From 6159c3367bb3c5745dc3a6962daa0ca81f34fc85 Mon Sep 17 00:00:00 2001 From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Mon, 6 Jun 2022 18:57:23 +0300 Subject: [PATCH 01/49] M365 Business Premium update path https://github.com/MicrosoftDocs/windows-itpro-docs/issues/10407 --- windows/deployment/windows-10-subscription-activation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 2b534e585f..42fc531050 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -30,6 +30,8 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. +If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](https://docs.microsoft.com/en-us/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). + The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. See the following topics: From 4dd6d377b583e71ce35a3d0526fcab5d2d5e822a Mon Sep 17 00:00:00 2001 
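Review bot: the added sentence links with an absolute `https://docs.microsoft.com/en-us/...` URL that hard-codes the `en-us` locale; the rest of this page set links site-relative (for example the `/azure/active-directory/...` and `/windows-hardware/...` links in later patches of this series), so write it as `[Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business)` so the link localizes and survives a domain change. Placement is also worth a second look: the sentence is about getting legacy Professional devices to Windows 10 Pro, which is the prerequisite named in the first paragraph of the section ("Windows 10 Pro supports the Subscription Activation feature"), so it reads more naturally directly after that paragraph than wedged between the Pro Education step-up note and the sentence on what Subscription Activation eliminates.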
From: VLG17 <41186174+VLG17@users.noreply.github.com> Date: Tue, 7 Jun 2022 08:51:06 +0300 Subject: [PATCH 02/49] Update windows/deployment/windows-10-subscription-activation.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/deployment/windows-10-subscription-activation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 42fc531050..a9a1139765 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md 
@@ -30,7 +30,7 @@ Windows 10 Pro supports the Subscription Activation feature, enabling users to With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**. -If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](https://docs.microsoft.com/en-us/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). +If you have devices that are licensed for Windows 7, 8, and 8.1 Professional, Microsoft 365 Business Premium provides an upgrade to Windows 10 Pro, which is the prerequisite for deploying [Windows 10 Business](/microsoft-365/business-premium/microsoft-365-business-faqs?view=o365-worldwide#what-is-windows-10-business). The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices. From 31a2c426943eae7b1369558d564d8dfef0d824c9 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Wed, 8 Jun 2022 09:50:49 +0200 Subject: [PATCH 03/49] #10340 #10340 the feedback was about stressing that a step is not needed for Windows Server 2019. I discovered that this is already mentioned in the article, so I made that statement bold to make it stand out. --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
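Review bot: the change to a site-relative link is the right fix and supersedes the absolute URL introduced in PATCH 01; since both commits touch the same line, squash this into PATCH 01 rather than shipping the auto-generated "Update windows/deployment/windows-10-subscription-activation.md" commit on its own. The `?view=o365-worldwide` query string is harmless but not needed for the anchor to resolve on the docs site, so consider dropping it and keeping only the `#what-is-windows-10-business` fragment.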
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 53a69d9ca8..35d754ebe4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -25,7 +25,9 @@ ms.reviewer: - On-premises deployment - Certificate trust -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. +The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. + +**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.** Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. 
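Review bot: the bolded skip statement now sits directly under a sentence that says the certificate trust model "requires manually updating the current schema to the Windows Server 2016 or later schema", and the two read as contradictory; make the condition explicit in the first sentence ("requires manually updating the schema if no Windows Server 2016 or later domain controller exists in the forest") so the skip statement follows from it. For the emphasis itself, use the callout convention already used on sibling Windows Hello pages (`> [!IMPORTANT]` or `> [!NOTE]`) rather than a bold paragraph. The statement also tells readers they can skip the "Create the KeyCredential Admins Security Global Group" step, but nothing in the paragraph explains why having a 2016 or later domain controller makes that group unnecessary; either add the reason or limit the skip to the schema update step.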
From fe0b1343e3c29d31b131c78396dd6c9584f67566 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Wed, 8 Jun 2022 10:11:58 +0200 Subject: [PATCH 04/49] #10356 #10356 I followed the discussion on the original post and I implemented these changes accordingly --- .../hello-for-business/hello-cert-trust-policy-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 18e5489911..dc18e09acc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -60,7 +60,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 3. Right-click **Group Policy object** and select **New**. 4. Type *Enable Windows Hello for Business* in the name box and click **OK**. 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration**. +6. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. 9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. 
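Review bot: the parenthetical added to step 6 has two typos ("this the only option for for Windows Server 2016" should read "this is the only option for Windows Server 2016") and it ties the availability of the Computer Configuration node to the Windows Server version, but where an administrative template shows up in the editor is determined by the ADMX files the editor loads (the central store or the machine running GPMC), not by the domain controller's operating system. Rephrase in terms of the administrative template version, and since step 7 then navigates to **Administrative Templates > Windows Component**, say which configuration node this deployment actually relies on so admins do not configure the same policy twice.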
@@ -70,7 +70,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration**. +4. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. 6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. From 14d52784f84f4299207d60613f2914945f51575a Mon Sep 17 00:00:00 2001 From: Florian Stosse Date: Wed, 8 Jun 2022 17:05:19 +0200 Subject: [PATCH 05/49] Fix indentation in XML code block --- .../microsoft-recommended-block-rules.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index 0fbd505f00..ddc280cfb4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -162,7 +162,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + @@ -877,7 +877,7 @@ Select the correct version of each .dll for the Windows release you plan to supp - + 
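Review bot: the same parenthetical is copied onto step 4 of the auto-enrollment procedure, where it is wrong for a different reason: steps 5 and 6 configure **Certificate Services Client – Auto-Enrollment** under **Public Key Policies**, which is not an administrative template and exists under both User Configuration and Computer Configuration on every supported server version. The User Configuration placement here is deliberate, because the Windows Hello for Business authentication certificate is enrolled for the user, and a Computer Configuration auto-enrollment policy would enroll computer certificates instead. Drop the parenthetical from this step (and fix "this the only option for for" if any part of it stays).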
@@ -905,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp + + + + --> From 8422c4ed7ae744192f99f7ccfb881260fedddc0e Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Wed, 8 Jun 2022 21:28:21 +0530 Subject: [PATCH 06/49] added curly brackets as per user report #10583, I added curly brackets, but I was not able to add the correct screenshot. --- .../hello-for-business/passwordless-strategy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md index 8ca6538d48..74765dffac 100644 --- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md +++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md @@ -251,7 +251,7 @@ You can use Group Policy to deploy an administrative template policy setting to :::image type="content" source="images/passwordless/gpmc-exclude-credential-providers.png" alt-text="The Group Policy Management Editor displaying the location of 'Logon' node and the policy setting 'Exclude credential providers'."::: -The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `60b78e88-ead8-445c-9cfd-0b87f74ea6cd`. +The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is `{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}`. :::image type="content" source="images/passwordless/exclude-credential-providers-properties.png" alt-text="Properties of the policy setting 'Exclude credential providers'."::: From 76a1a78899f4f14af0caa4ad18efd3fb9fa2524e Mon Sep 17 00:00:00 2001
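Review bot: adding the braces is the right fix, but the context line directly below the change still embeds `images/passwordless/exclude-credential-providers-properties.png`, and the commit message says the screenshot was not updated, so the rendered page will show the value without braces in the image next to text that says the opposite. Either update the image in the same change or add one sentence saying the value must be entered with the braces exactly as shown. If the page elsewhere hides more than one provider, also say how multiple CLSIDs are separated, since the braces make it less obvious where one value ends.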
From: Mark Renoden Date: Fri, 10 Jun 2022 11:10:50 +1000 Subject: [PATCH 07/49] Update hello-hybrid-cloud-trust.md Adding a clarification for the 2016+ Domain Controller requirements. --- .../hello-for-business/hello-hybrid-cloud-trust.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index a86fb2633a..cfc435c989 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md @@ -48,6 +48,8 @@ When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server objec More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). +If using the hybrid cloud trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Read-Write Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. + ## Prerequisites | Requirement | Notes | From 6519ec617ac73aa271cc60b156a0717497feed97 Mon Sep 17 00:00:00 2001 
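Review bot: this requirement belongs in the `## Prerequisites` table that begins two lines below the insertion point, not as a free-standing paragraph above it; add a row such as "Windows Server 2016 or later read-write domain controllers in every Active Directory site that serves Windows Hello for Business users" and put the capacity remark in the Notes column. Within the sentence itself, the upper-case "MUST" is not docs voice and "adequate (1 or more, depending on your authentication load)" says nothing actionable; state the reason instead, which the deep-dive linked in the preceding paragraph covers (the on-premises domain controller has to exchange the ticket issued against the Azure AD Kerberos Server object for a full TGT), and say plainly that read-only domain controllers do not satisfy the requirement.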
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 11:22:24 +0500 Subject: [PATCH 08/49] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...defender-application-control-with-dynamic-code-security.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index b1ace98992..ecf7941e63 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -24,7 +24,7 @@ Historically, Windows Defender Application Control (WDAC) has restricted the set Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. Beginning with Windows 10, version 1803, or Windows 11, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. -When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources. +When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources (any non-local sources, such as Internet or network share). Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries. 
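Review bot: the added parenthetical "(any non-local sources, such as Internet or network share)" turns "external sources" into a purely location-based test, while the paragraph above describes the bypass as both loading libraries from external sources and generating new code on the fly, and the sentence that follows covers tamper detection for code generated to disk; as written, a reader can conclude that a locally generated assembly is out of scope. Suggest moving the examples into their own sentence ("For example, a library downloaded from the internet or loaded from a network share.") so they illustrate rather than define the term, and lower-casing "internet" and writing "a network share" for house style.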
@@ -39,4 +39,4 @@ To enable Dynamic Code Security, add the following option to the `` secti -``` \ No newline at end of file +``` From 55e8d06d7f24e423d0b58077342beb178737c5fe Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 11:58:59 +0500 Subject: [PATCH 09/49] Update system-failure-recovery-options.md --- .../system-failure-recovery-options.md | 60 ++++++++++++++++++- 1 file changed, 59 insertions(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 777b9fa6ec..5ea73e75a2 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md 
@@ -184,6 +184,63 @@ To specify that you don't want to overwrite any previous kernel or complete memo - Set the **Overwrite** DWORD value to **0**. +#### Automatic Memory Dump + +The default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. + +If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). + +To specify that you want to use a automatic memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugInfoType = 7 + ``` + +- Set the **CrashDumpEnabled** DWORD value to **7**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the **DumpFile** Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + +#### Active Memory Dump + +An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. 
Because of this filtering, it is typically significantly smaller than a complete memory dump. + +This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). + +To specify that you want to use an active memory dump file, modify the registry value: + +- Set the **CrashDumpEnabled** DWORD value to **1**. +- Set the **FilterPages** DWORD value to **1**. + +To specify that you want to use a file as your memory dump file, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set DebugFilePath = + ``` + +- Set the DumpFile Expandable String Value to \. + +To specify that you don't want to overwrite any previous kernel or complete memory dump files, run the following command or modify the registry value: + +- ```cmd + wmic recoveros set OverwriteExistingDebugFile = 0 + ``` + +- Set the **Overwrite** DWORD value to **0**. + >[!Note] >If you contact Microsoft Support about a Stop error, you might be asked for the memory dump file that is generated by the Write Debugging Information option. 
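Review bot: three problems in the new subsections. First, the `wmic recoveros set DebugFilePath =` commands in both subsections show no value after the `=`; whatever placeholder the earlier subsections use for the path has not come through here, so the command as displayed fails, and the same applies to the "Set the **DumpFile** Expandable String Value to \." lines. Second, the Active Memory Dump link is written as `(windows-hardware/drivers/debugger/active-memory-dump)` without a leading slash, unlike `/windows-hardware/drivers/debugger/automatic-memory-dump` a few lines up, so it resolves relative to the page folder and will break; add the slash. Third, the Active Memory Dump subsection is the only one that gives registry values without a matching `wmic recoveros` command; say explicitly that `Win32_OSRecoveryConfiguration` has no property for `FilterPages`, and since this is the first mention of `FilterPages` on the page, name the key it lives under alongside `CrashDumpEnabled` rather than leaving readers to guess. Minor: the "overwrite" paragraph is now repeated verbatim three times; one sentence at the top of the section stating that the `Overwrite` setting applies to every dump type would read better.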
@@ -192,6 +249,7 @@ To view system failure and recovery settings for your local computer, type **wmi >[!Note] >To successfully use these Wmic.exe command line examples, you must be logged on by using a user account that has administrative rights on the computer. If you are not logged on by using a user account that has administrative rights on the computer, use the **/user:user_name** and **/password:password** switches. + ### Tips - To take advantage of the dump file feature, your paging file must be on the boot volume. If you've moved the paging file to another volume, you must move it back to the boot volume before you use this feature. @@ -202,4 +260,4 @@ To view system failure and recovery settings for your local computer, type **wmi ## References -[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) \ No newline at end of file +[Varieties of Kernel-Mode Dump Files](/windows-hardware/drivers/debugger/varieties-of-kernel-mode-dump-files) From 6208eafa2a95d677e4dc4786e0f323cda7e73ca3 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 10 Jun 2022 13:23:58 +0500 Subject: [PATCH 10/49] Update hello-feature-dynamic-lock.md --- .../hello-for-business/hello-feature-dynamic-lock.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 7025fb4173..6f5edfb03b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
@@ -25,6 +25,9 @@ ms.reviewer: Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +>[!IMPORTANT] +>The feature only locks the computer if Bluetooth signal falls and the system is idle. If the system is not idle (for example, intruder got access **before** Bluetooth signal falls below the limit), it will not be locked. Therefor, dynamic lock is an additional barrier, it does not replace the need to lock the computer by user, it only reduces the probability of someone gaining access if user forgets to lock it. + You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. The Group Policy Editor, when the policy is enabled, creates a default signal rule policy with the following value: From a16337c48f4ef972dc3b6c937b503f685b879688 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:13 +0500 Subject: [PATCH 11/49] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 5ea73e75a2..8758e25c63 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md 
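Review bot: the caveat is a useful one, but the note has typos ("Therefor" should be "Therefore", "intruder got access" needs an article and tense fix, and the docs convention is `> [!IMPORTANT]` with a space after `>`). More importantly, the whole statement turns on the word "idle", which the note does not define; say what counts as idle (for example, no keyboard or mouse input for the lock check interval, if that is the behaviour) so readers can evaluate the residual risk instead of guessing.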
@@ -186,7 +186,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo #### Automatic Memory Dump -The default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. +This is the default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). From f796ba6826e724296c97c01156087fa500963e5b Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:23 +0500 Subject: [PATCH 12/49] Update windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-feature-dynamic-lock.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 6f5edfb03b..cd2812800e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md 
@@ -25,8 +25,8 @@ ms.reviewer: Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. ->[!IMPORTANT] ->The feature only locks the computer if Bluetooth signal falls and the system is idle. If the system is not idle (for example, intruder got access **before** Bluetooth signal falls below the limit), it will not be locked. Therefor, dynamic lock is an additional barrier, it does not replace the need to lock the computer by user, it only reduces the probability of someone gaining access if user forgets to lock it. +> [!IMPORTANT] +> The feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system is not idle (for example, the intruder got access **before** the Bluetooth signal falls below the limit), it will not be locked. Therefore, the dynamic lock feature is an additional barrier, it does not replace the need to lock the computer by the user, it only reduces the probability of someone gaining access if the user forgets to lock it. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. From 165ca3756c3e03ed6f75fd8a60654ad8a9d364a5 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:28 +0500 Subject: [PATCH 13/49] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
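Review bot: the typo fixes are good, but the last sentence is still a comma splice with an awkward agent ("it does not replace the need to lock the computer by the user, it only reduces..."). Suggest splitting it: "Dynamic lock is an additional barrier. It does not replace the need for the user to lock the computer; it only reduces the probability of someone gaining access if the user forgets to."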
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 8758e25c63..a69c702060 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -216,7 +216,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo #### Active Memory Dump -An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a complete memory dump. +An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). From feabf31b3a21c580174a37b7f3c1e9d4900a7a17 Mon Sep 17 00:00:00 2001 
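Review bot: capitalizing "Complete Memory Dump" here is fine, but the Automatic Memory Dump subsection added in PATCH 09 still writes "kernel memory dump" in lower case in the same page; pick one convention for dump-type names and apply it to the whole section in this commit.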
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:32 +0500 Subject: [PATCH 14/49] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index a69c702060..3f77ed5794 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md @@ -190,7 +190,7 @@ This is the default option. An Automatic Memory Dump contains the same informati If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). -To specify that you want to use a automatic memory dump file, run the following command or modify the registry value: +To specify that you want to use an automatic memory dump file, run the following command or modify the registry value: - ```cmd wmic recoveros set DebugInfoType = 7 From 670514fa1b5c2eb7750148d930f5284f6818408f Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 12 Jun 2022 15:03:38 +0500 Subject: [PATCH 15/49] Update windows/client-management/system-failure-recovery-options.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/system-failure-recovery-options.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index 3f77ed5794..b1cbad90d2 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md 
@@ -218,7 +218,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. -This dump file does include any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). +This dump file includes any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file-backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages, and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). 
To specify that you want to use an active memory dump file, modify the registry value: From 18551c254f1571b2333af303c2a5d86ea8712114 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 12 Jun 2022 15:25:10 +0200 Subject: [PATCH 16/49] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index dc18e09acc..8c6cd85e3c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
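Review bot: in the Active Memory Dump hunk of system-failure-recovery-options.md, the link target `(windows-hardware/drivers/debugger/active-memory-dump)` is missing its leading slash, so it resolves relative to the current folder and will not reach the page; the Automatic Memory Dump hunk just above uses `/windows-hardware/drivers/debugger/automatic-memory-dump`, so change this one to `/windows-hardware/drivers/debugger/active-memory-dump` while the paragraph is being edited.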
@@ -60,7 +60,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 3. Right-click **Group Policy object** and select **New**. 4. Type *Enable Windows Hello for Business* in the name box and click **OK**. 5. In the content pane, right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -6. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). +6. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**. 8. In the content pane, double-click **Use Windows Hello for Business**. Click **Enable** and click **OK**. 9. Double-click **Use certificate for on-premises authentication**. Click **Enable** and click **OK**. Close the **Group Policy Management Editor**. From 66e81da09ddfc8d17f485cdaf3672a1a4afedae7 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Sun, 12 Jun 2022 15:25:18 +0200 Subject: [PATCH 17/49] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-policy-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 8c6cd85e3c..8e344e9b31 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
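Review bot: step 7 in this hunk's context (hello-cert-trust-policy-settings.md, the "Enable Windows Hello for Business" procedure) reads **Administrative Templates > Windows Component**; the Group Policy node is named **Windows Components**, so fix the plural in the same pass as the step 6 grammar fix. The same parenthetical about User Configuration versus Computer Configuration appears again in the auto-enrollment procedure in the next patch, so the two copies need to stay in sync.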
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -70,7 +70,7 @@ The Group Policy object contains the policy settings needed to trigger Windows H 1. Start the **Group Policy Management Console** (gpmc.msc). 2. Expand the domain and select the **Group Policy Object** node in the navigation pane. 3. Right-click the **Enable Windows Hello for Business** Group Policy object and click **Edit**. -4. In the navigation pane, expand **Policies** under **User Configuration** (this the only option for for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). +4. In the navigation pane, expand **Policies** under **User Configuration** (this is the only option for Windows Server 2016, but for Windows Server 2019 and later this step can also be done in **Computer Configuration**). 5. Expand **Windows Settings > Security Settings**, and click **Public Key Policies**. 6. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 7. Select **Enabled** from the **Configuration Model** list. From 19119c4179ba728216eb1cd7508f5db8d0fc6095 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 14 Jun 2022 15:05:52 +0200 Subject: [PATCH 18/49] #10364 #10364 --- .../applocker/script-rules-in-applocker.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 48095da0ce..0daa8696c8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md 
@@ -29,6 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). + This topic describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: @@ -46,6 +47,9 @@ The following table lists the default rules that are available for the script ru | Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| | Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*| +>[!NOTE] +>Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs. + ## Related topics - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) From b54238312d20f7a29714179d9536fe1bfabd07dc Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 14 Jun 2022 15:24:06 +0200 Subject: [PATCH 19/49] #10384 #10384 --- ...ty-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index f53a1e1665..a4973e313a 100644 
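Review bot: the note added at the end of the default-rules table in script-rules-in-applocker.md mixes up two products: the article and the note's second sentence are about AppLocker, but the first sentence says "Windows Defender Application Control cannot be used to block Powershell scripts", which is a different feature and not what this page documents. Suggest rewriting the note around AppLocker only, e.g. "AppLocker does not block PowerShell scripts outright; when a .ps1 script is not allowed by the policy, PowerShell runs it in Constrained Language Mode, and AppLocker still logs event 8007 as if the script were blocked." The fragment "After which the script runs." should be folded into that sentence, and the casing should be "PowerShell" and "AppLocker" as used elsewhere in the file.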
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -25,6 +25,9 @@ ms.technology: windows-sec Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. + +>[!NOTE] +>To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-access.md) ## Reference The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. From 8c08b60f3ed7a16b4f5dfe6ee98e193671a3a74a Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 14 Jun 2022 15:26:06 +0200 Subject: [PATCH 20/49] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 35d754ebe4..22b2eb2e66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
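Review bot: the link in the added note points at the GitHub editor URL (`https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/...remote-desktop-allow-access.md`), which opens the source file in edit mode behind a GitHub login rather than the published article; use the docs-relative path `/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access` instead. The hunk also leaves two blank lines before the note and none between it and `## Reference`, and `>[!NOTE]` should be `> [!NOTE]`, the form the later patches in this series standardize on.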
@@ -25,7 +25,7 @@ ms.reviewer: - On-premises deployment - Certificate trust -The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. +The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. **If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.** From 1b41f5d390694de82096210c25d07d97d39af19b Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 14 Jun 2022 15:26:53 +0200 Subject: [PATCH 21/49] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 22b2eb2e66..e1bb8e2f6e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
@@ -27,7 +27,8 @@ ms.reviewer: The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. -**If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the 'Updating the Schema' and 'Create the KeyCredential Admins Security Global Group' steps below.** +> [!NOTE] +> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.** Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. From cb967191c257d57de2b1145cf2c732f4f72443af Mon Sep 17 00:00:00 2001 From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Wed, 15 Jun 2022 18:40:23 +0200 Subject: [PATCH 22/49] Set Policy Driven Update path's are wrong All Updates SetPolicyDrivenUpdateSource path's are wrong - there needs an "Updates" added to the settings name. Verified under 21H2 -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Update --- .../mdm/policy-csp-update.md | 34 +++++++++---------- 1 file changed, 17 insertions(+), 17 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 4c9d94d790..b06a5e7de2 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
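Review bot: the converted note in hello-cert-trust-validate-ad-prereq.md ends with a stray `**`: the opening bold marker was removed along with the bold sentence, but the closing one on `...steps that follow.**` was left behind, so the rendered note will show two literal asterisks. Drop the trailing `**`.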
@@ -3478,7 +3478,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForDriver** +**Update/SetPolicyDrivenUpdateSourceForDriverUpdates** The table below shows the applicability of Windows: @@ -3508,9 +3508,9 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] >If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3536,7 +3536,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForFeature** +**Update/SetPolicyDrivenUpdateSourceForFeatureUpdates** The table below shows the applicability of Windows: @@ -3566,9 +3566,9 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForDriver -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] >If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3594,7 +3594,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForOther** +**Update/SetPolicyDrivenUpdateSourceForOtherUpdates** The table below shows the applicability of Windows: @@ -3624,9 +3624,9 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForQuality -- SetPolicyDrivenUpdateSourceForDriver +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForQualityUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates >[!NOTE] >If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -3652,7 +3652,7 @@ The following list shows the supported values:
-**Update/SetPolicyDrivenUpdateSourceForQuality** +**Update/SetPolicyDrivenUpdateSourceForQualityUpdates** The table below shows the applicability of Windows: @@ -3682,9 +3682,9 @@ The table below shows the applicability of Windows: Configure this policy to specify whether to receive Windows Driver Updates from Windows Update endpoint, managed by Windows Update for Business policies, or through your configured Windows Server Update Service (WSUS) server. If you configure this policy, also configure the scan source policies for other update types: -- SetPolicyDrivenUpdateSourceForFeature -- SetPolicyDrivenUpdateSourceForDriver -- SetPolicyDrivenUpdateSourceForOther +- SetPolicyDrivenUpdateSourceForFeatureUpdates +- SetPolicyDrivenUpdateSourceForDriverUpdates +- SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] >If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. @@ -4013,4 +4013,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From c20c99a86a0e3ee86a6b3ffff72c6b75593e2ff0 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:27:05 -0700 Subject: [PATCH 23/49] Update policy-csp-update.md --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index b06a5e7de2..cce978a298 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -7,7 +7,7 @@ ms.prod: w10 ms.technology: windows author: dansimp ms.localizationpriority: medium -ms.date: 03/18/2022 +ms.date: 06/15/2022 ms.reviewer: manager: dansimp ms.collection: highpri 
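Review bot: in policy-csp-update.md, the description paragraph in the SetPolicyDrivenUpdateSourceForFeatureUpdates, SetPolicyDrivenUpdateSourceForOtherUpdates and SetPolicyDrivenUpdateSourceForQualityUpdates hunks still reads "Configure this policy to specify whether to receive Windows Driver Updates ...", copied from the driver policy; since each of these sections is being edited anyway, the sentence should name the update type the policy actually controls (feature, other, quality). The note "If you have not properly configured Update/UpdateServiceUrl correctly" also says "properly" and "correctly" for the same thing; one of them suffices.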
From 6d075ad8eb48607df0038b9de7a12fc20bd3f4f7 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:33:16 -0700 Subject: [PATCH 24/49] Update network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md --- ...estrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index a4973e313a..9453c4b573 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 06/15/2022 ms.technology: windows-sec --- 
@@ -26,8 +26,9 @@ ms.technology: windows-sec Describes the best practices, location, values, management aspects, and security considerations for the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** security policy setting. ->[!NOTE] ->To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](https://github.com/MicrosoftDocs/windowsserverdocs/edit/main/WindowsServerDocs/remote/remote-desktop-services/clients/remote-desktop-allow-access.md) +> [!NOTE] +> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access) + ## Reference The **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** policy setting allows you to deny or audit outgoing NTLM traffic from a computer running Windows 7, Windows Server 2008, or later to any remote server running the Windows operating system. From 1c082992e615bdf995feec9306d0086ef644dbd9 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:36:26 -0700 Subject: [PATCH 25/49] Update script-rules-in-applocker.md --- .../applocker/script-rules-in-applocker.md | 30 +++++++++---------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 0daa8696c8..a39cc39fd3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md 
@@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 09/21/2017 +ms.date: 06/15/2022 ms.technology: windows-sec --- 
@@ -26,30 +26,30 @@ ms.technology: windows-sec - Windows 11 - Windows Server 2016 and above ->[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> [!NOTE] +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic describes the file formats and available default rules for the script rule collection. +This article describes the file formats and available default rules for the script rule collection. AppLocker defines script rules to include only the following file formats: -- .ps1 -- .bat -- .cmd -- .vbs -- .js +- `.ps1` +- `.bat` +- `.cmd` +- `.vbs` +- `.js` The following table lists the default rules that are available for the script rule collection. 
| Purpose | Name | User | Rule condition type | | - | - | - | - | -| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: *| -| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: %windir%\*| -| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: %programfiles%\*| +| Allows members of the local Administrators group to run all scripts| (Default Rule) All scripts| BUILTIN\Administrators | Path: `*\` | +| Allow all users to run scripts in the Windows folder| (Default Rule) All scripts located in the Windows folder| Everyone | Path: `%windir%\*` | +| Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| ->[!NOTE] ->Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs. +> [!NOTE] +> Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs. -## Related topics +## Related articles - [Understanding AppLocker default rules](understanding-applocker-default-rules.md) From dffa3bc0c690f37e84768882928ceb21819a00f1 Mon Sep 17 00:00:00 2001 
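Review bot: the table row for the "All scripts" default rule changes the path condition from `*` to `` `*\` ``, which is a content change rather than a formatting one: the trailing backslash makes it a different path condition from the `*` shown in the removed line. If the intent was only to code-format the asterisk, the cell should be `` `*` ``; if `*\` was meant, the commit message should explain why the default rule's condition is being changed.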
From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:37:23 -0700 Subject: [PATCH 26/49] Update script-rules-in-applocker.md --- .../applocker/script-rules-in-applocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index a39cc39fd3..14bf0eec35 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -48,7 +48,7 @@ The following table lists the default rules that are available for the script ru | Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| > [!NOTE] -> Windows Defender Application Control cannot be used to block Powershell scripts. Applocker just forces Powershell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event - which literally states the script will be blocked. After which the script runs. +> Windows Defender Application Control cannot be used to block PowerShell scripts. Applocker just forces PowerShell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. ## Related articles From a317f8cb080e88fd35fa7daccf51ca6eaa9cff7b Mon Sep 17 00:00:00 2001 
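Review bot: this rewrite still leaves "Applocker" (lower-case l) beside "AppLocker" in the same note, and the first sentence still attributes the behaviour to Windows Defender Application Control in an article about AppLocker script rules; suggest "AppLocker cannot be used to block PowerShell scripts; it forces them to run in Constrained Language Mode ..." so the note matches the feature the page documents.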
From: Denise Vangel-MSFT Date: Wed, 15 Jun 2022 14:40:56 -0700 Subject: [PATCH 27/49] Update use-windows-defender-application-control-with-dynamic-code-security.md --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 6b32d76c52..3720558b80 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -14,7 +14,7 @@ author: jsuther1974 ms.reviewer: isbrahm ms.author: dansimp manager: dansimp -ms.date: 09/23/2021 +ms.date: 06/15/2022 ms.technology: windows-sec --- From 46e8636041b5f7d37ba9f0a16d005fdb1ba0b836 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 16 Jun 2022 05:58:39 +0500 Subject: [PATCH 28/49] Update policy-csp-newsandinterests.md --- .../mdm/policy-csp-newsandinterests.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-newsandinterests.md b/windows/client-management/mdm/policy-csp-newsandinterests.md index 5d8350eed5..6eb42f6671 100644 --- a/windows/client-management/mdm/policy-csp-newsandinterests.md +++ b/windows/client-management/mdm/policy-csp-newsandinterests.md 
@@ -34,11 +34,11 @@ manager: dansimp |Edition|Windows 10|Windows 11| |--- |--- |--- | |Home|No|No| -|Pro|Yes|Yes| +|Pro|No|Yes| |Windows SE|No|Yes| -|Business|Yes|Yes| -|Enterprise|Yes|Yes| -|Education|Yes|Yes| +|Business|No|Yes| +|Enterprise|No|Yes| +|Education|No|Yes|
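Review bot: this hunk flips the Windows 10 column from Yes to No for Pro, Business, Enterprise and Education under a commit message that says only "Update policy-csp-newsandinterests.md"; a change to a policy's supported editions should cite its source (the CSP reference or a test on a specific Windows 10 build) in the commit message, since readers rely on this table to decide whether to deploy the setting. With Home already No/No, the table would now state that the policy is unavailable on every Windows 10 edition, so if that is correct the article's description should say the policy is Windows 11 only.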
@@ -83,4 +83,4 @@ ADMX Info: ## Related topics -[Policy configuration service provider](policy-configuration-service-provider.md) \ No newline at end of file +[Policy configuration service provider](policy-configuration-service-provider.md) From f622faf1f8130332b2c5da457dd5b01295398c7d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 16 Jun 2022 06:49:21 +0500 Subject: [PATCH 29/49] Update interactive-logon-do-not-require-ctrl-alt-del.md --- .../interactive-logon-do-not-require-ctrl-alt-del.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 4131998946..867bda657e 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -36,6 +36,9 @@ Microsoft developed this feature to make it easier for users with certain types A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has. +>[!NOTE] +>When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value need to be removed as well. + ### Possible values - Enabled From 309b18cc5b7ede21c2f6e2fe776d4832ff50d6eb Mon Sep 17 00:00:00 2001 
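Review bot: the added note in interactive-logon-do-not-require-ctrl-alt-del.md says the **DisableCAD** value is "created" but not what the policy writes to it; stating the data written for Enabled and for Disabled would let an administrator verify the registry state directly, which is the point of the note. Also "this registry value need to be removed" should be "needs", and the comma before it joins two sentences; split them.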
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jun 2022 09:58:39 +0500 Subject: [PATCH 30/49] Update edit-an-applocker-policy.md --- .../applocker/edit-an-applocker-policy.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 811e3ab499..7c697728f5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -40,7 +40,9 @@ There are three methods you can use to edit an AppLocker policy: - [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) ## Editing an AppLocker policy by using Mobile Device Management (MDM) +If you deployed AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of policy node. +For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). ## Editing an AppLocker policy by using Group Policy From 50e6636ce877b0d0c658c71a17ef2bfc274718bf Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jun 2022 14:59:30 +0500 Subject: [PATCH 31/49] Update kernel-dma-protection-for-thunderbolt.md --- .../kernel-dma-protection-for-thunderbolt.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 1d0b0ea803..400250bf8d 100644 
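Review bot: the added sentence in edit-an-applocker-policy.md drops an article ("the string value of the policy node") and is inserted directly under the `## Editing an AppLocker policy by using Mobile Device Management (MDM)` heading with no blank line, while the other sections in this file separate heading and body; add the blank line. It would also help to say which node is meant, since the AppLocker CSP has a `Policy` node per rule collection rather than a single policy node.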
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -92,7 +92,10 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to - Reboot system into Windows. >[!NOTE] - > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). + > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. + + >[!NOTE] + > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. From 4bc96cd544f814598bb6dc2ab7fae500c5e29691 Mon Sep 17 00:00:00 2001 
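Review bot: in PATCH 31 (kernel-dma-protection-for-thunderbolt.md) the two note markers are inconsistent: the first is `>[!NOTE]` and the new second one is `>[!NOTE]` as well, while the repository convention is `> [!NOTE]`; please use one form. In the rewritten first note, "will be shown on the bottom of the list" should be "at the bottom of the list", "entity" is an odd word for a UI message (suggest "message" or "entry"), and "set to YES" changes the casing of the UI value that the removed line rendered as "Yes". Splitting the firmware-requirement sentence into its own note is a good change, since the IOMMU requirement applies regardless of whether Hyper-V is enabled, and burying it inside the Hyper-V explanation made it easy to miss.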
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jun 2022 15:01:19 +0500 Subject: [PATCH 32/49] Update windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../interactive-logon-do-not-require-ctrl-alt-del.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 867bda657e..028bd47b3f 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -36,8 +36,8 @@ Microsoft developed this feature to make it easier for users with certain types A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has. ->[!NOTE] ->When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value need to be removed as well. +> [!NOTE] +> When the policy is defined, registry value **DisableCAD** located in **HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System** is created. To revert the changes made by this policy, it is not enough to set its value to **Not defined**, this registry value needs to be removed as well. ### Possible values 
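Review bot: PATCH 32 fixes "need" to "needs" and the marker spacing, but the comma splice remains: "it is not enough to set its value to **Not defined**, this registry value needs to be removed as well." Suggest "it is not enough to set the policy to **Not defined**; this registry value needs to be removed as well." Note also that "its value" is ambiguous here, since the sentence has just introduced the registry value; the thing being set to **Not defined** is the policy, not the registry value.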
From feb179fa52f5a26b848e00cf31c29dd10bd6b16d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Fri, 17 Jun 2022 15:02:30 +0500 Subject: [PATCH 33/49] Update windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../applocker/edit-an-applocker-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 7c697728f5..b96a2525dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -40,7 +40,7 @@ There are three methods you can use to edit an AppLocker policy: - [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo) ## Editing an AppLocker policy by using Mobile Device Management (MDM) -If you deployed AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of policy node. +If you deployed the AppLocker policy using the AppLocker configuration service provider, you can edit the policies in your MDM solution by altering the content in the string value of the policy node. For more information, see the [AppLocker CSP](/windows/client-management/mdm/applocker-csp). From a710084b28d6ff1b8c2d7960c9a91a51d23dda59 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Jun 2022 10:30:14 +0500 Subject: [PATCH 34/49] Update windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 400250bf8d..6a487163f9 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -92,7 +92,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to - Reboot system into Windows. >[!NOTE] - > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown on the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. + > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. >[!NOTE] > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). From 744379863d5164ea3c894ca9f43f2815116cac9a Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Jun 2022 10:30:26 +0500 Subject: [PATCH 35/49] Update windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 6a487163f9..80250e13f2 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -94,7 +94,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to >[!NOTE] > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. - >[!NOTE] + > [!NOTE] > Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature. From e3b3a40d6ff1b08902a20f607297e2fb642c1080 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sat, 18 Jun 2022 10:31:32 +0500 Subject: [PATCH 36/49] Update windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../kernel-dma-protection-for-thunderbolt.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 80250e13f2..4460e09f34 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md +++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -91,7 +91,7 @@ Beginning with Windows 10 version 1809, you can use the Windows Security app to - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - Reboot system into Windows. - >[!NOTE] + > [!NOTE] > If the **Hyper-V** Windows feature is enabled, all the Hyper-V-related features will be hidden, and **A hypervisor has been detected. Features required for Hyper-V will not be displayed** entity will be shown at the bottom of the list. It means that **Hyper-V - Virtualization Enabled in Firmware** is set to YES. > [!NOTE] From c92a5e0e6927081ff6c4f963d4beee47521bb90a Mon Sep 17 00:00:00 2001 From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Mon, 20 Jun 2022 09:11:34 +0200 Subject: [PATCH 37/49] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
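Review bot: PATCHES 34, 35 and 36 each change a single character in the same two note markers of kernel-dma-protection-for-thunderbolt.md ("on the bottom" to "at the bottom", then `>[!NOTE]` to `> [!NOTE]` twice). These are fix-ups of PATCH 31 and should be squashed into it rather than landing as three separate commits, so that the history records one change to that note block. With them applied both markers now match the repository's `> [!NOTE]` form, which resolves the inconsistency introduced in PATCH 31.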
diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index cce978a298..77f35e5754 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3687,7 +3687,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. From 845f03172dc8cfbb78731eff710342ad47f9b818 Mon Sep 17 00:00:00 2001 From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Mon, 20 Jun 2022 09:11:42 +0200 Subject: [PATCH 38/49] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 77f35e5754..2ab0e8e657 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3571,7 +3571,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. From 3d016d5abd51705d4912cb852840328a6c84c8b5 Mon Sep 17 00:00:00 2001 
From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Mon, 20 Jun 2022 09:11:50 +0200 Subject: [PATCH 39/49] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 2ab0e8e657..04dd37b084 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md @@ -3629,7 +3629,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForDriverUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. From aca0ce5659c2e9eb95dfd090261b1062c6fe0ab1 Mon Sep 17 00:00:00 2001 From: GrischaE1 <54313015+GrischaE1@users.noreply.github.com> Date: Mon, 20 Jun 2022 09:11:57 +0200 Subject: [PATCH 40/49] Update windows/client-management/mdm/policy-csp-update.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-update.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-update.md b/windows/client-management/mdm/policy-csp-update.md index 04dd37b084..69a315b2b4 100644 --- a/windows/client-management/mdm/policy-csp-update.md +++ b/windows/client-management/mdm/policy-csp-update.md 
@@ -3513,7 +3513,7 @@ If you configure this policy, also configure the scan source policies for other - SetPolicyDrivenUpdateSourceForOtherUpdates >[!NOTE] ->If you have not properly configured Update/UpdateServiceUrl correctly to point your WSUS server, this policy will have no effect. +>If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server, this policy will have no effect. From 5a171c035ff28ce31c70fd203886eeaa7dc5badb Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 21 Jun 2022 12:10:35 +0200 Subject: [PATCH 41/49] Update windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-cert-trust-validate-ad-prereq.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index e1bb8e2f6e..9174af8148 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md 
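Review bot: the corrected sentence in PATCHES 37 through 40 (policy-csp-update.md, at lines 3513, 3571, 3629 and 3687) still carries a redundancy: "If you have not properly configured Update/UpdateServiceUrl correctly to point to your WSUS server" says both "properly" and "correctly". Suggest "If you have not configured Update/UpdateServiceUrl to point to your WSUS server, this policy will have no effect." Since the identical note appears under all four SetPolicyDrivenUpdateSource* policies, the four one-line commits are better squashed into a single commit that touches all four occurrences. The markers here are `>[!NOTE]` without the space; worth aligning with `> [!NOTE]` while the lines are being touched.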
@@ -28,7 +28,7 @@ ms.reviewer: The key registration process for the on-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. > [!NOTE] -> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow.** +> If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the "Updating the Schema" and "Create the KeyCredential Admins Security Global Group" steps that follow. Manually updating Active Directory uses the command-line utility **adprep.exe** located at **\:\support\adprep** on the Windows Server 2016 or later DVD or ISO. Before running adprep.exe, you must identify the domain controller hosting the schema master role. From eea3f1f959aebf019324d8c95d4975c8a4c6b5e3 Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 21 Jun 2022 12:13:34 +0200 Subject: [PATCH 42/49] Update windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../applocker/script-rules-in-applocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 14bf0eec35..aee609a7fd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md 
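Review bot: PATCH 41 (hello-cert-trust-validate-ad-prereq.md) correctly drops the stray `**` at the end of the note. While in this paragraph, the unchanged context line reads "**adprep.exe** located at **\:\support\adprep**", which looks like it lost a drive-letter placeholder before the colon; it should be restored to whatever placeholder the source intended so the path does not render as `\:\support\adprep`.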
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -48,7 +48,7 @@ The following table lists the default rules that are available for the script ru | Allow all users to run scripts in the Program Files folder| (Default Rule) All scripts located in the Program Files folder|Everyone | Path: `%programfiles%\*`| > [!NOTE] -> Windows Defender Application Control cannot be used to block PowerShell scripts. Applocker just forces PowerShell scripts to be run in Constrained Language Mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. +> Windows Defender Application Control cannot be used to block PowerShell scripts. AppLocker just forces PowerShell scripts to be run in Constrained Language mode. Also note that in cases where a PS1 script is "blocked", AppLocker generates an 8007 event, which states that the script will be blocked, but then the script runs. ## Related articles From 7ba112e7445142bc6fd2b9e2a8023fbb7259c94b Mon Sep 17 00:00:00 2001 From: Michael Nady Date: Tue, 21 Jun 2022 12:14:03 +0200 Subject: [PATCH 43/49] Update windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...ity-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index 9453c4b573..f4c0cda9aa 100644 
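Review bot: the casing fixes in PATCH 42 (script-rules-in-applocker.md) are fine, but the note's first sentence still says "Windows Defender Application Control cannot be used to block PowerShell scripts" while the rest of the note, and the article, are about AppLocker. Either the sentence should name AppLocker, or it should say explicitly that both AppLocker and WDAC behave this way, so a reader of an AppLocker article is not left wondering which product the claim covers. The rest of the note is the important part and should stay prominent: a script rule on a .ps1 file produces an 8007 event but the script still runs in Constrained Language mode, so anyone relying on AppLocker script rules as a hard block for PowerShell needs to read this.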
--- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, management aspects, and security > [!NOTE] -> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access) +> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access). ## Reference From d805e985be0295efa4ffc8b558bd98ec27dff6e6 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 12 Jul 2022 16:26:03 -0700 Subject: [PATCH 44/49] Update windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../hello-for-business/hello-hybrid-cloud-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index cfc435c989..d55c06e785 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md 
@@ -48,7 +48,7 @@ When you enable Azure AD Kerberos in a domain, an Azure AD Kerberos Server objec More details on how Azure AD Kerberos enables access to on-premises resources are available in our documentation on [enabling passwordless security key sign-in to on-premises resources](/azure/active-directory/authentication/howto-authentication-passwordless-security-key-on-premises). There's more information on how Azure AD Kerberos works with Windows Hello for Business cloud trust in the [Windows Hello for Business authentication technical deep dive](hello-how-it-works-authentication.md#hybrid-azure-ad-join-authentication-using-azure-ad-kerberos-cloud-trust-preview). -If using the hybrid cloud trust deployment model, you MUST ensure that you have adequate (1 or more, depending on your authentication load) Windows Server 2016 or later Read-Write Domain Controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. +If you're using the hybrid cloud trust deployment model, you _must_ ensure that you have adequate (one or more, depending on your authentication load) Windows Server 2016 or later read-write domain controllers in each Active Directory site where users will be authenticating for Windows Hello for Business. ## Prerequisites From 2ba0d7d509f722ec581191c1539335a1ec36049b Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 12 Jul 2022 16:29:20 -0700 Subject: [PATCH 45/49] editorial revision --- ...s-defender-application-control-with-dynamic-code-security.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 3720558b80..b00d8dca38 100644 
--- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -24,7 +24,7 @@ Historically, Windows Defender Application Control (WDAC) has restricted the set Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. Beginning with Windows 10, version 1803, or Windows 11, Windows Defender Application Control features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. -When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources (any non-local sources, such as Internet or network share). +When the Dynamic Code Security option is enabled, Application Control policy is applied to libraries that .NET loads from external sources. For example, any non-local sources, such as the internet or a network share. Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. From 300f50b7e13cdd79e1695cd520b741d0439d1d5a Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 12 Jul 2022 16:34:20 -0700 Subject: [PATCH 46/49] fix links --- .../client-management/system-failure-recovery-options.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/system-failure-recovery-options.md b/windows/client-management/system-failure-recovery-options.md index b1cbad90d2..45ab9b85d6 100644 --- a/windows/client-management/system-failure-recovery-options.md +++ b/windows/client-management/system-failure-recovery-options.md 
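Review bot: the rewrite in PATCH 45 (use-windows-defender-application-control-with-dynamic-code-security.md) leaves a sentence fragment: "For example, any non-local sources, such as the internet or a network share." Suggest keeping it attached to the main sentence, e.g. "... libraries that .NET loads from external sources, for example non-local sources such as the internet or a network share." Also, the line now says "Application Control policy" where the removed line and the surrounding context say "WDAC"; pick one term for the article so the reader does not take them for two different policies.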
@@ -7,7 +7,7 @@ ms.topic: troubleshooting author: Deland-Han ms.localizationpriority: medium ms.author: delhan -ms.date: 8/22/2019 +ms.date: 07/12/2022 ms.reviewer: dcscontentpm manager: dansimp --- @@ -188,7 +188,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo This is the default option. An Automatic Memory Dump contains the same information as a Kernel Memory Dump. The difference between the two is in the way that Windows sets the size of the system paging file. If the system paging file size is set to **System managed size**, and the kernel-mode crash dump is set to **Automatic Memory Dump**, then Windows can set the size of the paging file to less than the size of RAM. In this case, Windows sets the size of the paging file large enough to ensure that a kernel memory dump can be captured most of the time. -If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more details, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). +If the computer crashes and the paging file is not large enough to capture a kernel memory dump, Windows increases the size of the paging file to at least the size of RAM. For more information, see [Automatic Memory Dump](/windows-hardware/drivers/debugger/automatic-memory-dump). To specify that you want to use an automatic memory dump file, run the following command or modify the registry value: 
@@ -218,7 +218,7 @@ To specify that you don't want to overwrite any previous kernel or complete memo An Active Memory Dump is similar to a Complete Memory Dump, but it filters out pages that are not likely to be relevant to troubleshooting problems on the host machine. Because of this filtering, it is typically significantly smaller than a Complete Memory Dump. -This dump file includes any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file-backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages, and various other types of memory that are not likely to be useful during debugging. For more details, see [Active Memory Dump](windows-hardware/drivers/debugger/active-memory-dump). +This dump file includes any memory allocated to user-mode applications. It also includes memory allocated to the Windows kernel and hardware abstraction layer, as well as memory allocated to kernel-mode drivers and other kernel-mode programs. The dump includes active pages mapped into the kernel or user space that are useful for debugging, as well as selected Pagefile-backed Transition, Standby, and Modified pages such as the memory allocated with VirtualAlloc or page-file-backed sections. Active dumps do not include pages on the free and zeroed lists, the file cache, guest VM pages, and various other types of memory that are not likely to be useful during debugging. For more information, see [Active Memory Dump](/windows-hardware/drivers/debugger/active-memory-dump). 
To specify that you want to use an active memory dump file, modify the registry value: From dcaa564b27f23bd35aeabb56e31f1d771c6c2ba8 Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 12 Jul 2022 16:38:48 -0700 Subject: [PATCH 47/49] edititorial revision --- .../hello-for-business/hello-feature-dynamic-lock.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index cd2812800e..cbdcb1ce5b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -13,7 +13,7 @@ manager: dansimp ms.collection: M365-identity-device-management ms.topic: article localizationpriority: medium -ms.date: 09/09/2019 +ms.date: 07/12/2022 ms.reviewer: --- 
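Review bot: PATCH 46 is titled "fix links" but only the last hunk of system-failure-recovery-options.md is a link fix (the missing leading slash on `windows-hardware/drivers/debugger/active-memory-dump`, which would otherwise resolve relative to the current page); the `ms.date` bump and the "For more details" to "For more information" wording changes are unrelated editorial changes. Either widen the subject line to cover them or keep the link fix in its own commit. The slash fix itself is correct and matches the form used by the Automatic Memory Dump link in the preceding hunk.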
@@ -26,7 +26,7 @@ ms.reviewer: Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. > [!IMPORTANT] -> The feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system is not idle (for example, the intruder got access **before** the Bluetooth signal falls below the limit), it will not be locked. Therefore, the dynamic lock feature is an additional barrier, it does not replace the need to lock the computer by the user, it only reduces the probability of someone gaining access if the user forgets to lock it. +> This feature only locks the computer if the Bluetooth signal falls and the system is idle. If the system isn't idle (for example, an intruder gets access _before_ the Bluetooth signal falls below the limit), the device won't lock. Therefore, the dynamic lock feature is an additional barrier. It doesn't replace the need for the user to lock the computer. It only reduces the probability of someone gaining access if the user forgets to lock it. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. From 03f435394999471890c5d32ecb68cbfa8573541a Mon Sep 17 00:00:00 2001 From: Aaron Czechowski Date: Tue, 12 Jul 2022 16:43:33 -0700 Subject: [PATCH 48/49] editorial revision --- ...ity-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
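Review bot: the subject line of PATCH 47 has a typo, "edititorial revision". The rewritten IMPORTANT block in hello-feature-dynamic-lock.md reads well and keeps the key caveat intact: dynamic lock only triggers when the system is idle, so a session already taken over before the Bluetooth signal drops is not locked, and the feature supplements rather than replaces the user locking the device. One remaining nit in the unchanged context: "when Bluetooth paired device signal falls below" is missing an article ("when a paired Bluetooth device's signal falls below").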
diff --git a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md index f4c0cda9aa..4c05d8bea2 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, management aspects, and security > [!NOTE] -> To learn more about configuring a server to be accessed remotely, check [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access). +> For more information about configuring a server to be accessed remotely, see [Remote Desktop - Allow access to your PC](/windows-server/remote/remote-desktop-services/clients/remote-desktop-allow-access). ## Reference From e838504fe6eaed99dc16dfeb68a8efa2a0832f68 Mon Sep 17 00:00:00 2001 From: Angela Fleischmann Date: Tue, 12 Jul 2022 17:10:20 -0700 Subject: [PATCH 49/49] Update hello-hybrid-cloud-trust.md https://microsoft-ce-csi.acrolinx.cloud/api/v1/checking/scorecards/50b68978-5308-45d9-bc1a-662fd43b5e69#CORRECTNESS Line 21: sign in > sign-in --- .../hello-for-business/hello-hybrid-cloud-trust.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md index 9bbad19bf1..1f4f7f1f17 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-trust.md 
@@ -18,7 +18,7 @@ Applies to - Windows 10, version 21H2 - Windows 11 and later -Windows Hello for Business replaces username and password Windows sign in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. +Windows Hello for Business replaces username and password Windows sign-in with strong authentication using an asymmetric key pair. The following deployment guide provides the information needed to successfully deploy Windows Hello for Business in a hybrid cloud trust scenario. ## Introduction to Cloud Trust