From 297c11359e7a91e36a29bb17c4d6f1a6cf4f65a9 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 09:54:03 +0530 Subject: [PATCH 01/20] 5358700- Batch 01- Windows 11 Update WINDOWS: Hello for Business update for W11 --- .../feature-multifactor-unlock.md | 17 +++++++++-------- .../hello-aad-join-cloud-only-deploy.md | 4 ++-- .../hello-adequate-domain-controllers.md | 4 ++-- .../hello-and-password-changes.md | 6 ++++-- .../hello-biometrics-in-enterprise.md | 6 ++++-- .../hello-cert-trust-adfs.md | 1 + .../hello-cert-trust-policy-settings.md | 15 ++++++++------- .../hello-cert-trust-validate-ad-prereq.md | 8 ++++---- .../hello-cert-trust-validate-deploy-mfa.md | 7 ++++--- .../hello-cert-trust-validate-pki.md | 9 +++++---- .../hello-deployment-cert-trust.md | 1 + .../hello-deployment-guide.md | 3 ++- .../hello-deployment-issues.md | 7 ++++--- .../hello-deployment-key-trust.md | 1 + .../hello-deployment-rdp-certs.md | 1 + .../hello-errors-during-pin-creation.md | 6 ++++-- .../hello-for-business/hello-event-300.md | 10 ++++++---- .../hello-feature-dual-enrollment.md | 10 +++++----- .../hello-feature-dynamic-lock.md | 8 ++++---- .../hello-feature-pin-reset.md | 6 ++++-- .../hello-feature-remote-desktop.md | 7 ++++--- .../hello-how-it-works-authentication.md | 4 +++- .../hello-how-it-works-provisioning.md | 7 ++++--- .../hello-how-it-works-technology.md | 19 ++++++++++--------- .../retired/hello-how-it-works.md | 16 +++++++++------- 25 files changed, 105 insertions(+), 78 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index f80ffec25c..2fe1b87295 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
@@ -1,6 +1,6 @@ --- title: Multi-factor Unlock -description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals. +description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor ms.prod: w10 ms.mktglfcycl: deploy @@ -19,17 +19,19 @@ ms.reviewer: # Multi-factor Unlock **Applies to:** -- Windows 10 + +- Windows 10 +- Windows 11 **Requirements:** * Windows Hello for Business deployment (Hybrid or On-premises) * Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments) -* Windows 10, version 1709 or newer +* Windows 10, version 1709 or newer, or Windows 11 * Bluetooth, Bluetooth capable phone - optional Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system. -Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices. +Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices. Which organizations can take advantage of Multi-factor unlock? Those who: * Have expressed that PINs alone do not meet their security needs. 
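Review bot: `Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.` in the @@ -19,17 +19,19 @@ hunk of feature-multifactor-unlock.md reads awkwardly with the possessive; suggest `Administrators can configure Windows to request a combination of factors and trusted signals to unlock devices.`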
@@ -92,7 +94,7 @@ You represent signal rules in XML. Each signal rule has an starting and ending ``` ### Signal element -Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. +Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. |Attribute|Value| @@ -133,7 +135,7 @@ The **classofDevice** attribute defaults to Phone and uses the values from the f |Health|2304| |Uncategorized|7936| -The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10. +The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. 
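Review bot: the rewritten `rssiMaxDelta` sentence in the @@ -133,7 +135,7 @@ hunk of feature-multifactor-unlock.md still carries two grammar slips on a line this patch already edits: `which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10` should read `which instructs Windows to lock the device once the signal strength weakens by more than a measurement of 10`.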
@@ -343,11 +345,10 @@ This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) ### How to configure Multifactor Unlock policy settings -You need a Windows 10, version 1709 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1709. +You need at least a Windows 10, version 1709 or later workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business Group Policy settings, which includes multi-factor unlock. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1709 or later. Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10, version 1703 to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information. 
- ### Create the Multifactor Unlock Group Policy object The Group Policy object contains the policy settings needed to trigger Windows Hello for Business provisioning and to ensure Windows Hello for Business authentication certificates are automatically renewed. diff --git a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md index 850b4b5214..aa4d0faa2f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md +++ b/windows/security/identity-protection/hello-for-business/hello-aad-join-cloud-only-deploy.md @@ -1,6 +1,6 @@ --- title: Azure Active Directory join cloud only deployment -description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 device. +description: Use this deployment guide to successfully use Azure Active Directory to join a Windows 10 or Windows 11 device. keywords: identity, Hello, Active Directory, cloud, ms.prod: w10 ms.mktglfcycl: deploy @@ -20,7 +20,7 @@ ms.reviewer: ## Introduction -When you Azure Active Directory (Azure AD) join a Windows 10 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. +When you Azure Active Directory (Azure AD) join a Windows 10 or Windows 11 device, the system prompts you to enroll in Windows Hello for Business by default. If you want to use Windows Hello for Business in your cloud only environment, then there's no additional configuration needed. You may wish to disable the automatic Windows Hello for Business enrollment prompts if you aren't ready to use it in your environment. Instructions on how to disable Windows Hello for Business enrollment in a cloud only environment are included below. 
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 25d27e28d3..b317356b81 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md @@ -20,7 +20,7 @@ ms.reviewer: **Applies to** -- Windows 10, version 1703 or later +- Windows 10, version 1703 or later, or Windows 11 - Windows Server, versions 2016 or later - Hybrid or On-Premises deployment - Key trust 
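Review bot: the Applies to change in the @@ -20,7 +20,7 @@ hunk of hello-adequate-domain-controllers.md folds Windows 11 into the existing bullet (`- Windows 10, version 1703 or later, or Windows 11`), whereas every other file in this batch adds it as its own `- Windows 11` bullet; use the separate bullet here too so the lists stay consistent.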
@@ -32,7 +32,7 @@ ms.reviewer: How can you find out how many domain controllers are needed? You can use performance monitoring on your domain controllers to determine existing authentication traffic. Windows Server 2016 and above includes the KDC AS Requests performance counter. You can use this counter to determine how much of a domain controller's load is due to initial Kerberos authentication. It's important to remember that authentication for a Windows Hello for Business key trust deployment does not affect Kerberos authentication - it remains unchanged. -Windows 10 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller. +Windows 10 or Windows 11 accomplishes Windows Hello for Business key trust authentication by mapping an Active Directory user account to one or more public keys. This mapping occurs on the domain controller, which is why the deployment needs Windows Server 2016 or later domain controllers. Public key mapping is only supported by Windows Server 2016 domain controllers and above. Therefore, users in a key trust deployment must authenticate to a Windows Server 2016 and above domain controller. Determining an adequate number of Windows Server domain controllers is important to ensure you have enough domain controllers to satisfy all authentication requests, including users mapped with public key trust. 
What many administrators do not realize is that adding a domain controller that supports public key mapping (in this case Windows Server 2016 or later) to a deployment of existing domain controllers which do not support public key mapping (Windows Server 2008R2, Windows Server 2012R2) instantly makes that single domain controller susceptible to carrying the most load, or what is commonly referred to as "piling on". To illustrate the "piling on" concept, consider the following scenario: diff --git a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md index 2eb9365b7b..1933fad122 100644 --- a/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md +++ b/windows/security/identity-protection/hello-for-business/hello-and-password-changes.md @@ -1,5 +1,5 @@ --- -title: Windows Hello and password changes (Windows 10) +title: Windows Hello and password changes (Windows) description: When you change your password on a device, you may need to sign in with a password on other devices to reset Hello. ms.assetid: 83005FE4-8899-47A6-BEA9-C17CCA0B6B55 ms.reviewer: @@ -19,7 +19,9 @@ ms.date: 07/27/2017 # Windows Hello and password changes **Applies to** -- Windows 10 + +- Windows 10 +- Windows 11 When you set up Windows Hello, the PIN or biometric gesture that you use is specific to that device. You can set up Hello for the same account on multiple devices. If the PIN or biometric is configured as part of Windows Hello for Business, changing the account password will not impact sign-in or unlock with these gestures since it uses a key or certificate. However, if Windows Hello for Business is not deployed and the password for that account changes, you must provide the new password on each device to continue to use Hello. 
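Review bot: the @@ -19,7 +19,9 @@ hunk of hello-and-password-changes.md changes the page's applicability but leaves `ms.date: 07/27/2017` in the surrounding front matter untouched; bump ms.date when the content changes. The same applies to the other Applies to hunks in this batch whose context shows an old ms.date (hello-biometrics-in-enterprise.md, hello-errors-during-pin-creation.md, hello-event-300.md).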
diff --git a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md index d0857ccd72..7dc20cb316 100644 --- a/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md +++ b/windows/security/identity-protection/hello-for-business/hello-biometrics-in-enterprise.md @@ -1,5 +1,5 @@ --- -title: Windows Hello biometrics in the enterprise (Windows 10) +title: Windows Hello biometrics in the enterprise (Windows) description: Windows Hello uses biometrics to authenticate users and guard against potential spoofing, through fingerprint matching and facial recognition. ms.assetid: d3f27d94-2226-4547-86c0-65c84d6df8Bc ms.reviewer: @@ -21,7 +21,9 @@ ms.date: 01/12/2021 # Windows Hello biometrics in the enterprise **Applies to:** -- Windows 10 + +- Windows 10 +- Windows 11 Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index f354ae19d4..4f4f37b876 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Certificate trust diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 7f7f59156a..3ce38ae8f6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -19,12 +19,13 @@ ms.reviewer: # Configure Windows Hello for Business Policy settings **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust +- Windows 10, version 1703 or later +- Windows 11 +- On-premises deployment +- Certificate trust -You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). -Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703. +You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520). +Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later. On-premises certificate-based deployments of Windows Hello for Business needs three Group Policy settings: * Enable Windows Hello for Business 
@@ -116,9 +117,9 @@ The default Windows Hello for Business enables users to enroll and use biometric ### PIN Complexity -PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. +PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed. -Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: +Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. 
Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are: * Require digits * Require lowercase letters * Maximum PIN length diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index 57f12a0692..d62bda3427 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -19,10 +19,10 @@ ms.reviewer: # Validate Active Directory prerequisites **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust - +- Windows 10, version 1703 or later +- Windows 11 +- On-premises deployment +- Certificate trust The key registration process for the On-premises deployment of Windows Hello for Business needs the Windows Server 2016 Active Directory or later schema. The key-trust model receives the schema extension when the first Windows Server 2016 or later domain controller is added to the forest. The certificate trust model requires manually updating the current schema to the Windows Server 2016 or later schema. If you already have a Windows Server 2016 or later domain controller in your forest, you can skip the **Updating the Schema** and **Create the KeyCredential Admins Security Global Group** steps. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md index 373a03c97c..6a840d43c6 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-deploy-mfa.md 
@@ -16,19 +16,20 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate and Deploy Multi-factor Authentication (MFA) +# Validate and Deploy Multifactor Authentication (MFA) **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Certificate trust -Windows Hello for Business requires all users perform multi-factor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. +Windows Hello for Business requires all users perform multifactor authentication prior to creating and registering a Windows Hello for Business credential. On-premises deployments can use certificates, third-party authentication providers for AD FS, or a custom authentication provider for AD FS as an on-premises MFA option. For information on available third-party authentication methods see [Configure Additional Authentication Methods for AD FS](/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs). For creating a custom authentication method see [Build a Custom Authentication Method for AD FS in Windows Server](/windows-server/identity/ad-fs/development/ad-fs-build-custom-auth-method) -Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. Make sure that the authentication provider is selected as a multi-factor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). +Follow the integration and deployment guide for the authentication provider you select to integrate and deploy it to AD FS. 
Make sure that the authentication provider is selected as a multifactor authentication option in the AD FS authentication policy. For information on configuring AD FS authentication policies see [Configure Authentication Policies](/windows-server/identity/ad-fs/operations/configure-authentication-policies). ## Follow the Windows Hello for Business on premises certificate trust deployment guide 1. [Validate Active Directory prerequisites](hello-cert-trust-validate-ad-prereq.md) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index e4950a9581..d84ad9c32f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -19,9 +19,10 @@ ms.reviewer: # Validate and Configure Public Key Infrastructure **Applies to** -- Windows 10, version 1703 or later -- On-premises deployment -- Certificate trust +- Windows 10, version 1703 or later +- Windows 11 +- On-premises deployment +- Certificate trust Windows Hello for Business must have a public key infrastructure regardless of the deployment or trust model. All trust models depend on the domain controllers having a certificate. The certificate serves as a root of trust for clients to ensure they are not communicating with a rogue domain controller. The certificate trust model extends certificate issuance to client computers. During Windows Hello for Business provisioning, the user receives a sign-in certificate. 
@@ -94,7 +95,7 @@ The certificate template is configured to supersede all the certificate template ### Configure an Internal Web Server Certificate template -Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. +Windows 10 or Windows 11 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate. Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials. 1. Open the **Certificate Authority** management console. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md index c8f3f83f76..db310a19e8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-cert-trust.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Certificate trust 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md index 1a07013ef3..80a1ca91b3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-guide.md @@ -21,6 +21,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 Windows Hello for Business is the springboard to a world without passwords. It replaces username and password sign-in to Windows with strong user authentication based on an asymmetric key pair. @@ -41,7 +42,7 @@ This guide assumes that baseline infrastructure exists which meets the requireme - Proper name resolution, both internal and external names - Active Directory and an adequate number of domain controllers per site to support authentication - Active Directory Certificate Services 2012 or later -- One or more workstation computers running Windows 10, version 1703 +- One or more workstation computers running Windows 10, version 1703 or later If you are installing a server role for the first time, ensure the appropriate server operating system is installed, updated with the latest patches, and joined to the domain. This document provides guidance to install and configure the specific roles on that server. diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md index a95d9212e0..30dbcc8929 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-issues.md 
@@ -27,16 +27,17 @@ Applies to: - Azure AD joined deployments - Windows 10, version 1803 and later +- Windows 11 PIN reset on Azure AD joined devices uses a flow called web sign-in to authenticate the user above lock. Web sign in only allows navigation to specific domains. If it attempts to navigate to a domain that is not allowed it will shows a page with the error message "We can't open that page right now". ### Identifying Azure AD joined PIN Reset Allowed Domains Issue -The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multi-factor authentication. +The user can launch the PIN reset flow from above lock using the "I forgot my PIN" link in the PIN credential provider. Selecting this link will launch a full screen UI for the PIN experience on Azure AD Join devices. Typically, this UI will display an Azure authentication server page where the user will authenticate using Azure AD credentials and complete multifactor authentication. -In federated environments authentication may be configured to route to AD FS or a third party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list. +In federated environments authentication may be configured to route to AD FS or a third-party identity provider. If the PIN reset flow is launched and attempts to navigate to a federated identity provider server page, it will fail and display the "We can't open that page right now" error if the domain for the server page is not included in an allow list. 
-If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allow list. This results in "We can't open that page right now". +If you are a customer of Azure US Government cloud, PIN reset will also attempt to navigate to a domain that is not included in the default allowlist. This results in "We can't open that page right now". ### Resolving Azure AD joined PIN Reset Allowed Domains Issue diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md index e748408fb5..5a5f0334f7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-key-trust.md @@ -20,6 +20,7 @@ ms.reviewer: **Applies to** - Windows 10, version 1703 or later +- Windows 11 - On-premises deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md index 0bbce98b00..260463cdb8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md +++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md @@ -22,6 +22,7 @@ ms.reviewer: **Applies To** - Windows 10, version 1703 or later +- Windows 11 - Hybrid deployment - Key trust diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 48a0d130df..f6d78686a8 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md 
@@ -1,5 +1,5 @@ --- -title: Windows Hello errors during PIN creation (Windows 10) +title: Windows Hello errors during PIN creation (Windows) description: When you set up Windows Hello in Windows 10, you may get an error during the Create a work PIN step. ms.assetid: DFEFE22C-4FEF-4FD9-BFC4-9B419C339502 ms.reviewer: @@ -21,7 +21,9 @@ ms.date: 05/05/2018 # Windows Hello errors during PIN creation **Applies to** -- Windows 10 + +- Windows 10 +- Windows 11 When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step. This topic lists some of the error codes with recommendations for mitigating the problem. If you get an error code that is not listed here, contact Microsoft Support. diff --git a/windows/security/identity-protection/hello-for-business/hello-event-300.md b/windows/security/identity-protection/hello-for-business/hello-event-300.md index fd2d0dbe71..a41f3c8418 100644 --- a/windows/security/identity-protection/hello-for-business/hello-event-300.md +++ b/windows/security/identity-protection/hello-for-business/hello-event-300.md @@ -1,5 +1,5 @@ --- -title: Event ID 300 - Windows Hello successfully created (Windows 10) +title: Event ID 300 - Windows Hello successfully created (Windows) description: This event is created when a Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). ms.assetid: 0DD59E75-1C5F-4CC6-BB0E-71C83884FF04 ms.reviewer: 
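Review bot: The hello-errors-during-pin-creation.md hunk adds Windows 11 to "Applies to" but leaves the description front matter and the body sentence "When you set up Windows Hello in Windows 10, you may get an error during the **Create a PIN** step." scoped to Windows 10 only, so the page now contradicts its own applies-to list; change both to "Windows 10 or Windows 11" (or plain "Windows", matching the new title). The front matter "ms.date: 05/05/2018" should also be bumped, since the content changed. The event-300 title hunk that follows has the same unbumped "ms.date: 07/27/2017".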
@@ -21,19 +21,21 @@ ms.date: 07/27/2017 # Event ID 300 - Windows Hello successfully created **Applies to** -- Windows 10 + +- Windows 10 +- Windows 11 This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request. ## Event details -| **Product:** | Windows 10 operating system | +| **Product:** | Windows 10 or Windows 11 operating system | |--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Log:** | Event Viewer > Applications and Service Logs\Microsoft\Windows\User Device Registration\Admin | | **ID:** | 300 | | **Source:** | Microsoft Azure Device Registration Service | -| **Version:** | 10 | +| **Version:** | 10 or 11 | | **Message:** | The NGC key was successfully registered. Key ID: {4476694e-8e3b-4ef8-8487-be21f95e6f07}. UPN:test@contoso.com. Attestation: ATT\_SOFT. Client request ID: . Server request ID: db2da6bd-3d70-4b9b-b26b-444f669902da.
Server response: {"kid":"4476694e-8e3b-4ef8-8487-be21f95e6f07","upn":"test@contoso.com"} | ## Resolve diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md index f62a626f0a..82cb73cd43 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dual-enrollment.md @@ -23,7 +23,7 @@ ms.reviewer: * Hybrid and On-premises Windows Hello for Business deployments * Enterprise joined or Hybrid Azure joined devices -* Windows 10, version 1709 +* Windows 10, version 1709 or later * Certificate trust > [!NOTE] 
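Review bot: Changing "| **Version:** | 10 |" to "10 or 11" in the hello-event-300.md table assumes that row is the OS version, but the "Product" row already states the OS, and in Event Viewer "Version" normally records the event definition's version rather than the Windows release. Confirm what this row documents before editing it; if it is the event version it should stay "10", and if it really is the OS version the row duplicates "Product" and could be dropped. The unchanged description line "This event is created when a Windows Hello for Business is successfully created" has a stray "a" that could be fixed in the same hunk.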
@@ -34,12 +34,12 @@ ms.reviewer: Dual enrollment enables administrators to perform elevated, administrative functions by enrolling both their non-privileged and privileged credentials on their device. -By design, Windows 10 does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. +By design, Windows does not enumerate all Windows Hello for Business users from within a user's session. Using the computer Group Policy setting, **Allow enumeration of emulated smart card for all users**, you can configure a device to enumerate all enrolled Windows Hello for Business credentials on selected devices. -With this setting, administrative users can sign in to Windows 10, version 1709 using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads. 
+With this setting, administrative users can sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials for normal work flow such as email, but can launch Microsoft Management Consoles (MMCs), Remote Desktop Services clients, and other applications by selecting **Run as different user** or **Run as administrator**, selecting the privileged user account, and providing their PIN. Administrators can also take advantage of this feature with command-line applications by using **runas.exe** combined with the **/smartcard** argument. This enables administrators to perform their day-to-day operations without needing to sign in and out, or use fast user switching when alternating between privileged and non-privileged workloads. > [!IMPORTANT] -> You must configure a Windows 10 computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. +> You must configure a Windows computer for Windows Hello for Business dual enrollment before either user (privileged or non-privileged) provisions Windows Hello for Business. Dual enrollment is a special setting that is configured on the Windows Hello container during creation. ## Configure Windows Hello for Business Dual Enrollment 
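Review bot: The two hello-feature-dual-enrollment.md hunks generalize the body to "Windows" but the requirements list ("* Windows 10, version 1709 or later") still never mentions Windows 11, unlike the applies-to lists changed elsewhere in this patch; add "* Windows 11" (or fold it into the version line) so the requirements match the text. In the second hunk, "sign in to Windows 10, version 1709 or later using their non-privileged Windows Hello for Business credentials" is the one Windows 10-specific remnant in a paragraph that now says "Windows" everywhere else; "sign in to Windows using" would be consistent and the version requirement is already stated above.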
@@ -69,7 +69,7 @@ where **DC=domain,DC=com** is the LDAP path of your Active Directory domain and ### Configuring Dual Enrollment using Group Policy -You configure Windows 10 to support dual enrollment using the computer configuration portion of a Group Policy object. +You configure Windows 10 or Windows 11 to support dual enrollment using the computer configuration portion of a Group Policy object. 1. Using the Group Policy Management Console (GPMC), create a new domain-based Group Policy object and link it to an organizational Unit that contains Active Directory computer objects used by privileged users. 2. Edit the Group Policy object from step 1. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md index 53985965fb..6a880c9a9c 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-dynamic-lock.md @@ -1,6 +1,6 @@ --- title: Dynamic lock -description: Learn how to set Dynamic lock on Windows 10 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. +description: Learn how to set Dynamic lock on Windows 10 and Windows 11 devices, by configuring group policies. This feature locks a device when a Bluetooth signal falls below a set value. keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, conditional access ms.prod: w10 ms.mktglfcycl: deploy 
@@ -21,9 +21,9 @@ ms.reviewer: **Requirements:** -* Windows 10, version 1703 +* Windows 10, version 1703 or later -Dynamic lock enables you to configure Windows 10 devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. +Dynamic lock enables you to configure Windows devices to automatically lock when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value. This makes it more difficult for someone to gain access to your device if you step away from your PC and forget to lock it. You configure the dynamic lock policy using Group Policy. You can locate the policy setting at **Computer Configuration\Administrative Templates\Windows Components\Windows Hello for Business**. The name of the policy is **Configure dynamic lock factors**. 
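Review bot: The hello-feature-dynamic-lock.md requirements hunk changes the version line to "* Windows 10, version 1703 or later" while the description in the front-matter hunk above now says "Windows 10 and Windows 11 devices"; add a "* Windows 11" requirement line so the two agree. In the same hunk the rewritten sentence keeps "when Bluetooth paired device signal falls below the maximum Received Signal Strength Indicator (RSSI) value", which conflicts with the "rssiMin" attribute the page goes on to describe; "falls below the configured RSSI threshold" would be clearer while the line is being edited.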
@@ -54,7 +54,7 @@ For this policy setting, the **type** and **scenario** attribute values are stat |Health|2304| |Uncategorized|7936| -The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10. +The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10. RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md index 2fbed0b012..25b4269de7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md 
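Review bot: The edited rssiMaxDelta sentence in this hunk carries over two grammar errors: "which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10" should read "which instructs Windows to lock the device once the signal strength weakens by more than 10". The unchanged context line below has "bluetooth" lowercase and "Therefore a measurement" missing a comma; both are worth fixing while the paragraph is open.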
@@ -22,6 +22,7 @@ ms.reviewer: **Applies to:** - Windows 10, version 1709 or later +- Windows 11 Windows Hello for Business provides the capability for users to reset forgotten PINs using the "I forgot my PIN link" from the Sign-in options page in Settings or from above the lock screen. User's are required to authenticate and complete multifactor authentication to reset their PIN. @@ -81,7 +82,7 @@ Visit the [Windows Hello for Business Videos](./hello-videos.md) page and watch When non-destructive PIN reset is enabled on a client, a 256-bit AES key is generated locally and added to a user's Windows Hello for Business container and keys as the PIN reset protector. This PIN reset protector is encrypted using a public key retrieved from the Microsoft PIN reset service and then stored on the client for later use during PIN reset. After a user initiates a PIN reset, completes authentication to Azure, and completes multifactor authentication, the encrypted PIN reset protector is sent to the Microsoft PIN reset service, decrypted, and returned to the client. The decrypted PIN reset protector is used to change the PIN used to authorize Windows Hello for Business keys and it is then cleared from memory. -Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows 10 devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. +Using Group Policy, Microsoft Intune or a compatible MDM, you can configure Windows devices to securely use the Microsoft PIN reset service that enables users to reset their forgotten PIN through settings or above the lock screen without requiring re-enrollment. >[!IMPORTANT] > The Microsoft PIN Reset service only works with **Enterprise Edition** for Windows 10, version 1709 to 1809. The feature works with **Enterprise Edition** and **Pro** edition with Windows 10, version 1903 and newer. 
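Review bot: With Windows 11 added to "Applies to" in the first hello-feature-pin-reset.md hunk, the unchanged "[!IMPORTANT]" note at the end of the third hunk still states edition support only for Windows 10 ("Enterprise Edition for Windows 10, version 1709 to 1809" and "Enterprise Edition and Pro edition with Windows 10, version 1903 and newer"), leaving a reader unsure whether the Microsoft PIN reset service works on Windows 11 Pro; the note should say which Windows 11 editions are supported. The context line "User's are required to authenticate" in the first hunk should be "Users are required".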
@@ -114,7 +115,7 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se ### Configure Windows devices to use PIN reset using Group Policy -You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. +You can configure Windows to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object. 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory. 1. Edit the Group Policy object from Step 1. @@ -188,6 +189,7 @@ The PIN reset configuration for a user can be viewed by running [**dsregcmd /sta **Applies to:** - Windows 10, version 1803 or later +- Windows 11 - Azure AD joined The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-authentication#authentication-configurewebsigninallowedurls) policy allows you to specify a list of domains that are allowed to be navigated to during PIN reset flows on Azure AD joined devices. If you have a federated environment and authentication is handled using AD FS or a third-party identity provider, this policy should be set to ensure that authentication pages from that identity provider can be used during Azure AD joined PIN reset. diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md index 550cddc3cc..8ed00949b2 100644 --- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md +++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md @@ -22,6 +22,7 @@ ms.reviewer: **Requirements** - Windows 10 +- Windows 11 - Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices 
@@ -36,9 +37,9 @@ Microsoft continues to investigate supporting using keys trust for supplied cred - Cloud only, Hybrid, and On-premises only Windows Hello for Business deployments - Azure AD joined, Hybrid Azure AD joined, and Enterprise joined devices - Biometric enrollments -- Windows 10, version 1809 +- Windows 10, version 1809 or later -Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. +Users using earlier versions of Windows 10 could authenticate to a remote desktop using Windows Hello for Business but were limited to using their PIN as their authentication gesture. Windows 10, version 1809 or later introduces the ability for users to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture. The feature is on by default, so your users can take advantage of it as soon as they upgrade to Windows 10, version 1809. ### How does it work 
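Review bot: "Windows 10, version 1809 or later introduces the ability to authenticate to a remote desktop session using their Windows Hello for Business biometric gesture" in the hello-feature-remote-desktop.md hunk misstates the history: only version 1809 introduced it, later versions inherit it. Keep "Windows 10, version 1809 introduces" and move the "or later" to the upgrade clause, which was left unchanged: "as soon as they upgrade to Windows 10, version 1809 or later". The requirements list in this hunk gets "- Windows 10, version 1809 or later" but, unlike the page-level requirements edited just above, no "- Windows 11" line.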
@@ -48,7 +49,7 @@ A certificate on a smart card starts with creating an asymmetric key pair using This same concept applies to Windows Hello for Business. Except, the keys are created using the Microsoft Passport KSP and the user's private key remains protected by the device's security module (TPM) and the user's gesture (PIN/biometric). The certificate APIs hide this complexity. When an application uses a certificate, the certificate APIs locate the keys using the saved key storage provider. The key storage providers directs the certificate APIs on which provider they use to find the private key associated with the certificate. This is how Windows knows you have a smart card certificate without the smart card inserted (and prompts you to insert the smart card). -Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. The Microsoft Passport KSP enabled Windows 10 to prompt the user for their biometric gesture or PIN. +Windows Hello for Business emulates a smart card for application compatibility. Versions of Windows 10 prior to version 1809, would redirect private key access for Windows Hello for Business certificate to use its emulated smart card using the Microsoft Smart Card KSP, which would enable the user to provide their PIN. Windows 10, version 1809 or later no longer redirects private key access for Windows Hello for Business certificates to the Microsoft Smart Card KSP-- it continues using the Microsoft Passport KSP. 
The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN. ### Compatibility diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md index 1efcc90b24..d6cff27980 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md @@ -18,7 +18,9 @@ ms.reviewer: # Windows Hello for Business and Authentication **Applies to:** -- Windows 10 + +- Windows 10 +- Windows 11 Windows Hello for Business authentication is passwordless, two-factor authentication. Authenticating with Windows Hello for Business provides a convenient sign-in experience that authenticates the user to both Azure Active Directory and Active Directory resources.
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
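Review bot: In the KSP paragraph hunk of hello-feature-remote-desktop.md, the sentence split off at the end, "The Microsoft Passport KSP enabled Windows to prompt the user for their biometric gesture or PIN.", describes current behaviour and should be present tense ("enables"); as written it reads as if the prompting was a past-only capability of the pre-1809 path the paragraph just said is gone. In the hello-how-it-works-authentication.md hunk that follows, the unchanged context line "can optional authenticate to Active Directory" should be "can optionally authenticate".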
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 20008e7565..90f0880e9b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -16,9 +16,10 @@ ms.date: 08/19/2018 ms.reviewer: --- # Windows Hello for Business Provisioning - -Applies to: -- Windows 10 + +**Applies to:** +- Windows 10 +- Windows 11 Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on: - How the device is joined to Azure Active Directory diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md index af9083a431..cae576ab66 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md @@ -19,6 +19,7 @@ ms.reviewer: **Applies to:** - Windows 10 +- Windows 11 - [Attestation Identity Keys](#attestation-identity-keys) - [Azure AD Joined](#azure-ad-joined) @@ -44,15 +45,15 @@ ms.reviewer:
## Attestation Identity Keys -Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. +Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service. > [!NOTE] -> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. +> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK. > The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. 
The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device. +Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device. -Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. +Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. 
Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate. 
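Review bot: Extending "**To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.**" to Windows 11 in the Attestation Identity Keys hunk is questionable: the paragraph is about devices that "upgrade to Windows 10" without a TPM, and Windows 11's minimum system requirements include TPM 2.0, so a Windows 11 device with no TPM is not a supported configuration and "Windows Hello for Business without TPM" remains a Windows 10 scenario. Either keep that sentence Windows 10-specific or add a line stating that Windows 11 requires TPM 2.0 and the non-EK AIK path applies to Windows 10 devices. Separately, the hunk uses "Windows" in three sentences and "Windows 10 or Windows 11" in the fourth; pick one.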
@@ -102,7 +103,7 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations [Return to Top](hello-how-it-works-technology.md) ## Cloud Experience Host -In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. +In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC. ### Related topics [Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md) 
@@ -138,7 +139,7 @@ The endorsement key is often accompanied by one or two digital certificates: - One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service. - The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device. -For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10. +For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11. ### Related topics [Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module) @@ -279,15 +280,15 @@ The trust type determines how a user authenticates to the Active Directory to ac A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
-Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. +Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. -Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](../../information-protection/tpm/tpm-recommendations.md). +Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md). -Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0. +Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0. 
TPM 2.0 provides a major revision to the capabilities over TPM 1.2: diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 2ad3bb1f3b..2b44b1c81f 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md +++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -1,5 +1,5 @@ --- -title: How Windows Hello for Business works (Windows 10) +title: How Windows Hello for Business works (Windows) description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business. ms.prod: w10 ms.mktglfcycl: deploy @@ -16,8 +16,10 @@ ms.topic: article # How Windows Hello for Business works **Applies to** -- Windows 10 -- Windows 10 Mobile + +- Windows 10 +- Windows 11 +- Windows 10 Mobile Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process. 
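Review bot: In the Trusted Platform Module hunk, "Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG" generalizes a TPM 1.2 statement to Windows 11, which requires TPM 2.0 as a minimum system requirement; keep "Windows 10 recognizes versions 1.2 and 2.0" and leave "Windows 10 and Windows 11 support only TPM 2.0" for the modern-feature sentence so the two do not contradict each other. The retired/hello-how-it-works.md hunk that follows inserts "- Windows 11" above "- Windows 10 Mobile" in a topic under "retired/"; confirm that retired content is meant to be updated by this batch at all, and if so whether Windows 11 belongs in a list that still includes Windows 10 Mobile.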
@@ -30,15 +32,15 @@ A goal of device registration is to allow a user to open a brand-new device, sec The registration process works like this: -1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. +1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 or Windows 11 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it. 2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends. 3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. 
Other registration scenarios that Windows Hello supports are: - A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN. -- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. -- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to. +- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 or Windows 11 device the user has not previously signed in to. +- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 and Windows 11 device the user has not previously signed in to. When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. 
Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM. @@ -46,7 +48,7 @@ At this point, the user has a PIN gesture defined on the device and an associate ## What’s a container? -You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. +You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account. The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD. From 75c3b4675b176c1571d7469aebeba27b4c893b52 Mon Sep 17 00:00:00 2001 
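Review bot: The third bullet in the registration-scenarios hunk ("a Windows 10 and Windows 11 device") is inconsistent with the bullet directly above it ("a Windows 10 or Windows 11 device") and reads as if one device ran both releases; change "and" to "or" so the smart-card and virtual-smart-card bullets match.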
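Review bot: "Windows 10 or Windows 11 Hello uses a single container" in the container hunk turns the version qualifier into what looks like a product name; the rest of the paragraph calls the feature "Windows Hello", so "On Windows 10 and Windows 11, Windows Hello uses a single container that holds ..." keeps the release scope without the odd compound.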
From: Alekhya Jupudi Date: Tue, 7 Sep 2021 14:15:17 +0530 Subject: [PATCH 02/20] Fixing Suggestions Suggestions such as alt text, duplicated h1s and h2s, duplicated descriptions etc --- .../hello-for-business/hello-cert-trust-adfs.md | 8 ++++---- .../hello-cert-trust-policy-settings.md | 3 ++- .../hello-cert-trust-validate-ad-prereq.md | 3 ++- .../hello-for-business/hello-cert-trust-validate-pki.md | 3 ++- .../hello-for-business/hello-how-it-works-provisioning.md | 2 +- .../hello-for-business/retired/hello-how-it-works.md | 2 +- 6 files changed, 12 insertions(+), 9 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index 4f4f37b876..d26226c8e4 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -1,6 +1,6 @@ --- -title: Prepare & Deploy Windows AD FS certificate trust (Windows Hello for Business) -description: How to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. +title: Prepare and Deploy Windows AD FS certificate trust (Windows Hello for Business) +description: Learn how to Prepare and Deploy Windows Server 2016 Active Directory Federation Services (AD FS) for Windows Hello for Business, using certificate trust. keywords: identity, PIN, biometric, Hello, passport ms.prod: w10 ms.mktglfcycl: deploy @@ -124,7 +124,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. 8. Click **Next** on the **Active Directory Federation Service** page. 9. Click **Install** to start the role installation. -## Review +## Review & validate Before you continue with the deployment, validate your deployment progress by reviewing the following items: 
@@ -266,7 +266,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th 3. In the details pane, click **Configure Device Registration**. 4. In the **Configure Device Registration** dialog, click **OK**. -## Review +## Review to validate Before you continue with the deployment, validate your deployment progress by reviewing the following items: * Confirm you followed the correct procedures based on the domain controllers used in your deployment. diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md index 3ce38ae8f6..4f529da2a1 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-policy-settings.md @@ -16,9 +16,10 @@ localizationpriority: medium ms.date: 08/20/2018 ms.reviewer: --- -# Configure Windows Hello for Business Policy settings +# Configure Windows Hello for Business Policy settings - Certificate Trust **Applies to** + - Windows 10, version 1703 or later - Windows 11 - On-premises deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md index d62bda3427..f468cbe23f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md @@ -16,9 +16,10 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate Active Directory prerequisites +# Validate Active Directory prerequisites for cert-trust deployment **Applies to** + - Windows 10, version 1703 or later - Windows 11 - On-premises deployment 
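Review bot: The second "## Review" heading in hello-cert-trust-adfs.md becomes "Review to validate" while the first (earlier hunk in the same file) becomes "Review & validate"; both introduce the identical sentence "validate your deployment progress by reviewing the following items", so the two titles now differ only in wording. If the point is unique h2 anchors, name each heading after what it reviews (the AD FS role installation versus the device registration configuration) rather than near-synonyms.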
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index d84ad9c32f..2f2d3bcf5b 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -16,9 +16,10 @@ localizationpriority: medium ms.date: 08/19/2018 ms.reviewer: --- -# Validate and Configure Public Key Infrastructure +# Validate and Configure Public Key Infrastructure - Certificate Trust Model **Applies to** + - Windows 10, version 1703 or later - Windows 11 - On-premises deployment diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md index 90f0880e9b..9e1ddf66b7 100644 --- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md +++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md @@ -49,7 +49,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong, [Return to top](#windows-hello-for-business-provisioning) ## Azure AD joined provisioning in a Federated environment -![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png) +![Azure AD joined provisioning in Managed environment.](images/howitworks/prov-aadj-federated.png) | Phase | Description | | :----: | :----------- | diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md index 2b44b1c81f..d90093aab8 100644 --- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md 
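Review bot: The alt-text edit in hello-how-it-works-provisioning.md only drops the article ("in Managed environment") and leaves the actual mismatch: the heading is "Azure AD joined provisioning in a Federated environment" and the image is prov-aadj-federated.png, yet the alt text still says "Managed". Suggest `![Azure AD joined provisioning in a Federated environment.](images/howitworks/prov-aadj-federated.png)`.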
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md @@ -13,7 +13,7 @@ ms.reviewer: manager: dansimp ms.topic: article --- -# How Windows Hello for Business works +# How Windows Hello for Business works in Windows devices **Applies to** From 93b77fca971d73b76d5df146ada3835a09ffbc77 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 7 Sep 2021 14:19:32 +0530 Subject: [PATCH 03/20] Fixing suggestion --- .../hello-for-business/hello-cert-trust-adfs.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index d26226c8e4..958d349b3e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md @@ -16,7 +16,7 @@ localizationpriority: medium ms.date: 01/14/2021 ms.reviewer: --- -# Prepare and Deploy Windows Server 2016 Active Directory Federation Services +# Prepare and Deploy Windows Server 2016 Active Directory Federation Services - Certificate Trust **Applies to** From e2ad7e35ae5f66b43c5d4cf46db0cdbf844ea465 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Tue, 14 Sep 2021 09:51:04 +0530 Subject: [PATCH 04/20] Update feature-multifactor-unlock --- .../hello-for-business/feature-multifactor-unlock.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md index 2fe1b87295..d1e93b59ef 100644 --- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md +++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md 
@@ -94,13 +94,13 @@ You represent signal rules in XML. Each signal rule has an starting and ending ``` ### Signal element -Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values. +Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 or later supports the **ipConfig** and **bluetooth** type values. |Attribute|Value| |---------|-----| -| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)| -| type| "wifi" (Windows 10, version 1803) +| type| "bluetooth" or "ipConfig" (Windows 10, version 1709) or later| +| type| "wifi" (Windows 10, version 1803 or later) #### Bluetooth You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>". @@ -222,7 +222,7 @@ The fully qualified domain name of your organization's internal DNS suffix where #### Wi-Fi **Applies to:** -- Windows 10, version 1803 +- Windows 10, version 1803 or later You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements. @@ -324,7 +324,7 @@ This example configures the same as example 2 using compounding And elements. T ``` #### Example 4 -This example configures Wi-Fi as a trusted signal (Windows 10, version 1803) +This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or later) ```xml From d2a3c13010c578450d228d9b74ba113faa0d3605 Mon Sep 17 00:00:00 2001 
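Review bot: In the signal-element attribute table the bluetooth/ipConfig row now reads `"bluetooth" or "ipConfig" (Windows 10, version 1709) or later`, with "or later" outside the parentheses, while the wifi row reads `(Windows 10, version 1803 or later)`; move "or later" inside the parentheses so the qualifier clearly belongs to the version and the two rows are consistent with the sentence above the table.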
From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 12:05:52 +0530 Subject: [PATCH 05/20] Create policy-csp-admx-framepanes.md --- .../mdm/policy-csp-admx-framepanes.md | 193 ++++++++++++++++++ 1 file changed, 193 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-framepanes.md diff --git a/windows/client-management/mdm/policy-csp-admx-framepanes.md b/windows/client-management/mdm/policy-csp-admx-framepanes.md new file mode 100644 index 0000000000..b6c506ddd9 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-framepanes.md @@ -0,0 +1,193 @@ +--- +title: Policy CSP - ADMX_FramePanes +description: Policy CSP - ADMX_FramePanes +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/14/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_FramePanes +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_FramePanes policies + +
+
+ ADMX_FramePanes/NoReadingPane +
+
+ ADMX_FramePanes/NoPreviewPane +
+
+ + +
+ + +**ADMX_FramePanes/NoReadingPane** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +This policy setting shows or hides the Details Pane in File Explorer. + +- If you enable this policy setting and configure it to hide the pane, the Details Pane in File Explorer is hidden and cannot be turned on by the user. + +- If you enable this policy setting and configure it to show the pane, the Details Pane is always visible and cannot be hidden by the user. + +> [!NOTE] +> This has a side effect of not being able to toggle to the Preview Pane since the two cannot be displayed at the same time. + +- If you disable, or do not configure this policy setting, the Details Pane is hidden by default and can be displayed by the user. + +This is the default policy setting. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn on or off details pane* +- GP name: *NoReadingPane* +- GP path: *Windows Components\File Explorer\Explorer Frame Pane* +- GP ADMX file name: *FramePanes.admx* + + + +
+ + +**ADMX_FramePanes/NoPreviewPane** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * User + +
+ + + +Hides the Preview Pane in File Explorer. + +- If you enable this policy setting, the Preview Pane in File Explorer is hidden and cannot be turned on by the user. + +- If you disable, or do not configure this setting, the Preview Pane is hidden by default and can be displayed by the user. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Turn off Preview Pane* +- GP name: *NoPreviewPane* +- GP path: *Windows Components\File Explorer\Explorer Frame Pane* +- GP ADMX file name: *FramePanes.admx* + + + + +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + From 560e60cc6449ec8a09d5b95e67d886d9ce848c00 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 12:05:57 +0530 Subject: [PATCH 06/20] Update policy-configuration-service-provider.md --- .../mdm/policy-configuration-service-provider.md | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index a394943879..82b6038a3e 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md 
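Review bot: In policy-csp-admx-framepanes.md the front-matter description ("Policy CSP - ADMX_FramePanes") just repeats the title, which is the duplicated-description pattern patch 02/20 in this series removes elsewhere; a one-line summary of what the two policies do (show or hide the Details and Preview panes in File Explorer) would serve search and the page header better. In the NoReadingPane text, "the Details Pane is hidden by default and can be displayed by the user" is followed by the stand-alone sentence "This is the default policy setting", which restates the bullet; fold it into the bullet or drop it. The NoPreviewPane section opens with "Hides the Preview Pane in File Explorer." rather than the "This policy setting ..." form used for NoReadingPane and the other ADMX pages in this series.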
@@ -1177,6 +1177,16 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC +### ADMX_FramePanes policies +
+
+ ADMX_FramePanes/NoReadingPane +
+
+ ADMX_FramePanes/NoPreviewPane +
+
+ ### ADMX_Help policies
From 0f8d5166f662c84f4814ec1755847d82bcd26ab2 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 12:29:27 +0530 Subject: [PATCH 07/20] Updated --- .../client-management/mdm/policies-in-policy-csp-admx-backed.md | 2 ++ windows/client-management/mdm/toc.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index c4eba79f3d..86ae6b3e10 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -291,6 +291,8 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2) - [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1) - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) +- [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) +- [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) - [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) - [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) - [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 4395fbc920..76433d4d19 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml 
@@ -483,6 +483,8 @@ items: href: policy-csp-admx-filesys.md - name: ADMX_FolderRedirection href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md - name: ADMX_Globalization href: policy-csp-admx-globalization.md - name: ADMX_GroupPolicy From 58d4a0a3a9f6446ac95c4dbbcea047e75ff565eb Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 18:47:06 +0530 Subject: [PATCH 08/20] Updated --- .../mdm/policies-in-policy-csp-admx-backed.md | 1 + .../mdm/policy-csp-admx-fthsvc.md | 116 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 119 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-fthsvc.md diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 86ae6b3e10..0c20f673c6 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
@@ -293,6 +293,7 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) - [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) - [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) +- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc-wdiscenarioexecutionpolicy.md#admx-fthsvc-wdiscenarioexecutionpolicy) - [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) - [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) - [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) diff --git a/windows/client-management/mdm/policy-csp-admx-fthsvc.md b/windows/client-management/mdm/policy-csp-admx-fthsvc.md new file mode 100644 index 0000000000..8790ac9ad7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-fthsvc.md @@ -0,0 +1,116 @@ +--- +title: Policy CSP - ADMX_FTHSVC +description: Policy CSP - ADMX_FTHSVC +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/15/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_FTHSVC +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
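Review bot: The new entry in policies-in-policy-csp-admx-backed.md links to `./policy-csp-admx-fthsvc-wdiscenarioexecutionpolicy.md`, but the file this patch creates (and the toc.yml entry below points to) is `policy-csp-admx-fthsvc.md`, so the link will be broken; change it to `./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy`.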
+ + +## ADMX_FTHSVC policies + +
+
+ ADMX_FTHSVC/WdiScenarioExecutionPolicy +
+
+ +
+ + +**ADMX_FTHSVC/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting permits or prohibits the Diagnostic Policy Service (DPS) from automatically resolving any heap corruption problems. + +- If you enable this policy setting, the DPS detects, troubleshoots, and attempts to resolve automatically any heap corruption problems. + +- If you disable this policy setting, Windows cannot detect, troubleshoot, and attempt to resolve automatically any heap corruption problems that are handled by the DPS. +If you do not configure this policy setting, the DPS enables Fault Tolerant Heap for resolution by default. +This policy setting takes effect only if the diagnostics-wide scenario execution policy is not configured. +This policy setting takes effect only when the Diagnostic Policy Service is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. +The DPS can be configured with the Services snap-in to the Microsoft Management Console. +No system restart or service restart is required for this policy setting to take effect: changes take effect immediately. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Configure Scenario Execution Level* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Fault Tolerant Heap* +- GP ADMX file name: *FTHSVC.admx* + + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 76433d4d19..dc49d0d690 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -485,6 +485,8 @@ items: href: policy-csp-admx-folderredirection.md - name: ADMX_FramePanes href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md - name: ADMX_Globalization href: policy-csp-admx-globalization.md - name: ADMX_GroupPolicy From fd963bd7d8b4b73be47820e7aeb6e7135d0623e2 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 18:52:33 +0530 Subject: [PATCH 09/20] Update policy-configuration-service-provider.md --- .../mdm/policy-configuration-service-provider.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 82b6038a3e..584f15a4e5 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1187,6 +1187,7 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_FTHSVC policies ### ADMX_Help policies
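Review bot: The "### ADMX_FTHSVC policies" heading is inserted into policy-configuration-service-provider.md with no dl/dd entry beneath it, unlike the ADMX_FramePanes section added in patch 06/20, so the index shows an empty heading for this policy group. Patch 10/20 in this series adds the missing ADMX_FTHSVC/WdiScenarioExecutionPolicy entry; either squash the two commits or include the entry here so no intermediate commit leaves the index incomplete.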
From 61904effb4d5e4481def041491234225329684e8 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Wed, 15 Sep 2021 19:39:05 +0530 Subject: [PATCH 10/20] Updated --- .../policy-configuration-service-provider.md | 13 ++ .../mdm/policy-csp-admx-hotspotauth.md | 115 ++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-hotspotauth.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 584f15a4e5..4496c8609f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1188,6 +1188,12 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
### ADMX_FTHSVC policies +
+
+ ADMX_FTHSVC/WdiScenarioExecutionPolicy +
+
+ ### ADMX_Help policies
@@ -1204,6 +1210,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_HotSpotAuth policies +
+
+ ADMX_HotSpotAuth/HotspotAuth_Enable +
+
+ ### ADMX_Globalization policies
diff --git a/windows/client-management/mdm/policy-csp-admx-hotspotauth.md b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md new file mode 100644 index 0000000000..17e85306fc --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-hotspotauth.md @@ -0,0 +1,115 @@ +--- +title: Policy CSP - ADMX_HotSpotAuth +description: Policy CSP - ADMX_HotSpotAuth +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/15/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_HotSpotAuth +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_HotSpotAuth policies + +
+
+ ADMX_HotSpotAuth/HotspotAuth_Enable +
+
+ +
+ + +**ADMX_HotSpotAuth/HotspotAuth_Enable** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting defines whether WLAN hotspots are probed for Wireless Internet Service Provider roaming (WISPr) protocol support. + +- If a WLAN hotspot supports the WISPr protocol, users can submit credentials when manually connecting to the network. + +- If authentication is successful, users will be connected automatically on subsequent attempts. Credentials can also be configured by network operators. + +- If you enable this policy setting, or if you do not configure this policy setting, WLAN hotspots are automatically probed for WISPR protocol support. + +- If you disable this policy setting, WLAN hotspots are not probed for WISPr protocol support, and users can only authenticate with WLAN hotspots using a web browser. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Enable Hotspot Authentication* +- GP name: *HotspotAuth_Enable* +- GP path: *Network\Hotspot Authentication* +- GP ADMX file name: *HotSpotAuth.admx* + + + + +
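Review bot: In policy-csp-admx-hotspotauth.md the enable bullet writes "WISPR" while every other mention uses "WISPr"; also, the first two bullets ("If a WLAN hotspot supports the WISPr protocol ...", "If authentication is successful ...") describe how the protocol behaves rather than the effect of an enable/disable state, so they belong in the introductory paragraph, leaving the list for the enabled and disabled/not-configured outcomes. Since the text says users "will be connected automatically on subsequent attempts" and that credentials "can also be configured by network operators", it is worth stating in the enabled bullet that, once authenticated, the stored credentials are submitted without further prompting on later connections, as that is the trade-off an administrator is weighing when deciding whether to leave probing on. The front-matter description again duplicates the title.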
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + From 266f215617500b3a9497e5600814d25b7b23c2e2 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Thu, 16 Sep 2021 17:37:38 +0530 Subject: [PATCH 11/20] 5402449-Localpoliciessecurityoptions: Updated Missing Documentation Added missing documentation (MicrosoftNetworkClient_DigitallySignCommunicationsAlways) in Policy CSP - LocalPoliciesSecurityOptions - Windows Client Management | Microsoft Docs. --- ...policy-csp-localpoliciessecurityoptions.md | 1090 +++++++++++------ 1 file changed, 729 insertions(+), 361 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index c004295d70..50d1696f71 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1,6 +1,6 @@ --- title: Policy CSP - LocalPoliciesSecurityOptions -description: These settings prevents users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. +description: These settings prevent users from adding new Microsoft accounts on a specific computer using LocalPoliciesSecurityOptions. ms.author: dansimp ms.topic: article ms.prod: w10 @@ -69,6 +69,9 @@ manager: dansimp
LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior
+
+ LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways +
LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees
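Review bot: In the Enable Hotspot Authentication hunk at the top of this section (the WISPr policy description), the third bullet spells the protocol `WISPR` while every other mention in the same text uses `WISPr`; make it `WISPr` throughout. In the same tip, `<Format>chr</Format>` is not wrapped in backticks, so Markdown will treat the angle brackets as HTML tags and the reader will see only `chr`; write it as `` `<Format>chr</Format>` `` so the SyncML element survives rendering.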
@@ -173,28 +176,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
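Review bot: The replacement edition table drops the footnote markers that were attached to the check marks in the removed rows (`check mark3` here, `check mark4` in later tables), and this same rewrite is repeated for every edition table in the file. Whatever those markers indicated for the Windows 10 column is silently lost; either carry the marker into the new Windows 10 cell, or remove the corresponding footnote definitions too, if any remain in the file, so the page does not keep a legend that nothing references.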
@@ -245,28 +254,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -322,28 +337,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -385,28 +406,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -448,28 +475,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -512,28 +545,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -576,28 +615,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -642,28 +687,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -705,28 +756,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -772,28 +829,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -843,29 +906,34 @@ Valid values: - - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -917,28 +985,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -991,28 +1065,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -1058,28 +1138,34 @@ Valid values: From 0 to 599940, where the value is the amount of inactivity time - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -1123,28 +1209,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -1186,28 +1278,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1254,6 +1352,88 @@ GP Info: - GP Friendly name: *Interactive logon: Smart card removal behavior* - GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + + +
+ + +**LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsAlways** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProYesYes
BusinessYesYes
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Microsoft network client: Digitally sign communications (always) + +This security setting determines whether packet signing is required by the SMB client component. The server message block (SMB) protocol provides the basis for Microsoft file and print sharing and many other networking operations, such as remote Windows administration. To prevent man-in-the-middle attacks that modify SMB packets in transit, the SMB protocol supports the digital signing of SMB packets. This policy setting determines whether SMB packet signing must be negotiated before further communication with an SMB server is permitted. + +If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. + +Default: Disabled. + +>[!Important] +>For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). + +>[!Note] +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. + +On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. 
+- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. + +SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136." + + + +GP Info: +- GP Friendly name: *Microsoft network client: Digitally sign communications (always)* +- GP path: *Windows Settings/Security Settings/Local Policies/Security Options* + @@ -1265,28 +1445,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
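Review bot: In the new MicrosoftNetworkClient_DigitallySignCommunicationsAlways section (the hunk starting `@@ -1254,6 +1352,88 @@`), the performance paragraph ends with a stray double quote after the link (`...LinkID=787136."`); drop it. The callouts are written `>[!Important]` and `>[!Note]`, whereas the hotspot hunk earlier in this same patch series uses the upper-case forms `> [!TIP]` and `> [!NOTE]`; use `> [!IMPORTANT]` and `> [!NOTE]` so they render consistently. Also reconsider whether the Windows 2000 client-side guidance in the Important block belongs in a Windows 10/11 CSP reference at all, since the table above it lists only Windows 10 and Windows 11.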
@@ -1313,14 +1499,16 @@ If this setting is enabled, the Microsoft network client will ask the server to Default: Enabled. -Notes +>[!Note] +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. 
If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. + SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. @@ -1341,28 +1529,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
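Review bot: In the MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees hunk (`@@ -1313,14 +1499,16 @@`), the new four-item bullet list is immediately followed by the unchanged context line "If both client-side and server-side SMB signing is enabled..." with no blank line between them, so Markdown renders that sentence as a continuation of the last bullet. Insert a blank line after the last `- Microsoft network server: ...` item, or move the sentence into the `>[!Note]` callout as its own `>` paragraph.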
@@ -1404,28 +1598,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
@@ -1482,28 +1682,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1533,21 +1739,21 @@ Default: Disabled for member servers. Enabled for domain controllers. -Notes +>[!Note] +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. + +On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -All Windows operating systems support both a client-side SMB component and a server-side SMB component. On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. 
Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. -Important - -For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: -Microsoft network server: Digitally sign communications (if server agrees) +>[!Important] +>For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature @@ -1570,28 +1776,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
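Review bot: In the MicrosoftNetworkServer "always" hunk (`@@ -1533,21 +1739,21 @@`), the rewritten Important callout tells the administrator to set "Microsoft network server: Digitally sign communications (if server agrees)", but the server-side counterpart, as the four-item list added in this very hunk shows, is "Microsoft network server: Digitally sign communications (if client agrees)". The wrong name was already in the removed text, but since the hunk reflows the sentence anyway, correct it here so the callout points at a policy that exists.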
@@ -1618,18 +1830,19 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. -Important +>[!Important] +>For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature +>[!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. -Notes - -All Windows operating systems support both a client-side SMB component and a server-side SMB component. For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. 
+- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. + SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. @@ -1650,28 +1863,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
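Review bot: In the MicrosoftNetworkServer "if client agrees" hunk (`@@ -1618,18 +1830,19 @@`), the callout lines mix `> All Windows operating systems...` with `>For Windows 2000 servers...`, so the blockquote prefix spacing is inconsistent; pick one form. As in the client-side hunk above, the new bullet list runs straight into the unchanged context line "If both client-side and server-side SMB signing is enabled..." without a blank line, which makes that sentence render as part of the last bullet; add a blank line after the final list item.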
@@ -1702,9 +1921,8 @@ Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. -Important - -This policy has no impact on domain controllers. +>[!Important] +>This policy has no impact on domain controllers. @@ -1723,28 +1941,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1786,28 +2010,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1849,28 +2079,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -1912,28 +2148,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -1979,28 +2221,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -2047,28 +2295,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2115,28 +2369,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2169,9 +2429,8 @@ Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). -Important - -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. +>[!Important] +>This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. Default: @@ -2198,28 +2457,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2266,28 +2531,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2334,28 +2605,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2408,28 +2685,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2487,28 +2770,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2566,28 +2855,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2645,28 +2940,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -2719,28 +3020,34 @@ Valid values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -2784,28 +3091,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -2858,27 +3171,34 @@ Valid values: - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -2934,28 +3254,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3002,28 +3328,34 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -3067,28 +3399,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3132,28 +3470,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3204,28 +3548,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3272,28 +3622,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
@@ -3337,28 +3693,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark4YesYes
Businesscheck mark4YesYes
Enterprisecheck mark4YesYes
Educationcheck mark4YesYes
@@ -3402,28 +3764,34 @@ GP Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark3YesYes
Businesscheck mark3YesYes
Enterprisecheck mark3YesYes
Educationcheck mark3YesYes
From 7c37664b9388f7c81a84bb0434f03751f36b618f Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 17 Sep 2021 11:59:52 +0530 Subject: [PATCH 12/20] Updated the file as per feedback and suggestions --- ...policy-csp-localpoliciessecurityoptions.md | 115 +++++++----------- 1 file changed, 41 insertions(+), 74 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 50d1696f71..256a265ebe 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -666,9 +666,8 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled -Note - -This setting does not affect the ability to add a local printer. This setting does not affect Administrators. +[!Note] +>This setting does not affect the ability to add a local printer. This setting does not affect Administrators. 
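Review bot: In the printer-driver hunk (`@@ -666,9 +666,8 @@`), the callout opener is written `[!Note]` without the leading `>`, while the following line does start with `>`. Without the `>` the first line is plain text and the second line becomes a bare blockquote, so the note does not render as a callout at all; change the opener to `> [!NOTE]`.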
@@ -1412,21 +1411,16 @@ This security setting determines whether packet signing is required by the SMB c If this setting is enabled, the Microsoft network client will not communicate with a Microsoft network server unless that server agrees to perform SMB packet signing. If this policy is disabled, SMB packet signing is negotiated between the client and server. -Default: Disabled. - ->[!Important] ->For this policy to take effect on computers running Windows 2000, client-side packet signing must also be enabled. To enable client-side SMB packet signing, set Microsoft network client: Digitally sign communications (if server agrees). +Default: Disabled. >[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. - -On Windows 2000 and later operating systems, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. - -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136." 
+>All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +>- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +>- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +>- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +>- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). 
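Review bot: In the DigitallySignCommunicationsAlways hunk (`@@ -1412,21 +1411,16 @@`), the first callout line is missing a space after the sentence end: `...a server-side SMB component.Enabling or requiring...`; insert the space. The `-Default: Disabled.` / `+Default: Disabled. ` pair changes only trailing whitespace and should be dropped from the diff, since it adds noise without changing the rendered text.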
@@ -1500,17 +1494,15 @@ If this setting is enabled, the Microsoft network client will ask the server to Default: Enabled. >[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. - -On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. - -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +>- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. 
+>- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +>- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +>- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +>If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). 
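Review bot: In the DigitallySignCommunicationsIfServerAgrees hunk (`@@ -1500,17 +1494,15 @@`), the line `>If both client-side and server-side SMB signing is enabled...` follows the last `>- Microsoft network server: ...` bullet directly, so inside the callout it renders as a continuation of that bullet; insert a bare `>` line before it. The final `For more information, reference: ...` line has no `>` prefix although every preceding line of the note does; add the prefix so the link stays inside the callout instead of relying on lazy continuation.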
@@ -1734,30 +1726,18 @@ The server message block (SMB) protocol provides the basis for Microsoft file an If this setting is enabled, the Microsoft network server will not communicate with a Microsoft network client unless that client agrees to perform SMB packet signing. If this setting is disabled, SMB packet signing is negotiated between the client and server. -Default: - -Disabled for member servers. -Enabled for domain controllers. +Default: Disabled for member servers. Enabled for domain controllers. >[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. - -On Windows 2000 and later, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. - -Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. -If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. 
- ->[!Important] ->For this policy to take effect on computers running Windows 2000, server-side packet signing must also be enabled. To enable server-side SMB packet signing, set the following policy: Microsoft network server: Digitally sign communications (if server agrees) - -For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the Windows 2000 server: -HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. +>All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +>- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +>- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +>- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +>- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> +>Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +>If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. 
+>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). 
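Review bot: `>If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled.` describes the negotiate behaviour of the `(if client agrees)` setting, but this section is `(always)`, whose opening sentence in the hunk says the server will not communicate with a client unless that client agrees to sign. Since the note is being rewritten anyway, either drop that sentence or reword it to say that with this setting enabled unsigned sessions are refused, so the two server-side settings are not described as doing the same thing. Removing the Windows 2000 / Windows NT 4.0 `enableW9xsecuritysignature` registry block is fine; nothing in the remaining text depends on it.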
@@ -1830,21 +1810,16 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. ->[!Important] ->For Windows 2000 servers to negotiate signing with Windows NT 4.0 clients, the following registry value must be set to 1 on the server running Windows 2000: HKLM\System\CurrentControlSet\Services\lanmanserver\parameters\enableW9xsecuritysignature - >[!Note] -> All Windows operating systems support both a client-side SMB component and a server-side SMB component. - -For Windows 2000 and above, enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: -- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. -- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. -- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. -- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. -If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. - -SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: https://go.microsoft.com/fwlink/?LinkID=787136. +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. 
Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +>- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +>- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +>- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +>- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +>If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -2347,11 +2322,6 @@ This security setting determines if, at the next password change, the LAN Manage Default on Windows Vista and above: Enabled Default on Windows XP: Disabled. -Important - -Windows 2000 Service Pack 2 (SP2) and above offer compatibility with authentication to previous versions of Windows, such as Microsoft Windows NT 4.0. -This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP, and the Windows Server 2003 family to communicate with computers running Windows 95 and Windows 98. - GP Info: 
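Review bot: in the `@@ -1830` hunk the final `+For more information, reference: [...]` line again lacks the `>` prefix, so it drops out of the `[!Note]` block while the rest of the text is inside it; prefix it with `>` so the note renders as one block, matching the `@@ -1734` hunk. In the `@@ -2347` hunk the removed `Important` paragraph was only about Windows 2000 SP2 and Windows 95/98, so dropping it is fine, but `Default on Windows XP: Disabled.` is kept on the line above; see the note on the next hunks about stating the pruning criterion.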
@@ -2429,12 +2399,9 @@ Send NTLMv2 response only\refuse LM: Clients use NTLMv2 authentication only and Send NTLMv2 response only\refuse LM and NTLM: Clients use NTLMv2 authentication only and use NTLMv2 session security if the server supports it; domain controllers refuse LM and NTLM (accept only NTLMv2 authentication). ->[!Important] ->This setting can affect the ability of computers running Windows 2000 Server, Windows 2000 Professional, Windows XP Professional, and the Windows Server 2003 family to communicate with computers running Windows NT 4.0 and earlier over the network. For example, at the time of this writing, computers running Windows NT 4.0 SP4 and earlier did not support NTLMv2. Computers running Windows 95 and Windows 98 did not support NTLM. - Default: -Windows 2000 and windows XP: send LM and NTLM responses +windows XP: send LM and NTLM responses Windows Server 2003: Send NTLM response only @@ -2510,7 +2477,7 @@ This security setting allows a client device to require the negotiation of 128-b Default: -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. +Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption. @@ -2584,7 +2551,7 @@ Require 128-bit encryption. The connection will fail if strong encryption (128-b Default: -Windows XP, Windows Vista, Windows 2000 Server, Windows Server 2003, and Windows Server 2008: No requirements. +Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008: No requirements. Windows 7 and Windows Server 2008 R2: Require 128-bit encryption From 49b4a83d17ed83c4e1f61f4544e85791a83a355a Mon Sep 17 00:00:00 2001 
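Review bot: in the `@@ -2429` hunk the rewritten default reads `+windows XP: send LM and NTLM responses`; since the line is being touched, capitalize it as `Windows XP` to match `Windows Server 2003: Send NTLM response only` directly below it. More generally, these hunks (and `@@ -2510` / `@@ -2584`) remove Windows 2000 from the default lists but keep Windows XP and Windows Server 2003, so the criterion for what is pruned is not visible from the diff; state in the PR description whether the scope is "Windows 2000 only" or "out-of-support operating systems", and if it is the latter, XP and 2003 should go in the same pass rather than a later one.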
From: Alekhya Jupudi Date: Fri, 17 Sep 2021 13:38:48 +0530 Subject: [PATCH 13/20] Update policy-csp-localpoliciessecurityoptions.md --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 256a265ebe..d88347f9e1 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -666,7 +666,7 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled -[!Note] +>[!Note] >This setting does not affect the ability to add a local printer. This setting does not affect Administrators. 
@@ -1420,7 +1420,7 @@ Default: Disabled. >- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. >- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md) . 
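Review bot: replacing the `https://docs.microsoft.com/troubleshoot/...` link with `https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4.../...md` points readers at raw source markdown pinned to a single commit, so it renders outside the docs site and will never pick up later revisions of the support article; keep the published-page link (the relative `/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing` form is the convention elsewhere in this repo). There is also a stray space before the period at the end of the new line: `...signing.md) .`. The same link swap is repeated in the `@@ -1502`, `@@ -1737` and `@@ -1819` hunks that follow.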
@@ -1502,7 +1502,7 @@ Default: Enabled. >If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > >SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). 
@@ -1737,7 +1737,7 @@ Default: Disabled for member servers. Enabled for domain controllers. > >Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. >If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). 
@@ -1819,7 +1819,7 @@ Default: Enabled on domain controllers only. >If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > >SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://docs.microsoft.com/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). From d70fd37e67aed91bc008ce627d19382c79460e95 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 17 Sep 2021 16:03:20 +0530 Subject: [PATCH 14/20] updated --- .../policy-configuration-service-provider.md | 9 ++ .../mdm/policy-csp-admx-iis.md | 113 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 124 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-iis.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 4496c8609f..2cfb72007a 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1528,6 +1528,15 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_IIS policies +
+
+ ADMX_IIS/PreventIISInstall +
+
+ ### ADMX_kdc policies
diff --git a/windows/client-management/mdm/policy-csp-admx-iis.md b/windows/client-management/mdm/policy-csp-admx-iis.md new file mode 100644 index 0000000000..7516b56b97 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-iis.md @@ -0,0 +1,113 @@ +--- +title: Policy CSP - ADMX_IIS +description: Policy CSP - ADMX_IIS +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/17/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_IIS +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_IIS policies + +
+
+ ADMX_IIS/PreventIISInstall +
+
+ +
+ + +**ADMX_IIS/PreventIISInstall** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting prevents installation of Internet Information Services (IIS) on this computer. + +- If you enable this policy setting, Internet Information Services (IIS) cannot be installed, and you will not be able to install Windows components or applications that require IIS. Users installing Windows components or applications that require IIS might not receive a warning that IIS cannot be installed because of this Group Policy setting. + +Enabling this setting will not have any effect on IIS if IIS is already installed on the computer. + +- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run." + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + + +ADMX Info: +- GP Friendly name: *Prevent IIS installation* +- GP name: *PreventIISInstall* +- GP path: *Windows Components\Internet Information Services* +- GP ADMX file name: *IIS.admx* + + + + +
+ +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index dc49d0d690..eb0e3b7e08 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -497,6 +497,8 @@ items: href: policy-csp-admx-helpandsupport.md - name: ADMX_ICM href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md - name: ADMX_kdc href: policy-csp-admx-kdc.md - name: ADMX_Kerberos From 97f0f2cbc2c4c6d4b83bf7e0568ac69b636c2a86 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Fri, 17 Sep 2021 16:13:34 +0530 Subject: [PATCH 15/20] Update policies-in-policy-csp-admx-backed.md --- .../mdm/policies-in-policy-csp-admx-backed.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 0c20f673c6..912040f409 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
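Review bot: in `policy-csp-admx-iis.md` the description line `+- If you disable or do not configure this policy setting, IIS can be installed, as well as all the programs and applications that require IIS to run."` ends with a stray double quote carried over from the ADMX string; remove it. Two smaller points: `ADMX Info:` here uses `GP Friendly name:` while the other new page in this series, `policy-csp-admx-leakdiagnostic.md`, uses `GP English name:`, so pick one label for both; and since the text itself states `Enabling this setting will not have any effect on IIS if IIS is already installed on the computer`, keep that sentence as its own paragraph rather than burying it between the bullets, because it is the practical caveat an administrator needs: the policy prevents future installs and is not a way to detect or remove an IIS instance that is already present.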
@@ -293,7 +293,7 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) - [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) - [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) -- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc-wdiscenarioexecutionpolicy.md#admx-fthsvc-wdiscenarioexecutionpolicy) +- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy) - [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) - [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) - [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) @@ -395,6 +395,7 @@ ms.date: 10/08/2020 - [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2) - [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) - [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) +- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) From b7c667953575042501de18ba86e0c22a6246c1a6 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 17 Sep 2021 16:15:59 +0530 Subject: [PATCH 16/20] Link fix --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
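Review bot: the `@@ -293` hunk changes the `ADMX_FTHSVC/WdiScenarioExecutionPolicy` link target from `policy-csp-admx-fthsvc-wdiscenarioexecutionpolicy.md` to `policy-csp-admx-fthsvc.md`, which is unrelated to adding the `ADMX_IIS/PreventIISInstall` entry in the `@@ -395` hunk and is not mentioned in the commit message `Update policies-in-policy-csp-admx-backed.md`; either split the link fix into its own commit or name it in the message so it is findable in history.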
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index d88347f9e1..798ae71573 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1420,7 +1420,7 @@ Default: Disabled. >- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. >- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md) . +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). From 6cba995ed1bda001c06e601136dd13bb81120a94 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Fri, 17 Sep 2021 16:21:33 +0530 Subject: [PATCH 17/20] link fixes-part-2 --- .../mdm/policy-csp-localpoliciessecurityoptions.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
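Review bot: this hunk, together with the three in the following `link fixes-part-2` commit, reverts the GitHub blob links introduced in `Update policy-csp-localpoliciessecurityoptions.md` (PATCH 13/20) to the relative `/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing` docs path, and also removes the stray `) .` spacing. The end state is correct, but squash PATCH 13, 16 and 17 before merge so the history never contains a version of the published page that points at a commit-pinned source file.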
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 798ae71573..1c0cdcacb8 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -1502,7 +1502,7 @@ Default: Enabled. >If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > >SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). 
@@ -1737,7 +1737,7 @@ Default: Disabled for member servers. Enabled for domain controllers. > >Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. >If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). +>SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). 
@@ -1819,7 +1819,7 @@ Default: Enabled on domain controllers only. >If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > >SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](https://github.com/MicrosoftDocs/SupportArticles-docs/blob/d3eb07e4942ef66cbb98d8e2a0df5cfb598230a7/support/windows-server/networking/reduced-performance-after-smb-encryption-signing.md). +For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). From 17e9e58a6da94d0f6fb7a861c1e4114600dc80fd Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sat, 18 Sep 2021 15:08:27 +0530 Subject: [PATCH 18/20] updated --- .../policy-configuration-service-provider.md | 7 + .../mdm/policy-csp-admx-leakdiagnostic.md | 123 ++++++++++++++++++ windows/client-management/mdm/toc.yml | 2 + 3 files changed, 132 insertions(+) create mode 100644 windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index 2cfb72007a..c7181e248d 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -1618,6 +1618,13 @@ dfsdiscoverdc">ADMX_DFS/DFSDiscoverDC
+### ADMX_LeakDiagnostic policies +
+
+ ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy +
+
+ ### ADMX_LinkLayerTopologyDiscovery policies
diff --git a/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md new file mode 100644 index 0000000000..23ab94d3d1 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-admx-leakdiagnostic.md @@ -0,0 +1,123 @@ +--- +title: Policy CSP - ADMX_LeakDiagnostic +description: Policy CSP - ADMX_LeakDiagnostic +ms.author: dansimp +ms.localizationpriority: medium +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: nimishasatapathy +ms.date: 09/17/2021 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - ADMX_LeakDiagnostic +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## ADMX_LeakDiagnostic policies + +
+
+ ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy +
+
+ + +
+ + +**ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy** + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
EditionWindows 10Windows 11
HomeNoNo
ProNoNo
BusinessNoNo
EnterpriseYesYes
EducationYesYes
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Machine + +
+ + + +This policy setting substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault. + +- If you enable this policy setting, Windows displays custom alert text in the disk diagnostic message. The custom text may not exceed 512 characters. + +- If you disable or do not configure this policy setting, Windows displays the default alert text in the disk diagnostic message. + +No reboots or service restarts are required for this policy setting to take effect: changes take effect immediately. + +This policy setting only takes effect if the Disk Diagnostic scenario policy setting is enabled or not configured and the Diagnostic Policy Service (DPS) is in the running state. When the service is stopped or disabled, diagnostic scenarios are not executed. + +The DPS can be configured with the Services snap-in to the Microsoft Management Console. + +> [!NOTE] +> For Windows Server systems, this policy setting applies only if the Desktop Experience optional component is installed and the Remote Desktop Services role is not installed. + + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). 
+ + +ADMX Info: +- GP English name: *Configure custom alert text* +- GP name: *WdiScenarioExecutionPolicy* +- GP path: *System\Troubleshooting and Diagnostics\Disk Diagnostic* +- GP ADMX file name: *LeakDiagnostic.admx* + + + +
+ + + +> [!NOTE] +> These policies are currently only available as part of a Windows Insider release. + + + diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index eb0e3b7e08..5a2779b257 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -507,6 +507,8 @@ items: href: policy-csp-admx-lanmanserver.md - name: ADMX_LanmanWorkstation href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md - name: ADMX_LinkLayerTopologyDiscovery href: policy-csp-admx-linklayertopologydiscovery.md - name: ADMX_Logon From 47268eeea5d00f6afe4a242f89b7fa5594b80423 Mon Sep 17 00:00:00 2001 From: nimishasatapathy <75668234+nimishasatapathy@users.noreply.github.com> Date: Sat, 18 Sep 2021 15:26:45 +0530 Subject: [PATCH 19/20] Update policies-in-policy-csp-admx-backed.md --- .../client-management/mdm/policies-in-policy-csp-admx-backed.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 912040f409..b3c2dcc841 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
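Review bot: the policy description and the ADMX Info in this new-file hunk describe different policies. The page is policy-csp-admx-leakdiagnostic.md, the ADMX Info gives GP ADMX file name *LeakDiagnostic.admx* and GP name *WdiScenarioExecutionPolicy*, yet the body text ("substitutes custom alert text in the disk diagnostic message shown to users when a disk reports a S.M.A.R.T. fault", the 512-character limit, the dependency on "the Disk Diagnostic scenario policy setting") and the GP path *System\Troubleshooting and Diagnostics\Disk Diagnostic* belong to a custom-alert-text setting for Disk Diagnostic, not to a scenario execution policy in the leak diagnostic ADMX. Please re-derive the description, GP English name and GP path from the LeakDiagnostic.admx/.adml strings before merge; if the real setting is an execution-level choice rather than free text, the `<Format>chr</Format>` guidance and the 512-character note in the TIP block also need re-checking, otherwise admins will push a text payload to a policy that does not take one.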
@@ -417,6 +417,7 @@ ms.date: 10/08/2020 - [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder) - [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles) - [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) +- [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) - [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) From 3e597cfb6b4fc6fcd8e76cc290bf152ec2b9661d Mon Sep 17 00:00:00 2001 From: Diana Hanson Date: Mon, 20 Sep 2021 09:30:01 -0600 Subject: [PATCH 20/20] Update policies-in-policy-csp-admx-backed.md fixed link syntax --- .../mdm/policies-in-policy-csp-admx-backed.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index c31aaee266..2dbb97d08c 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md 
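Review bot: the anchor `#admx-leakdiagnostic-wdiscenarioexecutionpolicy` in the new entry must match the explicit anchor id on the new policy-csp-admx-leakdiagnostic.md page, which this hunk does not show; confirm it resolves, since the sibling entries depend on the same heading-to-anchor pattern. Also, the hunk context shows `ms.date: 10/08/2020` unchanged even though this commit changes the page's content; bump it along with the edit.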
@@ -284,7 +284,7 @@ ms.date: 10/08/2020 - [ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) -- ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) +- [ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) - [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption) - [ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled) - [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings) @@ -1766,4 +1766,4 @@ ms.date: 10/08/2020 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file +[Policy CSP](policy-configuration-service-provider.md)
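Review bot: the first hunk correctly restores the missing opening `[` on the ADMX_FileSys/DisableEncryption entry, but a dropped bracket like this renders as plain text without failing the build, so consider adding a markdown link lint to the PR checks for this page; every entry follows the same `- [Name](./page.md#anchor)` shape, which makes such a check cheap. The second hunk only adds the missing newline at end of file.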