From b56593cebea82935ccd06883cea9646c5ce6edd6 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Tue, 22 Jun 2021 10:48:28 -0700 Subject: [PATCH 01/23] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 42 +++++++------------ 1 file changed, 14 insertions(+), 28 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 822869ba60..f9382b3938 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -604,34 +604,20 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv | Policy | Group Policy Path | Registry Path | |----------------------------------|--------------------|---------------------------------------------| -| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** | -| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** | -| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** | -| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** | -| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** | -| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: 
DefaultSearchProviderEnabled Set to 0** | -| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** | -| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** | -| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** | -| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** | -| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs | -| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** | -| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** | -| **AutoUpdateCheckPeriodMinutes** | Computer 
Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** | -| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** | +| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: SearchSuggestEnabled Set to 0**| +| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: AutofillAddressEnabled Set to 0**| +| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: AutofillCreditCardEnabled Set to 0**| +| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track
**Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: ConfigureDoNotTrack Set to 1** | +| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: PasswordManagerEnabled Set to 0**| +| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: DefaultSearchProviderEnabled Set to 0**| +| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen
**Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: HideFirstRunExperience Set to 1**| +| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: SmartScreenEnabled Set to 0**| +| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL
**Set to Enabled-Value “about:blank”**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_SZ name: NewTabPageLocation Set to about:blank**| +| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: RestoreOnStartup Set to 5**| +| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts
**Set to Disabled**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs
**REG_SZ name: 1 Set to about:blank**| +| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default
**Set to Enabled - 'Updates disabled'** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: UpdateDefault Set to 0**| +| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override
**Set to Enabled - Set Value for Minutes between update checks to 0**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0**| +|**Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override
**Set to RestrictedMode**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0**| ||| ### 14. Network Connection Status Indicator From 632d4d4b2e038cdc35f91db05f400eb21831feb8 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 24 Jun 2021 10:29:55 -0700 Subject: [PATCH 02/23] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md Replaced Windows Defender with Microsoft Defender Antivirus and added a GP section for Cloud Clipboard --- ...system-components-to-microsoft-services.md | 68 ++++++++++++------- 1 file changed, 42 insertions(+), 26 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 1dec9ad720..d046271409 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
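Review bot: In the rewritten Edge Enterprise table (patch 01/23, hunk @@ -604,34 +604,20 @@), the new **Experimentation and Configuration Service** row carries exactly the same Group Policy path as the **AutoUpdateCheckPeriodMinutes** row above it (`.../Microsoft Edge Update/Preferences- Auto-update check period override`), which reads as a copy-paste leftover from the old row pair: the registry value is `ExperimentationAndConfigurationServiceControl`, so its Group Policy path and its registry path (listed here under `...\Policies\Microsoft\Edge\EdgeUpdate`) should be checked against the Edge ADMX before this is merged, and "Set to RestrictedMode" should be verified against the value 0 the same cell prescribes. The **RestoreOnStartup** row is self-contradictory: it says **Set to Disabled** and then sets `REG_DWORD RestoreOnStartup` to 5, and **RestoreOnStartupURLs** has the same Disabled / `about:blank` mismatch; state the intended policy state once and make the registry value agree with it. The first row also says `Computer Configuration` while every other row says `Computer Configurations`, and all rows say `Windows Component` where the rest of this file uses `Windows Components` (see the SmartScreen section later in this series); normalize the path prefix across the table. Since the table keeps `SmartScreenEnabled` at 0, it is worth cross-referencing the file's own Important note that disabling Defender features leads to a less secure device.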
@@ -27,13 +27,13 @@ ms.date: 5/21/2021 This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. 
You should not extract this package to the windows\system32 folder because it will not apply correctly. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. > [!IMPORTANT] > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. 
Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. +> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Microsoft Defender Antivirus. Accordingly, we do not recommend disabling any of these features. > - It is recommended that you restart a device after making configuration changes to it. > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. @@ -48,7 +48,7 @@ We are always striving to improve our documentation and welcome your feedback. Y ## Management options for each setting -The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections ### Settings for Windows 10 Enterprise edition 
@@ -103,7 +103,7 @@ The following table lists management options for each setting, beginning with Wi | [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | 
@@ -131,7 +131,7 @@ See the following table for a summary of the management settings for Windows Ser | [18. Settings > Privacy](#bkmk-settingssection) | | | | | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -148,7 +148,7 @@ See the following table for a summary of the management settings for Windows Ser | [14. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [19. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 Nano Server 
@@ -213,7 +213,7 @@ See the following table for a summary of the management settings for Windows Ser | [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | 
@@ -291,7 +291,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] > Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Microsoft Defender Antivirus Firewall with Advanced Security** > **Microsoft Defender Antivirus Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. @@ -423,7 +423,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
**Set Value to: Disabled**| | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled**
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**| -| Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.| +| Prevent managing Microsoft Defender Antivirus SmartScreen | Choose whether employees can manage the Microsoft Defender Antivirus SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Microsoft Defender Antivirus SmartScreen mode** to **Off**.| | Registry Key | Registry path | @@ -432,7 +432,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| | Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | | Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing Windows Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Prevent managing Microsoft Defender Antivirus SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -567,7 +567,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender Antivirus SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -583,7 +583,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| @@ -594,13 +594,13 @@ For a complete list of the Microsoft Edge policies, see [Available policies for ### 13.2 Microsoft Edge Enterprise -For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). +For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies). > [!Important] -> - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). -> - Devices must be domain joined for some of the policies to take effect. +> - The following settings are applicable to Microsoft Edge version 77 or later. +> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows +> - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | |----------------------------------|--------------------|---------------------------------------------| 
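Review bot: The rename in hunk @@ -291,7 +291,7 @@ is wrong: the Group Policy node being expanded is the firewall snap-in, **Windows Defender Firewall with Advanced Security**, and the blanket "Windows Defender" to "Microsoft Defender Antivirus" replacement turns it into **Microsoft Defender Antivirus Firewall with Advanced Security**, a node that does not exist in the Group Policy editor. Keep the original firewall name in both places on that line; the commit message says only the antivirus product was being renamed.

Review bot: In hunk @@ -594,13 +594,13 @@ the link text changes to "Microsoft Edge and privacy: FAQ" while the target stays `/microsoft-edge/deploy/available-policies`, so the text no longer describes the page it points to; the link is also changed from a docs-relative path to an absolute `https://docs.microsoft.com/en-us/...` URL, unlike the other links in this file, and the two Important bullets lose both their links (to the supported operating systems page and to "Configure Microsoft Edge policy settings on Windows") and their closing periods. Keep the original link text and targets and change only what the commit intends.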
@@ -913,7 +913,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). -To turn off **Turn on Windows Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**: +To turn off **Turn on Microsoft Defender Antivirus SmartScreen to check web content (URLs) that Microsoft Store apps use**: - Turn off the feature in the UI. 
@@ -1616,13 +1616,13 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 24. Windows Defender +### 24. Microsoft Defender Antivirus You can disconnect from the Microsoft Antimalware Protection Service. > [!IMPORTANT] -> **Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903** -> 1. Ensure Windows and Windows Defender are fully up to date. +> **Required Steps BEFORE setting the Microsoft Defender Antivirus Group Policy or RegKey on Windows 10 version 1903** +> 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date. > 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** 
@@ -1687,21 +1687,21 @@ You can turn off **Enhanced Notifications** as follows: - Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**. -### 24.1 Windows Defender SmartScreen +### 24.1 Microsoft Defender Antivirus SmartScreen -To disable Windows Defender SmartScreen: +To disable Microsoft Defender Antivirus SmartScreen: In Group Policy, configure: -- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled** +- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure Microsoft Defender Antivirus SmartScreen** to be **Disabled** -and- -- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Microsoft Defender Antivirus SmartScreen** : **Disable** -and- -- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** +- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** -OR- 
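Review bot: Hunks @@ -423,7, @@ -432,7, @@ -567,7, @@ -583,7, @@ -913,7 and @@ -1687,21 rename "Windows Defender SmartScreen" to "Microsoft Defender Antivirus SmartScreen", but SmartScreen is not part of the antivirus product, and this file already uses the right name in the Edge table of patch 01/23 ("SmartScreen settings-Configure Microsoft Defender SmartScreen"). The renamed Group Policy paths (for example **Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure Microsoft Defender Antivirus SmartScreen** in the @@ -1687 hunk) therefore point at nodes that do not exist under that name, and the 24.1 heading inherits the same error; replace "Antivirus SmartScreen" with "SmartScreen" throughout these hunks. The registry paths left as context (`...\Windows Defender\Reporting`, `...\Internet Explorer\PhishingFilter`, `...\MicrosoftEdge\PhishingFilter`) are correct as they stand and should not be renamed in a follow-up.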
@@ -1930,6 +1930,22 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**. +### 30. Cloud Clipboard + +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + +ADMX Info: + +- GP English name: Allow Clipboard synchronization across devices
+- GP name: AllowCrossDeviceClipboard
+- GP path: System/OS Policies
+- GP ADMX file name: OSPolicy.admx
+ +The following list shows the supported values:
+0 – Not allowed. 1 (default) – Allowed.
+ ### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline From 730d0f752c3ed9916cb428f8c13931e30862f9a3 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 24 Jun 2021 10:53:50 -0700 Subject: [PATCH 03/23] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md Added Services Config section and Menu links. --- ...erating-system-components-to-microsoft-services.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d046271409..a66e8d0a3a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -109,6 +109,8 @@ The following table lists management options for each setting, beginning with Wi | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 with Desktop Experience 
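Review bot: The two rows added to the management table link to #bkmk-clcp and #bkmk-svccfg, but the "### 30. Cloud Clipboard" heading added in PATCH 01/23 carries no such id, and a fragment link only resolves when the target heading carries it (the existing rows, for example #bkmk-wu for 29. Windows Update, depend on the same thing); give both new headings a matching anchor or the links will jump to the top of the page. The same applies to the identical rows in the Windows Server 2016 table. On the Cloud Clipboard section itself: it is the only section written in CSP style ("Specifies whether ...", "Most restricted value is 0", ADMX Info) and gives a GP name but no registry path, whereas every other section around it lists the HKEY_LOCAL_MACHINE value to set; add the registry equivalent so the setting can be applied on machines without the ADMX, and make "0 – Not allowed. 1 (default) – Allowed." a two-item list rather than one run-on line.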
@@ -219,6 +221,8 @@ See the following table for a summary of the management settings for Windows Ser | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | | [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ## How to configure each setting @@ -1946,6 +1950,13 @@ ADMX Info: The following list shows the supported values:
0 – Not allowed. 1 (default) – Allowed.
+### 31. Services Configuration + +Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working. + +You can turn off Services Configuration by setting the following registry entries: + +Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection** and set the value to **1**. ### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline From 4991d4fcf561c25e7dce64ef278f213db686ca64 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 10:46:21 +0100 Subject: [PATCH 04/23] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...perating-system-components-to-microsoft-services.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2e5dcae25d..e4aef3529a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
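Review bot: "by setting the following registry entries" announces several entries but only one, DisableOneSettingsDownloads, follows; say "the following registry entry" and format it as a "- Add a REG_DWORD value ..." bullet like the HapDownloadEnabled item above so the sections read the same way. The row for this section in the management table links to #bkmk-svccfg and is checked in two of the management columns, yet the heading has no anchor and the section offers only a registry value and no Group Policy setting; add the id and either the matching GP setting or drop the extra check mark. The warning that apps relying on this service "may stop working" is the right caveat for a baseline setting and should stay.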
@@ -295,7 +295,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] > Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Microsoft Defender Antivirus Firewall with Advanced Security** > **Microsoft Defender Antivirus Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. @@ -427,7 +427,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
**Set Value to: Disabled**| | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled**
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**| -| Prevent managing Microsoft Defender Antivirus SmartScreen | Choose whether employees can manage the Microsoft Defender Antivirus SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Microsoft Defender Antivirus SmartScreen mode** to **Off**.| +| Prevent managing Microsoft Defender SmartScreen | Choose whether employees can manage the Microsoft Defender SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.| | Registry Key | Registry path | @@ -436,7 +436,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| | Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | | Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing Microsoft Defender Antivirus SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Prevent managing Microsoft Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -573,7 +573,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender Antivirus SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -589,7 +589,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| From 7c1681a7cd620e9ac8eee39d242d162a951e8ec0 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 11:08:19 +0100 Subject: [PATCH 05/23] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ng-system-components-to-microsoft-services.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e4aef3529a..da8ed579e1 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -573,7 +573,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -589,7 +589,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| @@ -917,7 +917,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). -To turn off **Turn on Microsoft Defender Antivirus SmartScreen to check web content (URLs) that Microsoft Store apps use**: +To turn off **Turn on Microsoft Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**: - Turn off the feature in the UI. 
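Review bot: Across PATCH 04/23 and PATCH 05/23 the same rows are renamed twice (Microsoft Defender Antivirus SmartScreen, then Microsoft Defender SmartScreen, then Windows Defender SmartScreen) and end up mixed within a single row: "Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off." and, in the Internet Explorer table, "Prevent managing Microsoft Defender SmartScreen | ... set **Select Windows Defender SmartScreen mode** to **Off**". If the bold strings are meant to be the literal policy and option names as they appear in the Group Policy editor, say so once above the tables so the legacy "Windows Defender" wording is understood as the on-screen label while the prose uses the current product name; otherwise pick one name per row. Squashing the two patches would also avoid landing an intermediate rename that the next commit reverts. The registry values underneath (PhishingFilter, EnabledV9 = 0) are correctly unchanged and must stay as they are whatever the display name.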
@@ -1691,21 +1691,21 @@ You can turn off **Enhanced Notifications** as follows: - Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**. -### 24.1 Microsoft Defender Antivirus SmartScreen +### 24.1 Microsoft Defender SmartScreen -To disable Microsoft Defender Antivirus SmartScreen: +To disable Microsoft Defender SmartScreen: In Group Policy, configure: -- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure Microsoft Defender Antivirus SmartScreen** to be **Disabled** +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled** -and- -- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Microsoft Defender Antivirus SmartScreen** : **Disable** +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** -and- -- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** -OR- From 54678d570858669b6ca439c703746fb1b8b40e1c Mon Sep 17 00:00:00 2001 
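Review bot: This hunk reverts the section 24.1 rename made in PATCH 01/23 of this same series, restoring the "Windows Defender SmartScreen" Group Policy paths while keeping "Microsoft Defender SmartScreen" as the feature name; that split is right (the editor still shows the legacy node name), but the two commits should be squashed so the series does not introduce and then undo "Microsoft Defender Antivirus SmartScreen". Note also that 24.1 now sits as a sub-section of "24. Microsoft Defender Antivirus" even though SmartScreen is a separate component with its own policies and registry keys; a stand-alone numbered section would match how the rest of the list is organised.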
From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 11:21:30 +0100 Subject: [PATCH 06/23] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index da8ed579e1..fcadb6f4e3 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1936,7 +1936,7 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre ### 30. Cloud Clipboard -Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices. Most restricted value is 0. From 1f240ce9030c321c989cf994b0f7f0ee66954b19 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 11:58:03 +0100 Subject: [PATCH 07/23] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
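Review bot: The reworded sentence "Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices." switches to addressing the end user ("your ... devices") while the rest of the page speaks to the administrator about employees' devices; reword in the page's voice and, since this section is about limiting data leaving the device, state plainly what the restricted value does, for example "Set to 0 to keep clipboard contents on the device; items are then neither uploaded nor downloaded." The section still lacks the "To turn off ..." instruction pattern used everywhere else on the page.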
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index fcadb6f4e3..70fa555981 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -602,8 +602,8 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows +> - For details on supported Operating Systems see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). > - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | From f29a09e44a93a349e7d59c8f75aab7761d9b0f1d Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 13:54:30 +0100 Subject: [PATCH 08/23] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 70fa555981..a92f1c32cf 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -602,8 +602,8 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). +> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). > - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | From 4af1dd1bb58d923162ef3ed4bd2db31dd9b6f844 Mon Sep 17 00:00:00 2001 
From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 14:31:37 +0100 Subject: [PATCH 09/23] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a92f1c32cf..8e4e81d422 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -598,7 +598,7 @@ Alternatively, you can configure the following Registry keys as described: ### 13.2 Microsoft Edge Enterprise -For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies). +For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. From a5b85c2178031c86399f6e13ecad3228660e91e0 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 14:35:00 +0100 Subject: [PATCH 10/23] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8e4e81d422..189ace9071 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -600,7 +600,7 @@ Alternatively, you can configure the following Registry keys as described: For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). -> [!Important] +> [!IMPORTANT] > - The following settings are applicable to Microsoft Edge version 77 or later. > - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). > - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). From 16c3429dde3ae20c6df12d1880ccd6ca53a2f4d3 Mon Sep 17 00:00:00 2001 From: Brent Kendall Date: Wed, 30 Jun 2021 10:21:55 -0700 Subject: [PATCH 11/23] Update system-guard-secure-launch-and-smm-protection.md Clarified that some Intel fTPMs (technically "integrated" TPMs) are now supported. Intel has had an integrated hardware TPM in its CPUs for a while. It is not usually enabled on. They call it Platform Trust Technology or PTT, and it meets the TPM 2.0 spec. OEMs can use this PTT instead of a discrete TPM. The Core i5-10310U is one of these Comet Lake chips with PTT. --- .../system-guard-secure-launch-and-smm-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 570641d7b7..161f4fd5cc 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md 
@@ -74,7 +74,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| |--------|-----------| |64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.| +|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported, with the exception of Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| |Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| |SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData ,EfiRuntimeServicesCode , EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | |SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | @@ -94,4 +94,4 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | > [!NOTE] -> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). \ No newline at end of file +> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). From a1f4a13defbba1e3dfcf717558f65b571115e66a Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 30 Jun 2021 14:12:35 -0700 Subject: [PATCH 12/23] add note for hololens support --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 7ab4c6bf71..a77a4a7b4f 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md 
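Review bot: The edited TPM row now contradicts itself: "Platforms must support a discrete TPM 2.0." is kept as the first sentence and the exception for Intel Platform Trust Technology is bolted on after "Integrated/firmware TPMs are not supported". Reword the cell as a single requirement, e.g. "Platforms must provide a TPM 2.0: either a discrete TPM 2.0 or, on Intel platforms, Platform Trust Technology (PTT). Other integrated or firmware TPM implementations are not supported." Calling PTT "a type of integrated hardware TPM" is also at odds with the commit message, which describes it as an Intel fTPM (firmware TPM); since the whole table is scoped to Intel vPro processors, saying "firmware TPM (PTT)" is both accurate and enough. The second hunk only adds the missing newline at end of file.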
@@ -757,7 +757,7 @@ PIN enforces the following behavior for desktop and mobile devices: - 1 - Digits only - 2 - Digits and lowercase letters are required - 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop. +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or Hololens. The default value is 1. The following list shows the supported values and actual enforced values: From b937fdf6257ab9c4d561a044765925497305407c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 30 Jun 2021 15:15:40 -0700 Subject: [PATCH 13/23] Acrolinx/branding: "Hololens" × 2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- windows/client-management/mdm/policy-csp-devicelock.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index a77a4a7b4f..730e173e27 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -114,7 +114,7 @@ manager: dansimp > [!NOTE] -> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. +> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Specifies whether the user must input a PIN or password when the device resumes from an idle state.
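Review bot: "Hololens" in the added text should be "HoloLens" (the very next commit in this series fixes exactly this, so squash the two); more substantively, the four complexity values now carry inconsistent support notes: value 3 says "Not supported in desktop Microsoft accounts and domain accounts" while value 4 says "Not supported in desktop or HoloLens", leaving it unclear whether "desktop" in value 4 means all desktop account types. Spell out the account types for value 4 the same way as for value 3, and end every list item with a period or none of them (items 1 and 2 have none, 3 and 4 do).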
@@ -757,7 +757,7 @@ PIN enforces the following behavior for desktop and mobile devices: - 1 - Digits only - 2 - Digits and lowercase letters are required - 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or Hololens. +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens. The default value is 1. The following list shows the supported values and actual enforced values: @@ -1128,4 +1128,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From bbef9b3f23a7182467866c5df90bd7e1394425b6 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 30 Jun 2021 16:16:50 -0700 Subject: [PATCH 14/23] Update reqs-md-app-guard.md Removed reference to Internet Explorer as a system requirement --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 0c9b491dc5..44f32cf759 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | -|Browser|Microsoft Edge and Internet Explorer| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 542eaaa383f9e87fcc1c2606bb8ffd70fcb8eb33 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 1 Jul 2021 16:14:08 +0530 Subject: [PATCH 15/23] typo correction as per user report #9766, so I corrected the word from **changed** to **cached** --- ...e-of-passwords-and-credentials-for-network-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index b22b8e05fe..18fe88ca82 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md 
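Review bot: The commit message of [PATCH 14/23] says only that Internet Explorer was removed as a requirement, but its @@ -40 hunk in reqs-md-app-guard.md also renames "WDAG" to "MDAG" in the Professional-editions note of the Operating system row; mention that rename in the message, or split it into its own commit, so the history explains both changes. The Browser row change to "|Browser|Microsoft Edge|" is consistent with the stated intent.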
@@ -92,7 +92,7 @@ Overwriting the administrator's password does not help the attacker access data Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting. -To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. +To limit the number of cached domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry. From 27d7a9cd02f932d40e6a5e722d6671092f8117e4 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Thu, 1 Jul 2021 18:01:38 +0530 Subject: [PATCH 16/23] Update windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
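Review bot: The "changed" to "cached" correction in the @@ -92 hunk of [PATCH 15/23] is right, but the sentence still names the **cachedlogonscount** registry entry without its location or value type, and the two sentences after it state the default twice ("ten most recent valid logons" and then "remember 10 cached logons"); suggest giving the registry path and type next to the entry name and collapsing the repeated default into one sentence, since a reader following this hardening step needs the exact value to edit.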
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 44f32cf759..18349a4197 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition, version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | |Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 6b4189fe304824b70c61b4681204524fb39eabd3 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Thu, 1 Jul 2021 08:24:35 -0700 Subject: [PATCH 17/23] Update reqs-md-app-guard.md --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 18349a4197..8bf5dfc2f6 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition, version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Operating system|Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | |Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 974b5a5b213a9aba86d1aae0b77b1efbb0ebdea9 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 1 Jul 2021 21:33:13 +0530 Subject: [PATCH 18/23] typo correction as per user report issue #9768, so I corrected **sevices** to **services** Also I confirmed this article applies to Windows 11 too --- .../applocker/configure-the-application-identity-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 610728b4d6..86e25cc2f6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md 
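Review bot: The @@ -40 hunk of [PATCH 17/23] replaces three different minimum versions (1709 for Enterprise, 1803 for the Professional editions, 1903 for Education) with a single "version 1805 or higher" for all five editions, and the commit message gives no source for the change. The value 1805 appears nowhere else in this series, and Windows 10 feature updates are named for their target year and month (1709, 1803, 1809, 1903, 1909, ...) with no 1805 release, so this looks like a typo rather than a requirements change; please restore the per-edition values unless documentation backs the new minimum.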
@@ -46,7 +46,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**. 3. Verify that the status for the Application Identity service is **Running**. -Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead: +Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Services snap-in. Try either of these methods instead: - Open an elevated command prompt or PowerShell session and type: From 0c5bca15f4e3f1a61081ba329beb61a8572808a6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:50:54 -0700 Subject: [PATCH 19/23] Update reqs-md-app-guard.md --- .../reqs-md-app-guard.md | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 8bf5dfc2f6..6c335a409f 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/11/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.custom: asr 
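Review bot: The commit message of [PATCH 18/23] says the article was also confirmed to apply to Windows 11, but the @@ -46 hunk only changes "Sevices" to "Services"; either include the applies-to change in the diff or drop that sentence from the message so the commit record matches its content. The typo fix itself is correct.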
@@ -25,21 +25,23 @@ The threat landscape is continually evolving. While hackers are busy developing > Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host. ## Hardware requirements -Your environment needs the following hardware to run Microsoft Defender Application Guard. -|Hardware|Description| +Your environment must have the following hardware to run Microsoft Defender Application Guard. + +| Hardware | Description | |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**-AND-**

One of the following virtualization extensions for VBS:

VT-x (Intel)

**-OR-**

AMD-V| -|Hardware memory|Microsoft requires a minimum of 8GB RAM| -|Hard disk|5 GB free space, solid state disk (SSD) recommended| -|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| +| 64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**AND**

One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V | +| Hardware memory | Microsoft requires a minimum of 8GB RAM | +| Hard disk | 5 GB free space, solid state disk (SSD) recommended | +| Input/Output Memory Management Unit (IOMMU) support| Not required, but strongly recommended | ## Software requirements -Your environment needs the following software to run Microsoft Defender Application Guard. -|Software|Description| + Your environment must have the following software to run Microsoft Defender Application Guard. + +| Software | Description | |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | -|Browser|Microsoft Edge| -|Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +| Operating system | Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Browser | Microsoft Edge | +| Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | From e34a92f88a10af53856b753b775b2bbca415266f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:52:41 -0700 Subject: [PATCH 20/23] Update configure-the-application-identity-service.md --- .../applocker/configure-the-application-identity-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 86e25cc2f6..83c7422028 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2018 +ms.date: 07/01/2021 ms.technology: mde --- From 24a79df6c5320bc8da53ba92af570b68a761d4db Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:53:39 -0700 Subject: [PATCH 21/23] Update network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md --- ...e-of-passwords-and-credentials-for-network-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 18fe88ca82..8cdbdc9908 100644 
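Review bot: In the @@ -25 hunk of reqs-md-app-guard.md in [PATCH 19/23], the new software-requirements sentence is added with a leading space ("+ Your environment must have the following software ..."), unlike the hardware sentence above it; drop the space so both render as plain paragraphs. In the same hunk, cell padding is inconsistent ("| 64-bit CPU|A 64-bit ..." next to "| Hardware memory | Microsoft ..."), "8GB RAM" should match "5 GB free space", the CPU row drops the blank lines around its AND/OR separators while the Management system row keeps them, and the Operating system row carries forward the "version 1805 or higher" values introduced in [PATCH 17/23], so whatever is decided there must be applied here as well.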
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 07/01/2021 ms.technology: mde --- From 7a6aac68889f4fc06748e6f110749369ee86acd2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:55:20 -0700 Subject: [PATCH 22/23] Update system-guard-secure-launch-and-smm-protection.md --- .../system-guard-secure-launch-and-smm-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 161f4fd5cc..093a5713c8 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 12/28/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.author: dansimp From 65a9dbe20edd26f69af0083803c10263abfce039 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 11:08:09 -0700 Subject: [PATCH 23/23] Update system-guard-secure-launch-and-smm-protection.md --- .../system-guard-secure-launch-and-smm-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 570641d7b7..12930a5921 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 12/28/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -38,7 +38,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM) 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. - ![Secure Launch Group Policy](images/secure-launch-group-policy.png) + ![Secure Launch Configuration](images/secure-launch-group-policy.png) ### Windows Security Center 
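Review bot: The @@ -8 hunk of [PATCH 23/23] on system-guard-secure-launch-and-smm-protection.md repeats the identical "-ms.date: 12/28/2020" / "+ms.date: 07/01/2021" change already made by [PATCH 22/23] on the same file, and its base blob (570641d7b7) is not the blob PATCH 22 produced (093a5713c8), so one of the two commits was built on a different parent; squash them or drop the duplicate hunk. The @@ -38 alt-text change to "Secure Launch Configuration" matches the setting name in the step above it and is fine.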
@@ -64,7 +64,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** > To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. -![Windows Security Center](images/secure-launch-msinfo.png) +![Verifying Secure Launch is running in the Windows Security Center](images/secure-launch-msinfo.png) > [!NOTE] > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
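Review bot: The new alt text in the @@ -64 hunk of [PATCH 23/23], "Verifying Secure Launch is running in the Windows Security Center", contradicts the paragraph it illustrates, which tells the reader to verify with System Information (MSInfo32) and look under **Virtualization-based Security Services Running**; the file name secure-launch-msinfo.png agrees with the paragraph, not the alt text. Suggest "System Information showing Secure Launch under Virtualization-based Security Services Running".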