deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-28 16:53:40 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into AMoD-Remove-hyphen-adverb

Browse Source
This commit is contained in:
Angela Fleischmann
2022-09-14 16:23:04 -06:00
committed by GitHub
parent dbd5412fcc 5ebc3e52ce
commit c28aa48f6b
5 changed files with 24 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
education/windows/windows-11-se-overview.md
View File

@ -102,6 +102,7 @@ The following applications can also run on Windows 11 SE, and can be deployed us
| eTests | 4.0.25 | Win32 | CASAS | | eTests | 4.0.25 | Win32 | CASAS |
| FortiClient | 7.0.1.0083 | Win32 | Fortinet | | FortiClient | 7.0.1.0083 | Win32 | Fortinet |
| Free NaturalReader | 16.1.2 | Win32 | Natural Soft | | Free NaturalReader | 16.1.2 | Win32 | Natural Soft |
| Ghotit | 10.14.2.3 | Win32 | Ghotit Ltd |
| GoGuardian | 1.4.4 | Win32 | GoGuardian | | GoGuardian | 1.4.4 | Win32 | GoGuardian |
| Google Chrome | 102.0.5005.115 | Win32 | Google | | Google Chrome | 102.0.5005.115 | Win32 | Google |
| Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education | | Illuminate Lockdown Browser | 2.0.5 | Win32 | Illuminate Education |

4
windows/client-management/mdm/windowsdefenderapplicationguard-csp.md
View File

@ -322,10 +322,8 @@ Supported operation is Get.
- Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. - Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
- Bit 1 - Set to 1 when the client machine is Hyper-V capable. - Bit 1 - Set to 1 when the client machine is Hyper-V capable.
- Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. - Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
- Bit 3 - Set to 1 when Application Guard installed on the client machine. - Bit 3 - Set to 1 when Application Guard is installed on the client machine.
- Bit 4 - Set to 1 when required Network Isolation Policies are configured. - Bit 4 - Set to 1 when required Network Isolation Policies are configured.
> [!IMPORTANT]
> If you are deploying Application Guard via Intune, Network Isolation Policy must be configured to enable Application Guard for Microsoft Edge.
- Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. - Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
- Bit 6 - Set to 1 when system reboot is required. - Bit 6 - Set to 1 when system reboot is required.

19
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
View File

@ -1,18 +1,15 @@
--- ---
title: System requirements for Microsoft Defender Application Guard title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: m365-security ms.prod: windows-client
ms.mktglfcycl: manage ms.technology: itpro-security
ms.sitesec: library ms.topic: overview
ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
author: denisebmsft author: vinaypamnani-msft
ms.author: deniseb ms.author: vinpa
ms.date: 08/25/2022 ms.date: 08/25/2022
ms.reviewer: ms.reviewer: sazankha
manager: dansimp manager: aaroncz
ms.custom: asr
ms.technology: windows-sec
--- ---
# System requirements for Microsoft Defender Application Guard # System requirements for Microsoft Defender Application Guard
@ -48,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description | | Software | Description |
|--------|-----------| |--------|-----------|
| Operating system | Windows 10 Enterprise edition, version 1809 or higher <br/> Windows 10 Professional edition, version 1809 or higher <br/> Windows 10 Professional for Workstations edition, version 1809 or higher <br/> Windows 10 Professional Education edition, version 1809 or higher <br/> Windows 10 Education edition, version 1809 or higher <br/> Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions. <br/> Windows 11 Education, Enterprise, and Professional | | Operating system | Windows 10 Enterprise edition, version 1809 or later <br/> Windows 10 Professional edition, version 1809 or later <br/> Windows 10 Professional for Workstations edition, version 1809 or later <br/> Windows 10 Professional Education edition, version 1809 or later <br/> Windows 10 Education edition, version 1809 or later <br/> Windows 11 Education, Enterprise, and Professional editions |
| Browser | Microsoft Edge | | Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | | Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Endpoint Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. |

2
windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
View File

@ -31,7 +31,7 @@ ms.technology: windows-sec
## Using fsutil to query SmartLocker EA ## Using fsutil to query SmartLocker EA
Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the EAs on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events. Customers using Windows Defender Application Control (WDAC) with Managed Installer (MI) or Intelligent Security Graph (ISG) enabled can use fsutil to determine whether a file was allowed to run by one of these features. This verification can be done by querying the Extended Attributes (EAs) on a file using fsutil and looking for the KERNEL.SMARTLOCKER.ORIGINCLAIM EA. The presence of this EA indicates that either MI or ISG allowed the file to run. This EA's presence can be used in conjunction with enabling the MI and ISG logging events.
**Example:** **Example:**

27
windows/security/threat-protection/windows-defender-application-control/deployment/deploy-windows-defender-application-control-policies-using-intune.md
View File

@ -1,21 +1,16 @@
--- ---
title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows) title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows)
description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide. description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
keywords: security, malware ms.prod: windows-client
ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.technology: itpro-security
ms.prod: m365-security
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium ms.localizationpriority: medium
audience: ITPro
ms.collection: M365-security-compliance ms.collection: M365-security-compliance
author: jsuther1974 author: jsuther1974
ms.reviewer: isbrahm ms.reviewer: isbrahm
ms.author: dansimp ms.author: vinpa
manager: dansimp manager: aaroncz
ms.date: 06/27/2022 ms.date: 06/27/2022
ms.technology: windows-sec ms.topic: how-to
--- ---
# Deploy WDAC policies using Mobile Device Management (MDM) # Deploy WDAC policies using Mobile Device Management (MDM)
@ -61,13 +56,13 @@ The steps to use Intune's custom OMA-URI functionality are:
1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>` 1. Know a generated policy's GUID, which can be found in the policy xml as `<PolicyID>`
2. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. 2. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 3. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: 4. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy - **OMA-URI**: `./Vendor/MSFT/ApplicationControl/Policies/_Policy GUID_/Policy`
- **Data type**: Base64 - **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf. - **Certificate file**: upload your binary format policy file. You don't need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
> [!div class="mx-imgBorder"] > [!div class="mx-imgBorder"]
@ -86,13 +81,13 @@ Upon deletion, policies deployed through Intune via the ApplicationControl CSP a
The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are: The steps to use Intune's Custom OMA-URI functionality to apply the [AppLocker CSP](/windows/client-management/mdm/applocker-csp) and deploy a custom WDAC policy to pre-1903 systems are:
1. Convert the policy XML to binary format using the ConvertFrom-CIPolicy cmdlet in order to be deployed. The binary policy may be signed or unsigned. 1. Convert the policy XML to binary format using the [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) cmdlet in order to be deployed. The binary policy may be signed or unsigned.
2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10). 2. Open the Microsoft Intune portal and [create a profile with custom settings](/mem/intune/configuration/custom-settings-windows-10).
3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings: 3. Specify a **Name** and **Description** and use the following values for the remaining custom OMA-URI settings:
- **OMA-URI**: ./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy) - **OMA-URI**: `./Vendor/MSFT/AppLocker/ApplicationLaunchRestrictions/_Grouping_/CodeIntegrity/Policy`
- **Data type**: Base64 - **Data type**: Base64 (file)
- **Certificate file**: upload your binary format policy file - **Certificate file**: upload your binary format policy file
> [!NOTE] > [!NOTE]