Merge branch 'master' into repo_sync_working_branch

2025-05-14 22:37:22 +00:00 · 2020-09-28 14:10:36 -07:00 · 2020-09-28 14:10:36 -07:00 · c2fe36a737
commit c2fe36a737
parent 7ca3d5bcca 5ca7cc1902
9 changed files with 18 additions and 177 deletions
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@ -1557,13 +1557,13 @@ Additional lists:
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 </table>
--- a/windows/client-management/mdm/networkqospolicy-csp.md
+++ b/windows/client-management/mdm/networkqospolicy-csp.md
@ -25,7 +25,7 @@ The following actions are supported:
 - Layer 3 tagging using a differentiated services code point (DSCP) value
 > [!NOTE]
-> The NetworkQoSPolicy configuration service provider is supported only in Microsoft Surface Hub.
+> The NetworkQoSPolicy configuration service provider is officially supported for devices that are Intune managed and Azure AD joined. Currently, this CSP is not supported on Azure AD Hybrid joined devices and for devices using GPO and CSP at the same time. The minimum operating system requirement for this CSP is Windows 10, version 2004. This CSP is supported only in Microsoft Surface Hub prior to Window 10, version 2004.
 The following diagram shows the NetworkQoSPolicy configuration service provider in tree format.
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@ -1996,6 +1996,7 @@ How do I turn if off? | The service can be stopped from the "Services" console o
 ### September 2020
 |New or updated topic | Description|
 |--- | ---|
 |[NetworkQoSPolicy CSP](networkqospolicy-csp.md)|Updated support information of the NetworkQoSPolicy CSP.|
 |[Policy CSP - LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md)|Removed the following unsupported LocalPoliciesSecurityOptions policy settings from the documentation:<br>- RecoveryConsole_AllowAutomaticAdministrativeLogon <br>- DomainMember_DigitallyEncryptOrSignSecureChannelDataAlways<br>- DomainMember_DigitallyEncryptSecureChannelDataWhenPossible<br>- DomainMember_DisableMachineAccountPasswordChanges<br>- SystemObjects_RequireCaseInsensitivityForNonWindowsSubsystems<br>|
 ### August 2020
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -1014,9 +1014,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 ### ADMX_Sharing policies
 <dl>
  <dd>
    <a href="./policy-csp-admx-sharing.md#admx-sharing-disablehomegroup" id="admx-sharing-disablehomegroup">ADMX_Sharing/DisableHomeGroup</a>
  </dd>
  <dd>
    <a href="./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing" id="admx-sharing-noinplacesharing">ADMX_Sharing/NoInplaceSharing</a>
  </dd>
--- a/windows/client-management/mdm/policy-csp-admx-sharing.md
+++ b/windows/client-management/mdm/policy-csp-admx-sharing.md
@ -22,9 +22,6 @@ manager: dansimp
 ## ADMX_Sharing policies  
 <dl>
  <dd>
    <a href="#admx-sharing-disablehomegroup">ADMX_Sharing/DisableHomeGroup</a>
  </dd>
  <dd>
    <a href="#admx-sharing-noinplacesharing">ADMX_Sharing/NoInplaceSharing</a>
  </dd>
@ -32,80 +29,6 @@ manager: dansimp
 <hr/>
 <!--Policy-->
 <a href="" id="admx-sharing-disablehomegroup"></a>**ADMX_Sharing/DisableHomeGroup**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Available in Windows 10 Insider Preview Build 20185. This policy setting specifies whether users can add computers to a homegroup. By default, users can add their computer to a homegroup on a private network.
 If you enable this policy setting, users cannot add computers to a homegroup. This policy setting does not affect other network sharing features.
 If you disable or do not configure this policy setting, users can add computers to a homegroup. However, data on a domain-joined computer is not shared with the homegroup.
 This policy setting is not configured by default.
 You must restart the computer for this policy setting to take effect.
 <!--/Description-->
 > [!TIP]
 > This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md).
 > 
 > You must specify the data type in the SyncML as &lt;Format&gt;chr&lt;/Format&gt;. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy).
 > 
 > The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
 <!--ADMXBacked-->
 ADMX Info:  
 -   GP English name: *Prevent the computer from joining a homegroup*
 -   GP name: *DisableHomeGroup*
 -   GP path: *Windows Components\HomeGroup*
 -   GP ADMX file name: *Sharing.admx*
 <!--/ADMXBacked-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="admx-sharing-noinplacesharing"></a>**ADMX_Sharing/NoInplaceSharing**  
--- a/windows/client-management/mdm/policy-csps-admx-backed.md
+++ b/windows/client-management/mdm/policy-csps-admx-backed.md
@ -254,7 +254,6 @@ ms.date: 08/18/2020
 - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing)
 - [ADMX_SharedFolders/PublishDfsRoots](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishdfsroots)
 - [ADMX_SharedFolders/PublishSharedFolders](./policy-csp-admx-sharedfolders.md#admx-sharedfolders-publishsharedfolders)
 - [ADMX_Sharing/DisableHomeGroup](./policy-csp-admx-sharing.md#admx-sharing-disablehomegroup)
 - [ADMX_Sharing/NoInplaceSharing](./policy-csp-admx-sharing.md#admx-sharing-noinplacesharing)
 - [ADMX_ShellCommandPromptRegEditTools/DisableCMD](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disablecmd)
 - [ADMX_ShellCommandPromptRegEditTools/DisableRegedit](./policy-csp-admx-shellcommandpromptregedittools.md#admx-shellcommandpromptregedittools-disableregedit)
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@ -40,7 +40,7 @@ The following cmdlet will return each detection on the endpoint. If there are mu
 Get-MpThreatDetection
 ```
-![IMAGEALT](images/defender/wdav-get-mpthreatdetection.png)
+![screenshot of PowerShell cmdlets and outputs](images/defender/wdav-get-mpthreatdetection.png)
 You can specify `-ThreatID` to limit the output to only show the detections for a specific threat.
@ -50,7 +50,7 @@ If you want to list threat detections, but combine detections of the same threat
 Get-MpThreat
 ```
-![IMAGEALT](images/defender/wdav-get-mpthreat.png)
+![screenshot of PowerShell](images/defender/wdav-get-mpthreat.png)
 See [Use PowerShell cmdlets to configure and run Microsoft Defender Antivirus](use-powershell-cmdlets-microsoft-defender-antivirus.md) and [Defender cmdlets](https://technet.microsoft.com/itpro/powershell/windows/defender/index) for more information on how to use PowerShell with Microsoft Defender Antivirus.
--- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
@ -22,7 +22,8 @@ Answering frequently asked questions about Microsoft Defender Application Guard
 ## Frequently Asked Questions
-### Can I enable Application Guard on machines equipped with 4GB RAM?                                                                   |
+### Can I enable Application Guard on machines equipped with 4GB RAM?
 We recommend 8GB RAM for optimal performance but you may use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
 `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is 4 cores.)                                                   
@ -87,7 +88,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: `
 ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? 
-When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's standalone mode. However, when using Windows Enterprise you will have access to Application Guard's enterprise-managed mode. This mode has some extra features that the standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). 
+When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard). 
 ### Is there a size limit to the domain lists that I need to configure?
@ -95,88 +96,8 @@ Yes, both the enterprise resource domains hosted in the cloud and the domains ca
 ### Why does my encryption driver break Microsoft Defender Application Guard?
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work, and will result in an error message (*0x80070013 ERROR_WRITE_PROTECT*).  
+Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Microsoft Defender Application Guard will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`). 
 ### Why do the network isolation policies in Group Policy and CSP look different?
 There is not a one-to-one mapping among all the network isolation policies between CSP and GP. Mandatory network isolation policies to deploy WDAG are different between CSP and GP.
 Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources"
 Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
 For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
 Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (*0x80070013 ERROR_WRITE_PROTECT*). 
 ### Why did Application Guard stop working after I turned off hyperthreading?
-If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility that Microsoft Defender Application Guard no longer meets the minimum requirements. 
+If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. 
 ### Why am I getting the error message ("ERROR_VIRTUAL_DISK_LIMITATION")?
 Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. 
 ### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
 This is a known issue. To mitigate this you need to create two firewall rules.
 For guidance on how to create a firewall rule by using group policy, see:
 - [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
 - [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
 First rule (DHCP Server):
 1. Program path: `%SystemRoot%\System32\svchost.exe`
 2. Local Service: Sid:  `S-1-5-80-2009329905-444645132-2728249442-922493431-93864177`  (Internet Connection Service (SharedAccess))
 3. Protocol UDP
 4. Port 67
 Second rule (DHCP Client)
 This is the same as the first rule, but scoped to local port 68.
 In the Microsoft Defender Firewall user interface go through the following steps:
 1.	Right click on inbound rules, create a new rule.
 2.	Choose **custom rule**.
 3.	Program path: **%SystemRoot%\System32\svchost.exe**.
 4.	Protocol Type: UDP, Specific ports: 67, Remote port: any.
 5.	Any IP addresses.
 6.	Allow the connection.
 7.	All profiles.
 8.	The new rule should show up in the user interface. Right click on the **rule** > **properties**.
 9.	In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
 ### Why can I not launch Application Guard when Exploit Guard is enabled?
 There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to the **use default**.
 ### How can I have ICS in enabled state yet still use Application Guard?
 This is a two step process.
 Step 1:
 Enable Internet Connection sharing by changing the Group Policy setting **Prohibit use of Internet Connection Sharing on your DNS domain network.** This setting is part of the Microsoft security baseline. Change it from **Enabled** to **Disabled**.
 Step 2:
 1. Disable IpNat.sys from ICS load: 
 `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`.
 2. Configure ICS (SharedAccess) to enabled: 
 `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`.
 3. Disable IPNAT (Optional): 
 `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
 4. Restart the device.
 ### Why doesn't Application Guard work, even though it's enabled through Group Policy?
 Application Guard must meet all these prerequisites to be enabled in Enterprise mode: [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard). 
 To understand why it is not enabled in Enterprise mode, check the status of the evaluation to understand what's missing.
 For CSP (Intune) you can query the status node by using **Get**. This is described in the [Application Guard CSP](https://docs.microsoft.com/windows/client-management/mdm/windowsdefenderapplicationguard-csp). On this page, you will see the **status** node as well as the meaning of each bit.  If the status is not 63, you are missing a prerequisite.
 For Group Policy you need to look at the registry. See **Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP** Status. The meaning of each bit is the same as the CSP.
 ### I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this?
 WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps:
 1.	Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
 2.	Reboot the device.
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@ -43,8 +43,8 @@ Application Guard has been created to target several types of systems:
 ## Related articles
-|Article | Description |
+|Article |Description |
-|--------|-------------|
+|------|------------|
 |[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
 |[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
 |[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|