From 5230f6b114a9818f522d26a8b5e41eb6072b0e51 Mon Sep 17 00:00:00 2001 From: Justinha Date: Tue, 4 Apr 2017 22:05:11 -0700 Subject: [PATCH 01/14] added overview of threat mitigations and links --- windows/keep-secure/TOC.md | 1 + ...ange-history-for-keep-windows-10-secure.md | 1 + ...tions-for-app-related-security-policies.md | 6 +- ...iew-of-threat-mitigations-in-windows-10.md | 405 ++++++++++++++++++ 4 files changed, 410 insertions(+), 3 deletions(-) create mode 100644 windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md diff --git a/windows/keep-secure/TOC.md b/windows/keep-secure/TOC.md index f0c4a89cb2..a6e97434bf 100644 --- a/windows/keep-secure/TOC.md +++ b/windows/keep-secure/TOC.md @@ -21,6 +21,7 @@ #### [Deploy code integrity policies: steps](deploy-code-integrity-policies-steps.md) #### [Deploy catalog files to support code integrity policies](deploy-catalog-files-to-support-code-integrity-policies.md) ### [Deploy Device Guard: enable virtualization-based security](deploy-device-guard-enable-virtualization-based-security.md) +## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) ## [Protect derived domain credentials with Credential Guard](credential-guard.md) ### [How Credential Guard works](credential-guard-how-it-works.md) ### [Credential Guard Requirements](credential-guard-requirements.md) diff --git a/windows/keep-secure/change-history-for-keep-windows-10-secure.md b/windows/keep-secure/change-history-for-keep-windows-10-secure.md index 050d58019e..fed80ea5b7 100644 --- a/windows/keep-secure/change-history-for-keep-windows-10-secure.md +++ b/windows/keep-secure/change-history-for-keep-windows-10-secure.md 
@@ -25,6 +25,7 @@ This topic lists new and updated topics in the [Keep Windows 10 secure](index.md |[Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md)|New | |[Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen-available-settings.md)|New | |[Use Windows Defender Security Center to set Windows Defender SmartScreen for individual devices](windows-defender-smartscreen-set-individual-device.md)|New | +|[Overview of threat mitigations in Windows 10](overview-of-threat-mitigations-in-windows-10.md) | Reorganized from existing content, to provide a better overview of threat mitigations. Explains how mitigations in the Enhanced Mitigation Experience Toolkit (EMET) relate to those in Windows 10. | ## January 2017 |New or changed topic |Description | diff --git a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md index 68ad8780c0..e207ba506e 100644 --- a/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/keep-secure/override-mitigation-options-for-app-related-security-policies.md 
@@ -24,11 +24,11 @@ Windows 10 includes Group Policy-configurable “Process Mitigation Options” t The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are: -- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. +- **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention). -- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. +- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. 
For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). -- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. +- **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`. The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings. diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md new file mode 100644 index 0000000000..a2adb3c766 --- /dev/null +++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md 
@@ -0,0 +1,405 @@ +--- +title: Mitigate threats by using Windows 10 security features (Windows 10) +description: This topic provides an overview of software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +localizationpriority: high +author: justinha +--- + +# Mitigate threats by using Windows 10 security features + +**Applies to:** +- Windows 10 + +This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft, see [Related topics](#related-topics). + +| **Section** | **Contents** | +|--------------|-------------------------| +| [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. | +| [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | +| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. 
| +| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | If you've used the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/en-us/kb/2458544), this section describes how the mitigations in EMET correspond to features built into Windows 10. It also describes how to convert an XML settings file created in EMET into mitigation policies for Windows 10. | + +This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration: + +Types of defenses in Windows 10 + +*Figure 1.  Device protection and threat resistance as part of the Windows 10 security defenses* + +## The security threat landscape + +Today’s security threat landscape is one of aggressive and tenacious threats. In previous years, malicious attackers mostly focused on gaining community recognition through their attacks or the thrill of of temporarily taking a system offline. Since then, attacker’s motives have shifted toward making money, including holding devices and data hostage until the owner pays the demanded ransom. Modern attacks increasingly focus on large-scale intellectual property theft; targeted system degradation that can result in financial loss; and now even cyberterrorism that threatens the security of individuals, businesses, and national interests all over the world. These attackers are typically highly trained individuals and security experts, some of whom are in the employ of nation states that have large budgets and seemingly unlimited human resources. Threats like these require an approach that can meet this challenge. 
+ +In recognition of this landscape, Windows 10 Creator's Update (Windows 10, version 1703) includes multiple security features that were created to make it difficult (and costly) to find and exploit many software vulnerabilities. These features are designed to: + +- Eliminate entire classes of vulnerabilities + +- Break exploitation techniques + +- Contain the damage and prevent persistence + +- Limit the window of opportunity to exploit + +The following sections provide more detail about security mitigations in Windows 10, version 1703. + +## Windows 10 mitigations that you can configure + +Windows 10 mitigations that you can configure are listed in the following two tables. The first table covers a wide array of protections for devices and users across the enterprise and the second table drills down into specific memory protections such as Data Execution Prevention. Memory protection options provide specific mitigations against malware that attempts to manipulate memory in order to gain control of a system. + +**Table 1  Windows 10 mitigations that you can configure** + +| Mitigation and corresponding threat | Description and links | +|---|---| +| **Windows Defender SmartScreen**
helps prevent
malicious applications
from being downloaded | Windows Defender SmartScreen can check the reputation of a downloaded application by using a service that Microsoft maintains. The first time a user runs an app that originates from the Internet (even if the user copied it from another PC), SmartScreen checks to see if the app lacks a reputation or is known to be malicious, and responds accordingly.

**More information**: [Windows Defender SmartScreen](#windows-defender-smartscreen), later in this topic | +| **Credential Guard**
helps keep attackers
from gaining access through
Pass-the-Hash or
Pass-the-Ticket attacks | Credential Guard uses virtualization-based security to isolate secrets, such as NTLM password hashes and Kerberos Ticket Granting Tickets, so that only privileged system software can access them.
Credential Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Protect derived domain credentials with Credential Guard](credential-guard.md) | +| **Enterprise certificate pinning**
helps prevent
man-in-the-middle attacks
that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

**More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) | +| **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | +| **Windows Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

**More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | +| **Blocking of untrusted fonts**
helps prevent fonts
from being used in
elevation-of-privilege attacks | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

**More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | +| **Memory protections**
help prevent malware
from using memory manipulation
techniques such as buffer
overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

**More information**: [Table 2](#table-2), later in this topic | +| **UEFI Secure Boot**
helps protect
the platform from
bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

**More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot) | +| **Early Launch Antimalware (ELAM)**
helps protect
the platform from
rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

**More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) | +| **Device Health Attestation**
helps prevent
compromised devices from
accessing an organization’s
assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device’s actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

**More information**: [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) and [Device Health Attestation](https://technet.microsoft.com/windows-server-docs/security/device-health-attestation) | + +Configurable Windows 10 mitigations designed to help protect against memory manipulation require in-depth understanding of these threats and mitigations and knowledge about how the operating system and applications handle memory. The standard process for maximizing these types of mitigations is to work in a test lab to discover whether a given setting interferes with any applications that you use so that you can deploy settings that maximize protection while still allowing apps to run correctly. + +As an IT professional, you can ask application developers and software vendors to deliver applications that include an additional protection called Control Flow Guard (CFG). No configuration is needed in the operating system—the protection is compiled into applications. More information can be found in [Control Flow Guard](#control-flow-guard). + +### Table 2  Configurable Windows 10 mitigations designed to help protect against memory exploits + +| Mitigation and corresponding threat | Description | +|---|---| +| **Data Execution Prevention (DEP)**
helps prevent
exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, the vast majority of applications do not.
**More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.

**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure additional DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **SEHOP**
helps prevent
overwrites of the
Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
**More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure additional SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **ASLR**
helps mitigate malware
attacks based on
expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This helps mitigate malware that's designed to attack specific memory locations, where specific DLLs are expected to be loaded.
**More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.

**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure additional ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | + +### Windows Defender SmartScreen + +Windows Defender SmartScreen notifies users if they click on reported phishing and malware websites, and helps protect them against unsafe downloads or make informed decisions about downloads. + +For Windows 10, Microsoft improved SmartScreen (now called Windows Defender SmartScreen) protection capability by integrating its app reputation abilities into the operating system itself, which allows SmartScreen to check the reputation of files downloaded from the Internet and warn users when they’re about to run a high-risk downloaded file. The first time a user runs an app that originates from the Internet, SmartScreen checks the reputation of the application by using digital signatures and other factors against a service that Microsoft maintains. If the app lacks a reputation or is known to be malicious, SmartScreen warns the user or blocks execution entirely, depending on how the administrator has configured Microsoft Intune or Group Policy settings. + +For more information, see [Windows Defender SmartScreen overview](windows-defender-smartscreen-overview.md). + +### Windows Defender Antivirus + +Windows Defender Antivirus in Windows 10 uses a multi-pronged approach to improve antimalware: + +- **Cloud-delivered protection** helps detect and block new malware within seconds, even if the malware has never been seen before. The service, available as of Windows 10, version 1703, uses distributed resources and machine learning to deliver protection to endpoints at a rate that is far faster than traditional signature updates. + +- **Rich local context** improves how malware is identified. 
Windows 10 informs Windows Defender Antivirus not only about content like files and processes but also where the content came from, where it has been stored, and more. The information about source and history enables Windows Defender Antivirus to apply different levels of scrutiny to different content. + +- **Extensive global sensors** help keep Windows Defender Antivirus current and aware of even the newest malware. This is accomplished in two ways: by collecting the rich local context data from end points and by centrally analyzing that data. + +- **Tamper proofing** helps guard Windows Defender Antivirus itself against malware attacks. For example, Windows Defender Antivirus uses Protected Processes, which prevents untrusted processes from attempting to tamper with Windows Defender Antivirus components, its registry keys, and so on. ([Protected Processes](#protected-processes) is described later in this topic.) + +- **Enterprise-level features** give IT pros the tools and configuration options necessary to make Windows Defender Antivirus an enterprise-class antimalware solution. + + + +For more information, see [Windows Defender in Windows 10](windows-defender-in-windows-10.md) and [Windows Defender Overview for Windows Server](https://technet.microsoft.com/windows-server-docs/security/windows-defender/windows-defender-overview-windows-server). + +For information about Windows Defender Advanced Threat Protection, a service that helps enterprises to detect, investigate, and respond to advanced and targeted attacks on their networks, see [Windows Defender Advanced Threat Protection (ATP)](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) (resources) and [Windows Defender Advanced Threat Protection (ATP)](https://technet.microsoft.com/itpro/windows/keep-secure/windows-defender-advanced-threat-protection) (documentation). 
+ +### Data Execution Prevention + +Malware depends on its ability to insert a malicious payload into memory with the hope that it will be executed later. Wouldn’t it be great if you could prevent malware from running if it wrote to an area that has been allocated solely for the storage of information? + +Data Execution Prevention (DEP) does exactly that, by substantially reducing the range of memory that malicious code can use for its benefit. DEP uses the No eXecute bit on modern CPUs to mark blocks of memory as read-only so that those blocks can’t be used to execute malicious code that may be inserted by means of a vulnerability exploit. + +**To use Task Manager to see apps that use DEP** + +1. Open Task Manager: Press Ctrl+Alt+Del and select **Task Manager**, or search the Start screen. + +2. Click **More Details** (if necessary), and then click the **Details** tab. + +3. Right-click any column heading, and then click **Select Columns**. + +4. In the **Select Columns** dialog box, select the last **Data Execution Prevention** check box. + +5. Click **OK**. + +You can now see which processes have DEP enabled. + + + +![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png) + +*Figure 2.  Processes on which DEP has been enabled in Windows 10* + +You can use Control Panel to view or change DEP settings. + +#### To use Control Panel to view or change DEP settings on an individual PC + +1. Open Control Panel, System: click Start, type **Control Panel System**, and press ENTER. + +2. Click **Advanced system settings**, and then click the **Advanced** tab. + +3. In the **Performance** box, click **Settings**. + +4. In **Performance Options**, click the **Data Execution Prevention** tab. + +5. Select an option: + + - **Turn on DEP for essential Windows programs and services only** + + - **Turn on DEP for all programs and services except those I select**. 
If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. + +#### To use Group Policy to control DEP settings + +You can use the Group Policy setting called **Process Mitigation Options** to control DEP settings. A few applications have compatibility problems with DEP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). + +### Structured Exception Handling Overwrite Protection + +Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handler](https://msdn.microsoft.com/library/windows/desktop/ms680657(v=vs.85).aspx) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. + +You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). + +### Address Space Layout Randomization + +One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. 
Any malware that could write directly to the system memory could simply overwrite it in well-known and predictable locations. + +Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. + +![ASLR at work](images/security-fig4-aslr.png) + +**Figure 3.  ASLR at work** + +Windows 10 applies ASLR holistically across the system and increases the level of entropy many times compared with previous versions of Windows to combat sophisticated attacks such as heap spraying. 64-bit system and application processes can take advantage of a vastly increased memory space, which makes it even more difficult for malware to predict where Windows 10 stores vital data. When used on systems that have TPMs, ASLR memory randomization will be increasingly unique across devices, which makes it even more difficult for a successful exploit that works on one system to work reliably on another. + +You can use the Group Policy setting called **Process Mitigation Options** to control ASLR settings (“Force ASLR” and “Bottom-up ASLR”), as described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). + +## Mitigations that are built in to Windows 10 + +Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. 
+ +Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require that an application developer configure the mitigation into the application when it’s compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. + +### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed + +| Mitigation and corresponding threat | Description | +|---|---| +| **SMB hardening for SYSVOL and NETLOGON shares**
helps mitigate
man-in-the-middle attacks | Client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers now require SMB signing and mutual authentication (such as Kerberos).

**More information**: [SMB hardening improvements for SYSVOL and NETLOGON shares](#smb-hardening-improvements-for-sysvol-and-netlogon-shares), later in this topic. | +| **Protected Processes**
help prevent one process
from tampering with another
process | With the Protected Processes feature, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed.

**More information**: [Protected Processes](#protected-processes), later in this topic. | +| **Universal Windows apps protections**
screen downloadable
apps and run them in
an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | +| **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures which help protect against corruption of memory used by the heap.

**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | +| **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | +| **Control Flow Guard**
helps mitigate exploits
that are based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it’s compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker’s attempt to change the intended flow of code. If this occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | +| **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer-11), later in this topic. | + +### SMB hardening improvements for SYSVOL and NETLOGON shares + +In Windows 10 and Windows Server 2016, client connections to the Active Directory Domain Services default SYSVOL and NETLOGON shares on domain controllers require Server Message Block (SMB) signing and mutual authentication (such as Kerberos). This reduces the likelihood of man-in-the-middle attacks. If SMB signing and mutual authentication are unavailable, a computer running Windows 10 or Windows Server 2016 won’t process domain-based Group Policy and scripts. + +> [!NOTE] +> The registry values for these settings aren’t present by default, but the hardening rules still apply until overridden by Group Policy or other registry values. For more information on these security improvements, (also referred to as UNC hardening), see [Microsoft Knowledge Base article 3000483](https://support.microsoft.com/en-us/help/3000483/ms15-011-vulnerability-in-group-policy-could-allow-remote-code-execution-february-10,-2015) and [MS15-011 & MS15-014: Hardening Group Policy](https://blogs.technet.microsoft.com/srd/2015/02/10/ms15-011-ms15-014-hardening-group-policy/). + +### Protected Processes + +Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on any malware that might be running. Protected Processes creates limits of this type. + +With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. 
Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. + +### Universal Windows apps protections + +When users download Universal Windows apps from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. + +Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. + +In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. 
+ +### Windows heap protections + +The *heap* is a location in memory that Windows uses to store dynamic application data. Windows 10 continues to improve on earlier Windows heap designs by further mitigating the risk of heap exploits that could be used as part of an attack. + +Windows 10 has several important improvements to the security of the heap: + +- **Heap metadata hardening** for internal data structures that the heap uses, to improve protections against memory corruption. + +- **Heap allocation randomization**, that is, the use of randomized locations and sizes for heap memory allocations, which makes it more difficult for an attacker to predict the location of critical memory to overwrite. Specifically, Windows 10 adds a random offset to the address of a newly allocated heap, which makes the allocation much less predictable. + +- **Heap guard pages** before and after blocks of memory, which work as tripwires. If an attacker attempts to write past a block of memory (a common technique known as a buffer overflow), the attacker will have to overwrite a guard page. Any attempt to modify a guard page is considered a memory corruption, and Windows 10 responds by instantly terminating the app. + +### Kernel pool protections + +The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory (“nonpaged pool”) and one that can be paged in and out of physical memory (“paged pool”). There are many types of attacks that have been attempted against these pools, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 has multiple “pool hardening” protections, such as integrity checks, that help protect the kernel pool against such attacks. 
+ +In addition to pool hardening, Windows 10 includes other kernel hardening features: + +- **Kernel DEP** and **Kernel ASLR**: Follow the same principles as [Data Execution Prevention](#data-execution-prevention) and [Address Space Layout Randomization](#address-space-layout-randomization), described earlier in this topic. + +- **Font parsing in AppContainer:** Isolates font parsing in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx). + +- **Disabling of NT Virtual DOS Machine (NTVDM)**: The old NTVDM kernel module (for running 16-bit applications) is disabled by default, which neutralizes the associated vulnerabilities. (Enabling NTVDM decreases protection against Null dereference and other exploits.) + +- **Supervisor Mode Execution Prevention (SMEP)**: Helps prevent the kernel (the “supervisor”) from executing code in user pages, a common technique used by attackers for local kernel elevation of privilege (EOP). This requires processor support found in Intel Ivy Bridge or later processors, or ARM with PXN support. + +- **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the “FastFail” mechanism to enable rapid and safe process termination. + +- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This makes it more difficult for malware to use techniques such as “NULL dereference” to overwrite critical system data structures in memory. + +### Control Flow Guard + +When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls additional code located in other memory addresses. 
The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the opportunity to change the flow to meet their needs. + +This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk. + +An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](https://msdn.microsoft.com/library/windows/desktop/mt637065(v=vs.85).aspx). + +Of course, browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG. + +### Microsoft Edge and Internet Explorer 11 + +Browser security is a critical component of any security strategy, and for good reason: the browser is the user’s interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are completely reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. + +All browsers enable some amount of extensibility to do things beyond the original scope of the browser. 
Two common examples of this are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. + +Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially: + +- **Smaller attack surface; no support for non-Microsoft binary extensions**. Multiple browser components with vulnerable attack surfaces have been removed from Microsoft Edge. Components that have been removed include legacy document modes and script engines, Browser Helper Objects (BHOs), ActiveX controls, and Java. However, Microsoft Edge supports Flash content and PDF viewing by default through built-in extensions. + +- **Runs 64-bit processes.** A 64-bit PC running an older version of Windows often runs in 32-bit compatibility mode to support older and less secure extensions. When Microsoft Edge runs on a 64-bit PC, it runs only 64-bit processes, which are much more secure against exploits. + +- **Includes Memory Garbage Collection (MemGC)**. This helps protect against use-after-free (UAF) issues. + +- **Designed as a Universal Windows app.** Microsoft Edge is inherently compartmentalized and runs in an AppContainer that sandboxes the browser from the system, data, and other apps. IE11 on Windows 10 can also take advantage of the same AppContainer technology through Enhanced Protect Mode. However, because IE11 can run ActiveX and BHOs, the browser and sandbox are susceptible to a much broader range of attacks than Microsoft Edge. + +- **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, which makes it more secure by default. 
+ +In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. It should not be configured as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. + +For sites that require IE11 compatibility, including those that require binary extensions and plug ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. + +### Functions that software vendors can use to build mitigations into apps + +Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you are working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps. + +> [!NOTE] +> Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic. + +### Table 4   Functions available to developers for building mitigations into apps + +| Mitigation | Function | +|-------------|-----------| +| LoadLib image loading restrictions | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_IMAGE\_LOAD\_NO\_REMOTE\_ALWAYS\_ON\] | +| MemProt dynamic code restriction | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_PROHIBIT\_DYNAMIC\_CODE\_ALWAYS\_ON\] | +| Child Process Restriction to restrict the ability to create child processes | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROC\_THREAD\_ATTRIBUTE\_CHILD\_PROCESS\_POLICY\] | +| Code Integrity Restriction to restrict image loading | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)
\[ProcessSignaturePolicy\] | +| Win32k System Call Disable Restriction to restrict ability to use NTUser and GDI | [SetProcessMitigationPolicy function](https://msdn.microsoft.com/en-us/library/windows/desktop/hh769088(v=vs.85).aspx)
\[ProcessSystemCallDisablePolicy\] | +| High Entropy ASLR for up to 1TB of variance in memory allocations | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HIGH\_ENTROPY\_ASLR\_ALWAYS\_ON\] | +| Strict handle checks to raise immediate exception upon bad handle reference | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_STRICT\_HANDLE\_CHECKS\_ALWAYS\_ON\] | +| Extension point disable to block the use of certain third-party extension points | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_EXTENSION\_POINT\_DISABLE\_ALWAYS\_ON\] | +| Heap terminate on corruption to protect the system against a corrupted heap | [UpdateProcThreadAttribute function](https://msdn.microsoft.com/en-us/library/windows/desktop/ms686880(v=vs.85).aspx)
\[PROCESS\_CREATION\_MITIGATION\_POLICY\_HEAP\_TERMINATE\_ALWAYS\_ON\] | + +## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit + +You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544), which has since 2009 offered a variety of exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those in Windows 10. Many of EMET’s mitigations have been built into Windows 10, some with additional improvements. However, some EMET mitigations carry high performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. + +Because many of EMET’s mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly those assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://technet.microsoft.com/security/jj653751)). + +The following table lists EMET features in relation to Windows 10 features. + +### Table 5   EMET features in relation to Windows 10 features + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Specific EMET featuresHow these EMET features map
+to Windows 10 features
    +
  • DEP

  • +
  • SEHOP

  • +
  • ASLR (Force ASLR, Bottom-up ASLR)

  • +

DEP, SEHOP and ASLR are included in Windows 10 as configurable features. See Table 2, earlier in this topic.

+

You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.

    +
  • Load Library Check (LoadLib)

  • +
  • Memory Protection Check (MemProt)

  • +
LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic.
    +
  • Null Page

  • +
Mitigations for this threat are built into Windows 10, as described in the “Memory reservations” item in Kernel pool protections, earlier in this topic.
    +
  • Heap Spray

  • +
  • EAF

  • +
  • EAF+

  • +
Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.
    +
  • Caller Check

  • +
  • Simulate Execution Flow

  • +
  • Stack Pivot

  • +
  • Deep Hooks (an ROP “Advanced Mitigation”)

  • +
  • Anti Detours (an ROP “Advanced Mitigation”)

  • +
  • Banned Functions (an ROP “Advanced Mitigation”)

  • +
Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in Control Flow Guard, earlier in this topic.
+ +### Converting an EMET XML settings file into Windows 10 mitigation policies + +One of EMET’s strengths is that it allows you to import and export configuration settings for EMET mitigations as an XML settings file for straightforward deployment. To generate mitigation policies for Windows 10 from an EMET XML settings file, you can install the ProcessMitigations PowerShell module. In an elevated PowerShell session, run this cmdlet: + +```powershell +Install-Module -Name ProcessMitigations +``` + +The ConvertTo-ProcessMitigationPolicy cmdlet can: + +- **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. For example: + + ```powershell + ConvertTo-ProcessMitigationPolicy -EMETfile emetpolicy.xml -output newconfiguration.xml + ``` + +- **Audit and modify the converted settings (the output file)**: Additional cmdlets let you apply, enumerate, enable, disable, and save settings in the output file. For example, this cmdlet enables SEHOP and disables MandatoryASLR and DEPATL registry settings for Notepad: + + ```powershell + Set-ProcessMitigation -Name notepad.exe -Enable SEHOP -Disable MandatoryASLR,DEPATL + ``` + +- **Convert Attack Surface Reduction (ASR) settings to a Code Integrity policy file**: If the input file contains any settings for EMET’s Attack Surface Reduction (ASR) mitigation, the converter will also create a Code Integrity policy file. In this case, you can complete the merging, auditing, and deployment process for the Code Integrity policy, as described in [Deploy Device Guard: deploy code integrity policies](deploy-device-guard-deploy-code-integrity-policies.md). This will enable protections on Windows 10 equivalent to EMET’s ASR protections. 
+ +- **Convert Certificate Trust settings to enterprise certificate pinning rules**: If you have an EMET “Certificate Trust” XML file (pinning rules file), you can also use ConvertTo-ProcessMitigationPolicy to convert the pinning rules file into an enterprise certificate pinning rules file. Then you can finish enabling that file as described in [Enterprise Certificate Pinning](enterprise-certificate-pinning.md). For example: + + ```powershell + ConvertTo-ProcessMitigationPolicy -EMETfile certtrustrules.xml -output enterprisecertpinningrules.xml + ``` + +#### EMET-related products + +Microsoft Consulting Services (MCS) and Microsoft Support/Premier Field Engineering (PFE) offer a range of options for EMET, support for EMET, and EMET-related reporting and auditing products such as the EMET Enterprise Reporting Service (ERS). For any enterprise customers who use such products today or who are interested in similar capabilities, we recommend evaluating [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md) (ATP). + +## Related topics + +- [Keep Windows 10 secure](index.md) +- [Security technologies in Windows 10](security-technologies.md) +- [Security and Assurance in Windows Server 2016](https://technet.microsoft.com/windows-server-docs/security/security-and-assurance) +- [Windows Defender Advanced Threat Protection (ATP) - resources](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp) +- [Windows Defender Advanced Threat Protection (ATP) - documentation](windows-defender-advanced-threat-protection.md) +- [Exchange Online Advanced Threat Protection Service Description](https://technet.microsoft.com/library/exchange-online-advanced-threat-protection-service-description.aspx) +- [Office 365 Advanced Threat Protection](https://products.office.com/en-us/exchange/online-email-threat-protection) +- [Microsoft Malware Protection Center](https://www.microsoft.com/en-us/security/portal/mmpc/default.aspx) + + 
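Review bot: In the Kernel pool protections paragraph of the new file, the list introduced as "many types of attacks that have been attempted against these pools" actually names hardening mechanisms, not attacks: process quota pointer encoding, lookaside/delay free/pool page cookies, and PoolIndex bounds checks are the protections themselves. Suggest moving them into the following sentence, e.g. `Windows 10 has multiple "pool hardening" protections, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; PoolIndex bounds checks; and integrity checks, that help protect the kernel pool against such attacks.` Two smaller points: Table 5's cross-references ("See Table 2, earlier in this topic", "as described in Control Flow Guard, earlier in this topic") are plain text while Table 3 links the same kind of target with in-page anchors, so consider linking them the same way; and the `ConvertTo-ProcessMitigationPolicy` examples use `-EMETfile` and `-output`, which the surrounding text never defines, so please check them against the module's own Get-Help output before publication.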
From f39dbecf3a276790e1cf2232da72ac0ea780541a Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 5 Apr 2017 11:48:21 -0700 Subject: [PATCH 02/14] revised description of EMET --- .../keep-secure/overview-of-threat-mitigations-in-windows-10.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md index a2adb3c766..9dba460da4 100644 --- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md 
@@ -21,7 +21,7 @@ This topic provides an overview of some of the software and firmware threats fac | [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. | | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | | [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. | -| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | If you've used the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/en-us/kb/2458544), this section describes how the mitigations in EMET correspond to features built into Windows 10. It also describes how to convert an XML settings file created in EMET into mitigation policies for Windows 10. | +| [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/kb/2458544) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. 
| This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration: From 02644e51ce2d146643ae2f872a2239b32a26de99 Mon Sep 17 00:00:00 2001 From: John Tobin Date: Wed, 5 Apr 2017 14:28:46 -0700 Subject: [PATCH 03/14] Folded headings --- .../credential-guard-not-protected-scenarios.md | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) diff --git a/windows/keep-secure/credential-guard-not-protected-scenarios.md b/windows/keep-secure/credential-guard-not-protected-scenarios.md index f2c4d556e7..a62da81098 100644 --- a/windows/keep-secure/credential-guard-not-protected-scenarios.md +++ b/windows/keep-secure/credential-guard-not-protected-scenarios.md 
@@ -29,13 +29,9 @@ Some ways to store credentials are not protected by Credential Guard, including: - Third-party security packages - Digest and CredSSP credentials - When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols. -- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well. - ->[!NOTE] -When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. - ->[!NOTE] -Windows logon cached password verifiers (commonly called "cached credentials") +- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.- +- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host. +- Windows logon cached password verifiers (commonly called "cached credentials") do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. 
These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available. ## Additional mitigations From ffb0e17bc7315eec95576c9bcdb97b790cad303b Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 5 Apr 2017 14:37:13 -0700 Subject: [PATCH 04/14] added user consent info to wipfb --- .../images/waas-wipfb-aad-classicaad.png | Bin 0 -> 1382 bytes .../images/waas-wipfb-aad-classicenable.png | Bin 0 -> 4610 bytes .../update/images/waas-wipfb-aad-consent.png | Bin 0 -> 11236 bytes .../update/images/waas-wipfb-aad-error.png | Bin 0 -> 10409 bytes .../update/images/waas-wipfb-aad-newaad.png | Bin 0 -> 1486 bytes .../waas-wipfb-aad-newdirectorybutton.png | Bin 0 -> 1005 bytes .../images/waas-wipfb-aad-newenable.png | Bin 0 -> 2757 bytes .../images/waas-wipfb-aad-newusersettings.png | Bin 0 -> 847 bytes .../waas-windows-insider-for-business.md | 27 +++++++++++------- 9 files changed, 16 insertions(+), 11 deletions(-) create mode 100644 windows/update/images/waas-wipfb-aad-classicaad.png create mode 100644 windows/update/images/waas-wipfb-aad-classicenable.png create mode 100644 windows/update/images/waas-wipfb-aad-consent.png create mode 100644 windows/update/images/waas-wipfb-aad-error.png create mode 100644 windows/update/images/waas-wipfb-aad-newaad.png create mode 100644 windows/update/images/waas-wipfb-aad-newdirectorybutton.png create mode 100644 windows/update/images/waas-wipfb-aad-newenable.png create mode 100644 windows/update/images/waas-wipfb-aad-newusersettings.png 
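Review bot: The folded NTLM bullet now ends with a stray hyphen: `these credentials are vulnerable to key loggers as well.-`; the `-` that opened the next list item was left attached when the NOTE blocks were merged, so the line should end at `as well.`. Also, the two former NOTE callouts are now items of a list introduced by "Some ways to store credentials are not protected by Credential Guard, including:", but the VM item is a scope statement and the cached-verifier item explains why those values are not credentials at all, so neither reads as a "way to store credentials"; consider keeping them as a separate paragraph or note block after the list instead.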
diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/update/waas-windows-insider-for-business.md index bf612c952c..45e3e49b28 100644 --- a/windows/update/waas-windows-insider-for-business.md +++ b/windows/update/waas-windows-insider-for-business.md
@@ -20,7 +20,7 @@ localizationpriority: high For many IT pros, gaining visibility into feature updates early—before they’re available to the CB servicing branch—can be both intriguing and valuable for future end user communications as well as provide additional prestaging for CB machines. With Windows 10, feature flighting enables Windows Insiders to consume and deploy preproduction code to their test machines, gaining early visibility into the next build. Testing the early builds of Windows 10 helps both Microsoft and its customers because they have the opportunity to discover possible issues before the update is ever publicly available and can report it to Microsoft. Also, as flighted builds get closer to their release to CB, organizations can test their deployment on test devices for compatibility validation. The Windows Insider Program for Business gives you the opportunity to: -* Get early access to Windows Insider Preview Builds +* Get early access to Windows Insider Preview Builds. * Provide feedback to Microsoft in real-time via the Feedback Hub app. * Sign-in with corporate credentials (Azure Active Directory) and increase the visibility of your organization's feedback with Microsoft – especially on features that support your productivity and business needs. 
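Review bot: the unchanged context line at the end of this hunk, "Sign-in with corporate credentials", uses the noun form where the verb is meant; since the hunk is already touching this bullet list to add terminal periods, change it to "Sign in with corporate credentials" and "in real-time" in the preceding bullet to "in real time" so the three bullets read consistently.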
@@ -56,9 +56,8 @@ Best for Insiders who enjoy getting early access to updates for the Current Bran Insiders on this level receive builds of Windows just before Microsoft releases them for CB. Although these builds aren’t final, they are the most complete and stable builds available to Windows Insider Program participants. This level provides the best testing platform for organizations that conduct early application compatibility testing on Windows Insider PCs. -* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch -* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows -Ring +* The Release Preview Ring will only be visible when your Windows build version is the same as the Current Branch. +* The easiest way to go between the Development Branch to the Current Branch is to use the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) (for PC) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) (for Mobile) to reinstall Windows. ### Slow 
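Review bot: the second rewritten bullet still reads "go between the Development Branch to the Current Branch", which mixes two constructions; since the line is already being edited to add the period and drop the stray "Ring" fragment, reword it to "move from the Development Branch to the Current Branch".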
@@ -70,11 +69,12 @@ The Slow Windows Insider level is for users who enjoy seeing new builds of Windo ### Fast -Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great +Best for Insiders who enjoy being the first to get access to builds and feature upgrades, with some risk to their devices in order to identify issues, and provide suggestions and ideas to make Windows software and devices great. * Windows Insiders with devices in the Fast Ring should be prepared for more issues that may block key activities that are important to you or may require significant workarounds. * Because we are also validating a build on a smaller set of devices before going to Fast, there is also a chance that some features may work on some devices but may fail in other device configurations. -* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. • Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum +* Windows Insiders should be ready to reinstall Windows using the [Media Creation Tool](http://go.microsoft.com/fwlink/?LinkId=691209) or [Windows Device Recovery Tool](http://go.microsoft.com/fwlink/p/?LinkId=522381) when you are significantly blocked. +* Please remember to report any issue to us through the Windows Insider Feedback Hub or the Windows Insider community Forum. >[!NOTE] >Once your machine is updated to Windows 10 and you select your desired flight ring, the process known as "Compatibility check" will need to run in the background. There is no manual way to force this process to run. 
This process allows for the discovery of your OS type (32-bit, 64-bit), build edition (Home, Pro, Enterprise), country and language settings, and other required information. Once this process is complete, your machine will be auto-targeted for the next available flight for your selected ring. For the first build on any given machine, this may take up to 24 hours to complete. @@ -85,11 +85,11 @@ During your time in the Windows Insider Program, you may want to change between 1. Go to **Settings > Updates & Security > Windows Insider Program** 2. Under **Choose your level**, select between the following rings - - * [Windows Insider Fast](#fast) - * [Windows Insider Slow](#slow) - * [Release Preview](#release-preview) + * [Windows Insider Fast](#fast) + * [Windows Insider Slow](#slow) + * [Release Preview](#release-preview) -## How to switch between you MSA and your Corporate AAD account +## How to switch between your MSA and your Corporate AAD account The Windows Insider Program for Business now gives users the option to register and enroll devices using a corporate account in [Azure Active Directory](https://azure.microsoft.com/services/active-directory/) (AAD) as well as their Microsoft Account (MSA). 
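Review bot: the Fast-ring bullets in the @@ -70,11 hunk switch from third person ("Windows Insiders ... should be prepared") to second person ("important to you", "when you are significantly blocked") within one list; now that the run-on "•" item has been split into its own bullet, settle on one person, for example "that are important to them" and "when they are significantly blocked".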
@@ -108,11 +108,16 @@ When providing feedback, please consider the following: 3. Provide as much information to us as possible: include reproduction steps, screenshots, any detail you think would help us experience the issue as you have, so that we can work on a fix and get it into a new build as soon as possible. ### How to use your corporate AAD account for additional Feedback Hub benefits -Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that are using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization. +Get even more out of the Feedback Hub by signing in to the Feedback Hub using the same corporate account in AAD that you're using to flight builds. One of the benefits of submitting feedback using your AAD account is the addition of a page to the Feedback Hub for your organization. Simply click the **My Company** page in the feedback hub to see and upvote all feedback submitted by other Insiders in your organization. >[!NOTE] >If you signed into the Feedback Hub previously with your MSA, your feedback and badges will not be transferred to your AAD sing-in. However, you can switch back to your MSA account in the Feedback Hub to access feedback you’ve submitted and badges you’ve earned. +>[!IMPORTANT] +>With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions. Once agreed, everything will work fine and that user won't be asked for permissions again. 
+> +> If something goes wrong, it is possible that users aren't enabled to give persmissions to access their data. This can be resolved through the AAD portal. For more information about this, please see [stub](waas-windows-insider-for-business-aad.md#user-consent-requirement). + ## Not receiving Windows 10 Insider Preview build updates? In some cases, your PC may not update to the latest Insider Preview build as expected. Here are items that you can review to troubleshoot this issue: From cc737c8f29255a1f335be0a08b9990ccaee12c21 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 5 Apr 2017 14:46:39 -0700 Subject: [PATCH 05/14] fixed some typos --- .../waas-windows-insider-for-business-aad.md | 43 ++++++++++++++++++- .../waas-windows-insider-for-business-faq.md | 5 ++- 2 files changed, 44 insertions(+), 4 deletions(-) diff --git a/windows/update/waas-windows-insider-for-business-aad.md b/windows/update/waas-windows-insider-for-business-aad.md index f749ef1c36..440c4b8bfc 100644 --- a/windows/update/waas-windows-insider-for-business-aad.md +++ b/windows/update/waas-windows-insider-for-business-aad.md 
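Review bot: the new IMPORTANT block in the @@ -108,11 hunk of waas-windows-insider-for-business.md has two typos and a placeholder link that must not ship: "they will se a popup" should read "they will see a popup", "give persmissions" should read "give permissions", and the link text "[stub]" needs descriptive text such as "User consent requirement". The unchanged NOTE just above it also carries "AAD sing-in" for "AAD sign-in". Rather than "everything will work fine", state plainly that the consent covers only the fields the parenthetical already lists (name, organizational tenant ID and user ID), so readers can judge what they are granting.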
@@ -37,12 +37,11 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc ## Enroll a device with an Azure Active Directory account 1. Visit [insider.windows.com](https://insider.windows.com). Sign-in with your corporate account in AAD and follow the on-screen registration directions. 2. On your Windows 10 device, go to **Settings > Updates & Security > Windows Insider Program**. +3. Enter the AAD account that you used to register and follow the on-screen directions. >[!NOTE] >Make sure that you have administrator rights to the machine and that it has latest Windows updates. -3. Enter the AAD account that you used to register and follow the on-screen directions. - ## Switch device enrollment from your Microsoft account to your AAD account 1. Visit [insider.windows.com](https://insider.windows.com) to register your AAD account. If you are signed in with your Microsoft account, sign out, then sign back in with your corporate AAD account. 2. Click **Get started**, read and accept the privacy statement and program terms and click **Submit**. 
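Review bot: Two context lines in the reordered enrollment list still need a fix while the list is open: step 1 reads "Sign-in with your corporate account", where the verb form is "Sign in" (the hyphenated form is the noun), and the `>[!NOTE]` says "it has latest Windows updates", which is missing "the". Moving step 3 above the note is otherwise correct, because the note previously split the numbered list and broke the numbering.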
@@ -55,6 +54,46 @@ Simply go to **Settings > Accounts > Access work or school**. If a corporate acc >[!NOTE] >Your device must be connected to your corporate account in AAD for the account to appear in the account list. +## User consent requirement + +With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions, like this: + +![Feedback Hub consent to AAD pop-up](images/waas-wipfb-aad-consent.png) + +Once agreed, everything will work fine and that user won't be asked for permissions again. + +### Something went wrong + +The option for users to give consent for apps to access their profile data is controlled through Azure Active Directory. This means the AAD administrators have the ability to allow or block users from giving consent. + +In case the administrators blocked this option, when the user signs in with the AAD account, they will see the following error message: + +![Feedback Hub consent error message](images/waas-wipfb-aad-error.png) + +This blocks the user from signing in, which means they won't be able to use the Feedback Hub app with their AAD credentials. + +**To fix this issue**, an adminsitrator of the AAD directory will need to enable user consent for apps to access their data. + +To do this through the **classic Azure portal**: +1. Go to https://manage.windowsazure.com/ . +2. Switch to the **Active Directory** dashboard. + ![Azure classic portal dashboard button](images/waas-wipfb-aad-classicaad.png) +3. Select the appropriate directory and go to the **Configure** tab. +4. Under the **integrated applications** section, enable **Users may give applications permissions to access their data**. + ![Azure classic portal enable consent](images/waas-wipfb-aad-classicenable.png) + +To do this through the **new Azure portal**: +1. 
Go to https://portal.azure.com/ . +2. Switch to the **Active Directory** dashboard. + ![Azure new portal dashboard button](images/waas-wipfb-aad-newaad.png) +3. Switch to the appropriate directory. + ![Azure new portal switch directory button](images/waas-wipfb-aad-newdirectorybutton.png) +4. Under the **Manage** section, select **User settings**. + ![Azure new portal user settings](images/waas-wipfb-aad-newusersettings.png) +5. In the **Enterprise applications** section, enable **Users can allow apps to access their data**. + ![Azure new portal enable consent](images/waas-wipfb-aad-newenable.png) + + ## Frequently Asked Questions ### Will my test machines be affected by automatic registration? diff --git a/windows/update/waas-windows-insider-for-business-faq.md b/windows/update/waas-windows-insider-for-business-faq.md index 653d6d5c93..249b9c95ee 100644 --- a/windows/update/waas-windows-insider-for-business-faq.md +++ b/windows/update/waas-windows-insider-for-business-faq.md 
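Review bot: The "To fix this issue" guidance in the new "User consent requirement" section tells an administrator to enable "Users may give applications permissions to access their data" (classic portal) or "Users can allow apps to access their data" (new portal) without saying that this is a directory-wide setting: it re-enables user consent for every application in the tenant, not only the Feedback Hub. An administrator who turned it off did so deliberately, so the section should state the scope of the change and let the reader weigh it instead of presenting it as a one-click fix. Smaller points in the added text: "they will se a popup" should be "see", "adminsitrator" should be "administrator", and "everything will work fine" would be more precise as "sign-in completes and the user is not prompted again". Quoting the text of the error shown in the `waas-wipfb-aad-error.png` screenshot inline would also make the page findable by someone searching for that message.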
@@ -31,11 +31,12 @@ Hindi, Catalan, and Vietnamese can only be installed as a language pack over [su > To learn how to install a language pack, see [How to add an input language to your PC Additional](https://support.microsoft.com/instantanswers/60f32ff8-8697-4452-af7d-647439c38433/how-to-add-and-switch-input-languages-on-your-pc). ### How do I register for the Windows Insider Program for Business? -To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account \that you use for Office 365 and other Microsoft services. +To register for the Windows Insider Program for Business, follow the steps below using your corporate account in Azure Active Directory (AAD). This account is the same account that you use for Office 365 and other Microsoft services. 1. Visit https://insider.windows.com and click **Get Started**. 2. Sign-in with your corporate account in AAD (username/password) and follow the on-screen registration directions. -3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. +3. Enroll your Windows 10 PC to get the latest Windows 10 Insider Preview builds. Go to **Settings > Updates & Security > Windows Insider Program**. Click **Get Started**, enter your corporate credentials that you used to register, then follow the on-screen directions. + >[!NOTE] >Make sure that you have administrator rights to your machine and that it has latest Windows updates. From fa51ba29b0efc66c8eae7b707d17163076e2606b Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 5 Apr 2017 15:36:57 -0700 Subject: [PATCH 06/14] fixed typo --- windows/update/waas-windows-insider-for-business.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
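Review bot: The line added before `>[!NOTE]` is whitespace-only (`+ ` with a trailing space) rather than an empty line; an empty line is all that is needed to separate the note from the list, and trailing whitespace trips markdown linters. The same hunk keeps "Sign-in with your corporate account" (verb form is "Sign in") and "it has latest Windows updates" (missing "the") as unchanged context; both mirror the wording in the aad.md page and are cheap to fix here.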
diff --git a/windows/update/waas-windows-insider-for-business.md b/windows/update/waas-windows-insider-for-business.md index 45e3e49b28..802fb3b122 100644 --- a/windows/update/waas-windows-insider-for-business.md +++ b/windows/update/waas-windows-insider-for-business.md @@ -116,7 +116,7 @@ Get even more out of the Feedback Hub by signing in to the Feedback Hub using th >[!IMPORTANT] >With the current version of the Feedback Hub app, we need the user's consent to access their AAD account profile data (We read their name, organizational tenant ID and user ID). When they sign in for the first time with the AAD account, they will se a popup asking for their permissions. Once agreed, everything will work fine and that user won't be asked for permissions again. > -> If something goes wrong, it is possible that users aren't enabled to give persmissions to access their data. This can be resolved through the AAD portal. For more information about this, please see [stub](waas-windows-insider-for-business-aad.md#user-consent-requirement). +> If something goes wrong, it is possible that users aren't enabled to give persmissions to access their data. This can be resolved through the AAD portal. For more information about this, please see [User consent requirement](waas-windows-insider-for-business-aad.md#user-consent-requirement). ## Not receiving Windows 10 Insider Preview build updates? From 185177a7fd64ddee26a440982f9424825d68527d Mon Sep 17 00:00:00 2001 From: jamiejdt Date: Wed, 5 Apr 2017 15:44:20 -0700 Subject: [PATCH 07/14] Update AGPM 4.0 SP3 support table --- .../choosing-which-version-of-agpm-to-install.md | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/mdop/agpm/choosing-which-version-of-agpm-to-install.md b/mdop/agpm/choosing-which-version-of-agpm-to-install.md index e79ec15b6e..a3062b6238 100644 --- a/mdop/agpm/choosing-which-version-of-agpm-to-install.md +++ b/mdop/agpm/choosing-which-version-of-agpm-to-install.md 
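Review bot: This commit is titled "fixed typo" but only replaces the `[stub]` link text; the changed line still says "persmissions" and the unchanged context line above it still says "they will se a popup". Since the whole `>[!IMPORTANT]` block is under edit, fix all three here so the typo fix is actually complete.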
@@ -50,31 +50,37 @@ Table 1 lists the operating systems on which you can install AGPM 4.0 SP3, and

Supported

+

Windows Server 2012 R2

+

Windows 10

+

Supported with the caveats outlined in [KB 4015786](https://support.microsoft.com/en-us/help/4015786/known-issues-managing-a-windows-10-group-policy-client-in-windows-serv) +

+ +

Windows Server 2012 R2 or Windows 8.1

Windows Server 2012 R2 or Windows 8.1

Supported

- +

Windows Server 2012 R2, Windows Server 2012, or Windows 8.1

Windows Server 2012 or Windows 8.1

Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1

- +

Windows Server 2008 R2 or Windows 7

Windows Server 2008 R2 or Windows 7

Supported, but cannot edit policy settings or preference items that exist only in Windows 8.1

- +

Windows Server 2012, Windows Server 2008 R2, or Windows 7

Windows Server 2008 or Windows Vista with Service Pack 1 (SP1)

Supported, but cannot edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7

- +

Windows Server 2008 or Windows Vista with SP1

Windows Server 2012, Windows Server 2008 R2, Windows 8, or Windows 7

Not supported

- +

Windows Server 2008 or Windows Vista with SP1

Windows Server 2008 or Windows Vista with SP1

Supported, but cannot report or edit policy settings or preference items that exist only in Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, Windows 8.1, or Windows 7
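Review bot: The new Windows 10 row in the AGPM 4.0 SP3 support table sends readers to a KB article for "the caveats" without saying what they are; a one-clause summary in the cell (the URL slug indicates it concerns known issues managing a Windows 10 Group Policy client from Windows Server) would let a reader decide whether the link applies to them. The link also hard-codes the locale in `https://support.microsoft.com/en-us/help/4015786/...`; dropping the `en-us` segment lets support.microsoft.com serve the reader's language. Please also confirm the added row carries the same three cells as its neighbours, since only the cell text is visible in this hunk.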

From fbc27121420a81e1f675d9556f20079d7a8e6555 Mon Sep 17 00:00:00 2001 From: Iaan D'Souza-Wiltshire Date: Wed, 5 Apr 2017 15:51:25 -0700 Subject: [PATCH 08/14] branding --- windows/keep-secure/troubleshoot-windows-defender-antivirus.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md index 454f8c8257..4e7c275117 100644 --- a/windows/keep-secure/troubleshoot-windows-defender-antivirus.md +++ b/windows/keep-secure/troubleshoot-windows-defender-antivirus.md @@ -1029,7 +1029,7 @@ Description of the error.
Engine Version: <Antimalware Engine version>

NOTE:

Whenever Windows Defender, Microsoft Security Essentials, Malicious Software Removal Tool, or System Center Endpoint Protection detects a malware, it will restore the following system settings and services which the malware might have changed:

    -
  • Default Internet Explorer or Edge setting
  • +
  • Default Internet Explorer or Microsoft Edge setting
  • User Access Control settings
  • Chrome settings
  • Boot Control Data
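Review bot: The renamed bullet is correct ("Microsoft Edge"), but the next bullet in the same list, "User Access Control settings", is an unchanged context line with the wrong product name: the feature is User Account Control (UAC). A branding commit is the right place to fix it. The sentence introducing the list, "detects a malware", should also read "detects malware".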
  • From 95661d6ab8f131049172ac0b752abad2d777bd46 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 5 Apr 2017 15:59:51 -0700 Subject: [PATCH 09/14] added wipfb to change history --- windows/update/change-history-for-update-windows-10.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/windows/update/change-history-for-update-windows-10.md b/windows/update/change-history-for-update-windows-10.md index d1a178004f..bfee7b36f4 100644 --- a/windows/update/change-history-for-update-windows-10.md +++ b/windows/update/change-history-for-update-windows-10.md @@ -15,5 +15,10 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc ## RELEASE: Windows 10, version 1703 -The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). +The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: +* [Windows Insider Program for Business](waas-windows-insider-for-business.md) +* [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) +* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) + + From f4f4cf4887e0fbd66a6eedbc6439c0d2fb329f55 Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 5 Apr 2017 16:05:28 -0700 Subject: [PATCH 10/14] last changes to Index and change history --- windows/update/change-history-for-update-windows-10.md | 5 +---- windows/update/index.md | 1 + 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/windows/update/change-history-for-update-windows-10.md b/windows/update/change-history-for-update-windows-10.md index bfee7b36f4..97ece9af22 100644 --- a/windows/update/change-history-for-update-windows-10.md +++ b/windows/update/change-history-for-update-windows-10.md 
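Review bot: The three empty lines added at the end of change-history-for-update-windows-10.md are noise that the very next commit (PATCH 10/14) removes again; squash the two commits so the history does not record whitespace churn. The three new bullets themselves are fine and match the topic titles used in index.md.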
@@ -18,7 +18,4 @@ This topic lists new and updated topics in the [Update Windows 10](index.md) doc The topics in this library have been updated for Windows 10, version 1703 (also known as the Creators Update). The following new topics have been added: * [Windows Insider Program for Business](waas-windows-insider-for-business.md) * [Windows Insider Program for Business using Azure Active Directory](waas-windows-insider-for-business-aad.md) -* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) - - - +* [Windows Insider Program for Business Frequently Asked Questions](waas-windows-insider-for-business-faq.md) \ No newline at end of file diff --git a/windows/update/index.md b/windows/update/index.md index 4346995b12..18f0e7fcdd 100644 --- a/windows/update/index.md +++ b/windows/update/index.md @@ -41,6 +41,7 @@ Windows as a service provides a new way to think about building, deploying, and | [Manage Windows 10 updates using Windows Server Update Services (WSUS)](waas-manage-updates-wsus.md) | Explains how to use WSUS to manage Windows 10 updates. | | [Manage Windows 10 updates using System Center Configuration Manager](waas-manage-updates-configuration-manager.md) | Explains how to use Configuration Manager to manage Windows 10 updates. | | [Manage device restarts after updates](waas-restart.md) | Explains how to use Group Policy to manage device restarts. | +| [Windows Insider Program for Business](waas-windows-insider-for-business.md) | Explains how the Windows Insider Program for Business works and how to become an insider. | >[!TIP] >Windows servicing is changing, but for disaster recovery scenarios and bare-metal deployments of Windows 10, you still can use traditional imaging software such as System Center Configuration Manager or the Microsoft Deployment Toolkit. Using these tools to deploy Windows 10 images is similar to deploying previous versions of Windows. 
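Review bot: The rewritten last bullet in change-history-for-update-windows-10.md now ends with `\ No newline at end of file`; trimming the stray blank lines is right, but keep a single terminating newline so the file is POSIX-clean and the next edit to this file does not produce a spurious change on this line.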
From 4e40b46d9121c251db0cf159d6c99cf8000c18cf Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 5 Apr 2017 16:07:41 -0700 Subject: [PATCH 11/14] added PS examples --- ...iew-of-threat-mitigations-in-windows-10.md | 60 +++++++++++++++++-- 1 file changed, 56 insertions(+), 4 deletions(-) diff --git a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md index 9dba460da4..3b315d321b 100644 --- a/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/keep-secure/overview-of-threat-mitigations-in-windows-10.md @@ -58,7 +58,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta | **Enterprise certificate pinning**
    helps prevent
    man-in-the-middle attacks
    that leverage PKI | Enterprise certificate pinning enables you to protect your internal domain names from chaining to unwanted certificates or to fraudulently issued certificates. With enterprise certificate pinning, you can “pin” (associate) an X.509 certificate and its public key to its Certification Authority, either root or leaf.

    **More information**: [Enterprise Certificate Pinning](enterprise-certificate-pinning.md) | | **Device Guard**
    helps keep a device
    from running malware or
    other untrusted apps | Device Guard includes a Code Integrity policy that you create; a whitelist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which leverages virtualization-based security (VBS) to protect Windows’ kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
    Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

    **More information**: [Introduction to Device Guard](introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies.md) | | **Windows Defender Antivirus**,
    which helps keep devices
    free of viruses and other
    malware | Windows 10 includes Windows Defender Antivirus, a robust inbox antimalware solution. Windows Defender Antivirus has been significantly improved since it was introduced in Windows 8.

    **More information**: [Windows Defender Antivirus](#windows-defender-antivirus), later in this topic | -| **Blocking of untrusted fonts**
    helps prevent fonts
    from being used in
    elevation-of-privilege attacks | The Block Untrusted Fonts setting allows you to prevent users from loading untrusted fonts onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

    **More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | +| **Blocking of untrusted fonts**
    helps prevent fonts
    from being used in
    elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](https://msdn.microsoft.com/library/windows/desktop/mt595898(v=vs.85).aspx) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

    **More information**: [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md) | | **Memory protections**
    help prevent malware
    from using memory manipulation
    techniques such as buffer
    overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
    A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

    **More information**: [Table 2](#table-2), later in this topic | | **UEFI Secure Boot**
    helps protect
    the platform from
    bootkits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

    **More information**: [UEFI and Secure Boot](bitlocker-countermeasures.md#uefi-and-secure-boot) | | **Early Launch Antimalware (ELAM)**
    helps protect
    the platform from
    rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the antimalware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

    **More information**: [Early Launch Antimalware](bitlocker-countermeasures.md#protection-during-startup) | @@ -199,7 +199,7 @@ In Windows 10 and Windows Server 2016, client connections to the Active Director ### Protected Processes -Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on any malware that might be running. Protected Processes creates limits of this type. +Most security controls are designed to prevent the initial infection point. However, despite all the best preventative controls, malware might eventually find a way to infect the system. So, some protections are built to place limits on malware that gets on the device. Protected Processes creates limits of this type. With Protected Processes, Windows 10 prevents untrusted processes from interacting or tampering with those that have been specially signed. Protected Processes defines levels of trust for processes. Less trusted processes are prevented from interacting with and therefore attacking more trusted processes. Windows 10 uses Protected Processes more broadly across the operating system, and as in Windows 8.1, implements them in a way that can be used by 3rd party anti-malware vendors, as described in [Protecting Anti-Malware Services](https://msdn.microsoft.com/library/windows/desktop/dn313124(v=vs.85).aspx). This helps make the system and antimalware solutions less susceptible to tampering by malware that does manage to get on the system. 
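Review bot: In the `@@ -58,7 +58,7` table hunk, the rewritten "Blocking of untrusted fonts" cell, 'Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network', is no clearer than the original; the scare quotes raise the question of what makes a font untrusted without answering it. Either keep the original wording or add one clause saying which fonts the setting treats as untrusted, as defined in the linked block-untrusted-fonts-in-enterprise.md topic. Two context problems in the same table are worth fixing while the row is open: the Memory protections cell opens a parenthesis at "(for example, malware that attempts to use buffer overruns" and never closes it, and the fonts cell points readers to "Kernel pool protections" for "a list describing this", where "this" is the AppContainer sandbox; check that the referenced section actually covers AppContainer isolation, because the two terms describe different mechanisms, and reword the cross-reference if it does not.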
@@ -207,7 +207,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interacti When users download Universal Windows apps from the Windows Store, it’s unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. -Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data, Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. +Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. In addition, all Universal Windows apps follow the security principle of least privilege. Apps receive only the minimum privileges they need to perform their legitimate tasks, so even if an attacker exploits an app, the damage the exploit can do is severely limited and should be contained within the sandbox. The Windows Store displays the exact capabilities the app requires (for example, access to the camera), along with the app’s age rating and publisher. 
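Review bot: Deleting "Unlike Windows Classic applications, which can run with elevated privileges and have potentially sweeping access to the system and data" removes the comparison that explains why the AppContainer sandbox matters; the paragraph now promises "increased confidence" without saying relative to what. If the objection is the non-standard term "Windows Classic applications", replace it with "desktop (Win32) applications" and keep the contrast rather than dropping it.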
@@ -365,7 +365,59 @@ One of EMET’s strengths is that it allows you to import and export configurati Install-Module -Name ProcessMitigations ``` -The ConvertTo-ProcessMitigationPolicy cmdlet can: +The Get-ProcessMitigation cmdlet gets the current mitigation settings from the registry or from a running process, or it can save all settings to an XML file. + +To get the current settings on all running instances of notepad.exe: + +```powershell +Get-ProcessMitigation -Name notepad.exe -RunningProcess +``` + +To get the current settings in the registry for notepad.exe: + +```powershell +Get-ProcessMitigation -Name notepad.exe +``` + +To get the current settings for the running process with pid 1304: + +```powershell +Get-ProcessMitigation -Id 1304 +``` + +To get the all process mitigation settings from the registry and save them to the xml file settings.xml: + +```powershell +Get-ProcessMitigation -RegistryConfigFilePath settings.xml +``` + +The Set-ProcessMitigation cmdlet can enable and disable process mitigations or set them in bulk from an XML file. + +To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and disable MandatoryASLR: + +```powershell +Set-ProcessMitigation -Name Notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR +``` + +To set the process mitigations from an XML file (which can be generated from get-ProcessMitigation -RegistryConfigFilePath settings.xml): + +```powershell +Set-ProcessMitigation -PolicyFilePath settings.xml +``` + +To set the system default to be MicrosoftSignedOnly: + +```powershell +Set-ProcessMitigation -System -Enable MicrosoftSignedOnly +``` + +The ConvertTo-ProcessMitigationPolicy cmdlet converts mitigation policy file formats. 
The syntax is: + +```powershell +ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath [] +``` + +Examples: - **Convert EMET settings to Windows 10 settings**: You can run ConvertTo-ProcessMitigationPolicy and provide an EMET XML settings file as input, which will generate an output file of Windows 10 mitigation settings. For example: From c1e5aae7f2ceb310c2fa198e013602438e2303de Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 5 Apr 2017 16:26:33 -0700 Subject: [PATCH 12/14] waas-configure-wufb fixed 60 -> 35 mention pause --- windows/update/waas-configure-wufb.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md index e3b47b2f2f..565725e1c2 100644 --- a/windows/update/waas-configure-wufb.md +++ b/windows/update/waas-configure-wufb.md 
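Review bot: `Set-ProcessMitigation -System -Enable MicrosoftSignedOnly` is presented without any caution that it sets a system-wide default which prevents every process from loading images not signed by Microsoft; the mitigations table earlier in this same file already says "A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run", and that caveat belongs next to this example, with the per-process form shown first. Smaller points in the same hunk: the sentence "To get the current process mitigation for "notepad.exe" from the registry and then enable MicrosoftSignedOnly and disable MandatoryASLR" describes a Get followed by a Set, but the example only runs `Set-ProcessMitigation -Name Notepad.exe -Enable MicrosoftSignedOnly -Disable MandatoryASLR`; "To get the all process mitigation settings" has a stray "the"; process and cmdlet names are cased inconsistently (notepad.exe / Notepad.exe, Get-ProcessMitigation / get-ProcessMitigation); and the syntax line `ConvertTo-ProcessMitigationPolicy -EMETFilePath -OutputFilePath []` shows no parameter values at all, so give each parameter its placeholder and spell out what the empty brackets stand for.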
@@ -84,11 +84,11 @@ After you configure the servicing branch (CB or CBB), you can then define if, an ## Pause Feature Updates -You can also pause a device from receiving Feature Updates by a period of up to 60 days from when the value is set. After 60 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again. +You can also pause a device from receiving Feature Updates by a period of up to 35 days from when the value is set. After 35 days has passed, pause functionality will automatically expire and the device will scan Windows Update for applicable Feature Updates. Following this scan, Feature Updates for the device can then be paused again. -Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 60 days to the start date. +Starting with version 1703, when configuring pause through policy, a start date has to be set from which the pause begins. The pause period will be calculated by adding 35 days to the start date. -In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 60 days by configuring a later start date. +In cases where the pause policy is first applied after the configured start date has passed, administrators will be able to extend the pause period up to a total of 35 days by configuring a later start date. With version 1703, pausing through the settings app will provide a more consistent experience: - Any active restart notification are cleared or closed 
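Review bot: The 60-to-35 replacement leaves "After 35 days has passed" (should be "have passed") and the context bullet "Any active restart notification are cleared or closed" (should be "notifications are") unchanged. Because the new limit only applies to version 1703 and later, the first paragraph should say so directly instead of leaving readers on earlier builds to discover it from the `>[!IMPORTANT]` note added further down in this patch.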
@@ -98,6 +98,8 @@ With version 1703, pausing through the settings app will provide a more consiste >[!IMPORTANT] >This policy does not apply to Windows 10 Mobile Enterprise. +> +>Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has be changed to 35, similar to the number of days for quality updates. **Pause Feature Updates policies** @@ -110,7 +112,7 @@ With version 1703, pausing through the settings app will provide a more consiste You can check the date Feature Updates were paused at by checking the registry key **PausedFeatureDate** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. -The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 60 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. +The local group policy editor (GPEdit.msc) will not reflect if your Feature Update Pause period has expired. Although the device will resume Feature Updates after 35 days automatically, the pause checkbox will remain checked in the policy editor. To see if a device has auto-resumed taking Feature Updates, you can check the status registry key **PausedFeatureStatus** under **HKLM\SOFTWARE\Microsoft\WindowsUpdate\UpdatePolicy\Settings**. | Value | Status| | --- | --- | From 2a3f438973da2b56561a06452dcae630161671cf Mon Sep 17 00:00:00 2001 From: Dani Halfin Date: Wed, 5 Apr 2017 16:33:42 -0700 Subject: [PATCH 13/14] fixed typo --- windows/update/waas-configure-wufb.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/update/waas-configure-wufb.md b/windows/update/waas-configure-wufb.md index 565725e1c2..03aeba51b9 100644 
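Review bot: The added line ">Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has be changed to 35" has the typo "has be"; the following commit (PATCH 13/14) corrects it to "has been", so squash the two rather than landing a typo and its fix as separate commits.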
--- a/windows/update/waas-configure-wufb.md +++ b/windows/update/waas-configure-wufb.md @@ -99,7 +99,7 @@ With version 1703, pausing through the settings app will provide a more consiste >[!IMPORTANT] >This policy does not apply to Windows 10 Mobile Enterprise. > ->Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has be changed to 35, similar to the number of days for quality updates. +>Prior to Windows 10, version 1703, feature updates could be paused by up to 60 days. This number has been changed to 35, similar to the number of days for quality updates. **Pause Feature Updates policies** From 96c474d1ef5be136b3492cb5e73007b1cc8fccb4 Mon Sep 17 00:00:00 2001 From: Justinha Date: Wed, 5 Apr 2017 16:57:53 -0700 Subject: [PATCH 14/14] removed table --- .../bitlocker-frequently-asked-questions.md | 43 +++---------------- 1 file changed, 6 insertions(+), 37 deletions(-) diff --git a/windows/keep-secure/bitlocker-frequently-asked-questions.md b/windows/keep-secure/bitlocker-frequently-asked-questions.md index 3e39f7390e..01c1fb4b93 100644 --- a/windows/keep-secure/bitlocker-frequently-asked-questions.md +++ b/windows/keep-secure/bitlocker-frequently-asked-questions.md 
@@ -97,44 +97,13 @@ Yes. Open the **BitLocker Drive Encryption** Control Panel, click **Manage BitLo ### Do I have to decrypt my BitLocker-protected drive to download and install system updates and upgrades? -The following table lists what action you need to take before you perform an upgrade or update installation. +No user action is required for BitLocker in order to apply updates from Microsoft, including [Windows quality updates and feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start). +Users need to suspend BitLocker for Non-Microsoft software updates, such as: + +- Computer manufacturer firmware updates +- TPM firmware updates +- Non-Microsoft application updates that modify boot components - ---- - - - - - - - - - - - - - - - - - - - - - - - - -
    Type of updateAction

    Windows Anytime Upgrade

    Decrypt

    [Feature updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) for Windows 10 (example: Windows 10, version 1703)

    Suspend

    Non-Microsoft software updates, such as:

    -
      -
    • Computer manufacturer firmware updates

    • -
    • TPM firmware updates

    • -
    • Non-Microsoft application updates that modify boot components

    • -

    Suspend

    Software and [quality updates](https://technet.microsoft.com/itpro/windows/manage/waas-quick-start) from Windows Update

    Nothing

    -  > **Note:**  If you have suspended BitLocker, you can resume BitLocker protection after you have installed the upgrade or update. Upon resuming protection, BitLocker will reseal the encryption key to the new values of the measured components that changed as a part of the upgrade or update. If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode when restarting and will require a recovery key or password to access the computer.   ## Deployment and administration
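Review bot: The replacement text "No user action is required for BitLocker in order to apply updates from Microsoft, including Windows quality updates and feature updates" contradicts the table it removes, which listed feature updates as "Suspend" and Windows Anytime Upgrade as "Decrypt", and the unchanged note below still warns "If these types of upgrades or updates are applied without suspending BitLocker, your computer will enter recovery mode". If feature updates no longer require suspending BitLocker, state the Windows 10 version from which that holds and make the note's "these types" refer only to the non-Microsoft list that now precedes it; if the Anytime Upgrade row was dropped because the product is obsolete, say so in the commit message, which currently only reads "removed table". Also, "Users need to suspend BitLocker for Non-Microsoft software updates" should use lowercase "non-Microsoft" mid-sentence.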