From 325928ccd5bb25be77df535b92d58191b2a71d1f Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 15 Aug 2023 17:10:07 -0400 Subject: [PATCH 1/2] Add Enterprise domain controllers --- .../allow-log-on-locally.md | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md index fd5538b2a7..5c246fea41 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-locally.md @@ -1,8 +1,8 @@ --- -title: Allow log on locally - security policy setting +title: Allow log on locally - security policy setting description: Describes the best practices, location, values, policy management, and security considerations for the Allow log on locally security policy setting. ms.assetid: d9e5e1f3-3bff-4da7-a9a2-4bb3e0c79055 -ms.reviewer: +ms.reviewer: ms.author: vinpa ms.prod: windows-client ms.mktglfcycl: deploy @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines which users can start an interactive session on the device. Users must have this user right to log on over a Remote Desktop Services session that is running on a Windows-based member device or domain controller. > **Note:**  Users who do not have this right are still able to start a remote interactive session on the device if they have the **Allow logon through Remote Desktop Services** right. - + Constant: SeInteractiveLogonRight ### Possible values @@ -48,6 +48,7 @@ By default, the members of the following groups have this right on domain contro - Account Operators - Administrators - Backup Operators +- Enterprise Domain Controllers - Print Operators - Server Operators 
@@ -62,17 +63,17 @@ Computer Configuration\\Policies\\Windows Settings\\Security Settings\\Local Pol ### Default values -The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. +The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy's property page. | Server type or GPO | Default value | | - | - | | Default Domain Policy| Not Defined | -| Default Domain Controller Policy | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators | +| Default Domain Controller Policy | Account Operators
Administrators
Backup Operators
Enterprise Domain Controllers
Print Operators
Server Operators | | Stand-Alone Server Default Settings| Administrators
Backup Operators
Users | -| Domain Controller Effective Default Settings | Account Operators
Administrators
Backup Operators
Print Operators
Server Operators | +| Domain Controller Effective Default Settings | Account Operators
Administrators
Backup Operators
Enterprise Domain Controllers
Print Operators
Server Operators | | Member Server Effective Default Settings | Administrators
Backup Operators
Users | | Client Computer Effective Default Settings | Administrators
Backup Operators
Users | - + ## Policy management Restarting the device is not required to implement this change. @@ -112,5 +113,5 @@ If you remove these default groups, you could limit the abilities of users who a ## Related topics - [User Rights Assignment](user-rights-assignment.md) - - + + From 80c8bc4e5dc475d4d374adf3e382e8649a7dac55 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Wed, 16 Aug 2023 07:18:42 -0400 Subject: [PATCH 2/2] removed licensing info --- .../design/microsoft-recommended-driver-block-rules.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md index 24f07d7ca7..a190d84898 100644 --- a/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md +++ b/windows/security/application-security/application-control/windows-defender-application-control/design/microsoft-recommended-driver-block-rules.md 
@@ -41,8 +41,6 @@ The blocklist is updated with each new major release of Windows, typically 1-2 t Customers who always want the most up-to-date driver blocklist can also use Windows Defender Application Control (WDAC) to apply the latest recommended driver blocklist contained in this article. For your convenience, we've provided a download of the most up-to-date vulnerable driver blocklist along with instructions to apply it on your computer at the end of this article. Otherwise, you can use the XML provided below to create your own custom WDAC policies. -[!INCLUDE [microsoft-vulnerable-driver-blocklist](../../../../../../includes/licensing/microsoft-vulnerable-driver-blocklist.md)] - ## Blocking vulnerable drivers using WDAC Microsoft recommends enabling [HVCI](../../../../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) or S mode to protect your devices against security threats. If this setting isn't possible, Microsoft recommends blocking [this list of drivers](#vulnerable-driver-blocklist-xml) within your existing Windows Defender Application Control policy. Blocking kernel drivers without sufficient testing can cause devices or software to malfunction, and in rare cases, blue screen. It's recommended to first validate this policy in [audit mode](/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies) and review the audit block events.
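Review bot: in allow-log-on-locally.md, hunk `@@ -1,8 +1,8 @@` changes only trailing whitespace on the `title:` and `ms.reviewer:` lines, and hunks `@@ -29,7 +29,7 @@` and `@@ -112,5 +113,5 @@` are the same kind of whitespace-only edit; they are harmless but unrelated to the subject "Add Enterprise domain controllers" and widen the diff. Either mention the whitespace cleanup in the commit message or split it into its own commit so a reviewer can see at a glance that only the group lists changed.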
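Review bot: in allow-log-on-locally.md, hunk `@@ -48,6 +48,7 @@` inserts `- Enterprise Domain Controllers` in alphabetical order into the list introduced by "By default, the members of the following groups have this right on domain contro...", which is the right place, but the commit message gives no reason for the addition. State in the message what the correction is based on so it can be verified, and confirm that no other section of the page outside this diff enumerates the default domain controller groups, since such text would now disagree with this list.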
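Review bot: in allow-log-on-locally.md, hunk `@@ -62,17 +63,17 @@` also replaces the curly apostrophe in "policy’s" with a straight one; that is fine for consistency but unrelated to the subject and worth a line in the commit message. The table rows themselves look right: both "Default Domain Controller Policy" and "Domain Controller Effective Default Settings" gain `Enterprise Domain Controllers` between `Backup Operators` and `Print Operators`, matching the bullet list, and no non-domain-controller row is touched.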
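Review bot: in microsoft-recommended-driver-block-rules.md, hunk `@@ -41,8 +41,6 @@` removes `[!INCLUDE [microsoft-vulnerable-driver-blocklist](../../../../../../includes/licensing/microsoft-vulnerable-driver-blocklist.md)]` and the commit message "removed licensing info" does not say why. If the licensing text moved elsewhere or was inaccurate, say so in the message, and check whether `includes/licensing/microsoft-vulnerable-driver-blocklist.md` is still referenced by any other page; if not, it is now an orphaned include that should be deleted in the same change. Removing the following blank line along with it leaves a single blank line before `## Blocking vulnerable drivers using WDAC`, so heading spacing is fine.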