deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

resolved conflicts

Browse Source
This commit is contained in:
Paolo Matarazzo 2023-05-24 16:42:58 -04:00
commit c97fbd8ea8
187 changed files with 1918 additions and 892 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

627
.openpublishing.redirection.json
View File

@ -20814,6 +20814,631 @@
"source_path": "windows/security/information-protection/index.md",
"redirect_url": "/windows/security/encryption-data-protection",
"redirect_document_id": false
}
},
{
"source_path": "windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-authentication.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-authentication",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-conditional-access.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-conditional-access",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-connection-type.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-connection-type",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-guide.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-name-resolution.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-name-resolution",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-office-365-optimization.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-profile-options.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-profile-options",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-routing.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-routing",
"redirect_document_id": false
},
{
"source_path": "windows/security/identity-protection/vpn/vpn-security-features.md",
"redirect_url": "/windows/security/operating-system-security/network-security/vpn/vpn-security-features",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/best-practices-configuring.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/boundary-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/boundary-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-authentication-methods.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/documenting-the-zones.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/encryption-zone.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/encryption-zone",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/exemption-list.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/exemption-list",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/filter-origin-documentation.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/filter-origin-documentation",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/firewall-gpos.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/firewall-gpos",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/firewall-policy-design-example",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/firewall-settings-lost-on-upgrade.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/firewall-settings-lost-on-upgrade",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-active-directory-deployment",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-current-network-infrastructure",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gathering-information-about-your-devices.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gathering-information-about-your-devices",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gathering-other-relevant-information.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gathering-other-relevant-information",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gathering-the-information-you-need.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gathering-the-information-you-need",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gpo-domiso-boundary.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-boundary",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gpo-domiso-encryption.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-encryption",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gpo-domiso-firewall.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-clients",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/gpo-domiso-isolateddomain-servers",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/isolated-domain-gpos.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain-gpos",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/isolated-domain.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/isolated-domain",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/isolating-apps-on-your-network.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/isolating-apps-on-your-network",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/link-the-gpo-to-the-domain.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/link-the-gpo-to-the-domain",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-ip-security-policies",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/open-windows-firewall-with-advanced-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-certificate-based-authentication.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-certificate-based-authentication",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-domain-isolation-zones.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-domain-isolation-zones",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-gpo-deployment.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-gpo-deployment",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-group-policy-deployment-for-your-isolation-zones",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-isolation-groups-for-the-zones.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-isolation-groups-for-the-zones",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-network-access-groups.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-network-access-groups",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-server-isolation-zones.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-server-isolation-zones",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-settings-for-a-basic-firewall-policy",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-the-gpos.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-the-gpos",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/planning-your-windows-firewall-with-advanced-security-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/protect-devices-from-unwanted-network-traffic.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/protect-devices-from-unwanted-network-traffic",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/quarantine.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/quarantine",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/require-encryption-when-accessing-sensitive-network-resources",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-specified-users-or-devices",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/restrict-access-to-only-trusted-devices",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/restrict-server-access-to-members-of-a-group-only",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/server-isolation-gpos.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-gpos",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design-example",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/server-isolation-policy-design",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/troubleshooting-uwp-firewall.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/troubleshooting-uwp-firewall",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/verify-that-network-traffic-is-authenticated",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-deployment-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security-design-guide",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security.md",
"redirect_url": "/windows/security/operating-system-security/network-security/windows-firewall/windows-firewall-with-advanced-security",
"redirect_document_id": false
}
]
}

115
education/windows/federated-sign-in.md
View File

@ -1,7 +1,7 @@
---
title: Configure federated sign-in for Windows devices
description: Description of federated sign-in feature for the Education SKUs of Windows 11 and how to configure it via Intune or provisioning packages.
ms.date: 04/24/2023
ms.date: 05/01/2023
ms.topic: how-to
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
@ -35,36 +35,45 @@ To implement federated sign-in, the following prerequisites must be met:
- For a step-by-step guide on how to configure **Google Workspace** as an identity provider for Azure AD, see [Configure federation between Google Workspace and Azure AD](configure-aad-google-trust.md)
- For a step-by-step guide on how to configure **Clever** as an identity provider for Azure AD, see [Setup guide for Badges into Windows and Azure AD][EXT-1]
1. Individual IdP accounts created: each user will require an account defined in the third-party IdP platform
1. Individual Azure AD accounts created: each user will require a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
1. Individual IdP accounts created: each user requires an account defined in the third-party IdP platform
1. Individual Azure AD accounts created: each user requires a matching account defined in Azure AD. These accounts are commonly created through automated solutions, for example:
- [School Data Sync (SDS)][SDS-1]
- [Azure AD Connect sync][AZ-3] for environment with on-premises AD DS
- PowerShell scripts that call the [Microsoft Graph API][GRAPH-1]
- provisioning tools offered by the IdP
For more information about identity matching, see [Identity matching in Azure AD](#identity-matching-in-azure-ad).
1. Licenses assigned to the Azure AD user accounts. It's recommended to assign licenses to a dynamic group: when new users are provisioned in Azure AD, the licenses are automatically assigned. For more information, see [Assign licenses to users by group membership in Azure Active Directory][AZ-2]
1. Enable federated sign-in on the Windows devices
To use federated sign-in, the devices must have Internet access. This feature won't work without it, as the authentication is done over the Internet.
To use federated sign-in, the devices must have Internet access. This feature doesn't work without it, as the authentication is done over the Internet.
> [!IMPORTANT]
> WS-Fed is the only supported federated protocol to join a device to Azure AD. If you have a SAML 2.0 IdP, it's recommended to complete the Azure AD join process using one of the following methods:
> - provisioning packages (PPKG)
> - Provisioning packages (PPKG)
> - Windows Autopilot self-deploying mode
[!INCLUDE [federated-sign-in](../../includes/licensing/federated-sign-in.md)]
## System requirements
Federated sign-in is supported on the following Windows editions and versions:
Federated sign-in for student assigned (1:1) devices is supported on the following Windows editions and versions:
- Windows 11 SE, version 22H2 and later
- Windows 11 Pro Edu/Education, version 22H2 with [KB5022913][KB-1]
Federated sign-in for shared devices is supported starting in Windows 11 SE/Pro Edu/Education, version 22H2 with [KB5026446][KB-2].
## Configure federated sign-in
To use web sign-in with a federated identity provider, your devices must be configured with different policies. Follow the instructions below to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
You can configure federated sign-in for student assigned (1:1) devices or student shared devices:
- When federated sign-in is configured for **student assigned (1:1) devices**, the first user who signs in to the device with a federated identity becomes the *primary user*. The primary user is always displayed in the bottom left corner of the sign-in screen
- When federated sign-in is configured for **student shared devices**, there's no primary user. The sign-in screen displays, by default, the last user who signed in to the device
The configuration is different for each scenario, and is described in the following sections.
### Configure federated sign-in for student assigned (1:1) devices
To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
@ -74,9 +83,9 @@ To configure federated sign-in using Microsoft Intune, [create a custom profile]
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Data type: **String** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Data type: **String** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
:::image type="content" source="images/federated-sign-in-settings-intune.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-intune.png" border="true":::
@ -90,14 +99,54 @@ To configure federated sign-in using a provisioning package, use the following s
| Setting |
|--------|
| <li> Path: **`Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`FederatedAuthentication/EnableWebSignInForPrimaryUser`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> Path: **`Policies/Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
:::image type="content" source="images/federated-sign-in-settings-ppkg.png" alt-text="Custom policy showing the settings to be configured to enable federated sign-in" lightbox="images/federated-sign-in-settings-ppkg.png" border="true":::
Apply the provisioning package to the devices that require federated sign-in.
Apply the provisioning package to the single-user devices that require federated sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
---
### Configure federated sign-in for student shared devices
To use web sign-in with a federated identity provider, your devices must be configured with different policies. Review the following instructions to configure your shared devices using either Microsoft Intune or a provisioning package (PPKG).
#### [:::image type="icon" source="images/icons/intune.svg"::: **Intune**](#tab/intune)
To configure federated sign-in using Microsoft Intune, [create a custom profile][MEM-1] with the following settings:
[!INCLUDE [intune-custom-settings-1](includes/intune-custom-settings-1.md)]
| Setting |
|--------|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Education/IsEducationEnvironment`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/SharedPC/EnableSharedPCModeWithOneDriveSync`** </li><li>Data type: **Boolean** </li><li>Value: **True**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/EnableWebSignIn`** </li><li>Data type: **Integer** </li><li>Value: **1**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Data type: **String** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> OMA-URI: **`./Vendor/MSFT/Policy/Config/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Data type: **String** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
[!INCLUDE [intune-custom-settings-2](includes/intune-custom-settings-2.md)]
[!INCLUDE [intune-custom-settings-info](includes/intune-custom-settings-info.md)]
#### [:::image type="icon" source="images/icons/provisioning-package.svg"::: **PPKG**](#tab/ppkg)
To configure federated sign-in using a provisioning package, use the following settings:
| Setting |
|--------|
| <li> Path: **`Education/IsEducationEnvironment`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`SharedPC/EnableSharedPCModeWithOneDriveSync`** </li><li>Value: **True**</li>|
| <li> Path: **`Policies/Authentication/EnableWebSignIn`** </li><li>Value: **Enabled**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebSignInAllowedUrls`** </li><li>Value: Semicolon separated list of domains, for example: **`samlidp.clever.com;clever.com;mobile-redirector.clever.com`**</li>|
| <li> Path: **`Policies/Authentication/ConfigureWebCamAccessDomainNames`** </li><li>Value: This setting is optional, and it should be configured if you need to use the webcam during the sign-in process. Specify the list of domains that are allowed to use the webcam during the sign-in process, separated by a semicolon. For example: **`clever.com`**</li>|
Apply the provisioning package to the shared devices that require federated sign-in.
> [!IMPORTANT]
> There was an issue affecting Windows 11, version 22H2 when using provisioning packages during OOBE. The issue was fixed with the KB5020044 update. If you plan to configure federated sign-in with a provisioning package during OOBE, ensure that the devices have the update installed. For more information, see [KB5020044][KB-1].
@ -108,20 +157,41 @@ Apply the provisioning package to the devices that require federated sign-in.
Once the devices are configured, a new sign-in experience becomes available.
As the end users enter their username, they'll be redirected to the identity provider sign-in page. Once users are authenticated by the IdP, they'll be signed-in. In the following animation, you can see how the first sign-in process works:
As users enter their username, they're redirected to the identity provider sign-in page. Once the Idp authenticates the users, they're signed-in. In the following animation, you can observe how the first sign-in process works for a student assigned (1:1) device:
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Windows 11 SE sign-in using federated sign-in through Clever and QR code badge." border="false":::
:::image type="content" source="./images/win-11-se-federated-sign-in.gif" alt-text="Windows 11 SE sign-in using federated sign-in through Clever and QR code badge, in a student assigned (1:1) device." border="false":::
> [!IMPORTANT]
> Once the policy is enabled, the first user to sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
> For student assigned (1:1) devices, once the policy is enabled, the first user who sign-in to the device will also set the disambiguation page to the identity provider domain on the device. This means that the device will be defaulting to that IdP. The user can exit the federated sign-in flow by pressing <kbd>Ctrl</kbd>+<kbd>Alt</kbd>+<kbd>Delete</kbd> to get back to the standard Windows sign-in screen.
> The behavior is different for student shared devices, where the disambiguation page is always shown, unless preferred Azure AD tenant name is configured.
## Important considerations
Federated sign-in doesn't work on devices that have the following settings enabled:
### Known issues affecting student assigned (1:1) devices
- **EnableSharedPCMode**, which is part of the [SharedPC CSP][WIN-1]
Federated sign-in for student assigned (1:1) devices doesn't work with the following settings enabled:
- **EnableSharedPCMode** or **EnableSharedPCModeWithOneDriveSync**, which are part of the [SharedPC CSP][WIN-1]
- **Interactive logon: do not display last signed in**, which is a security policy part of the [Policy CSP][WIN-2]
- **Take a Test**, since it uses the security policy above
- **Take a Test** in kiosk mode, since it uses the security policy above
### Known issues affecting student shared devices
The following issues are known to affect student shared devices:
- Non-federated users can't sign-in to the devices, including local accounts
- **Take a Test** in kiosk mode, since it uses a local guest account to sign in
### Account management
For student shared devices, it's recommended to configure the account management policies to automatically delete the user profiles after a certain period of inactivity or disk levels. For more information, see [Set up a shared or guest Windows device][WIN-3].
### Preferred Azure AD tenant name
To improve the user experience, you can configure the *preferred Azure AD tenant name* feature.\
When using preferred AAD tenant name, the users bypass the disambiguation page and are redirected to the identity provider sign-in page. This configuration can be especially useful for student shared devices, where the disambiguation page is always shown.
For more information about preferred tenant name, see [Authentication CSP - PreferredAadTenantDomainName][WIN-4].
### Identity matching in Azure AD
@ -131,7 +201,7 @@ After the token sent by the IdP is validated, Azure AD searches for a matching u
> [!NOTE]
> The ImmutableId is a string value that **must be unique** for each user in the tenant, and it shouldn't change over time. For example, the ImmutableId could be the student ID or SIS ID. The ImmutableId value should be based on the federation setup and configuration with your IdP, so confirm with your IdP before setting it.
If the matching object is found, the user is signed-in. If not, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
If the matching object is found, the user is signed-in. Otherwise, the user is presented with an error message. The following picture shows that a user with the ImmutableId *260051* can't be found:
:::image type="content" source="images/federation/user-match-lookup-failure.png" alt-text="Azure AD sign-in error: a user with a matching ImmutableId can't be found in the tenant." lightbox="images/federation/user-match-lookup-failure.png":::
@ -182,6 +252,9 @@ Update-MgUser -UserId alton@example.onmicrosoft.com -UserPrincipalName alton@exa
[SDS-1]: /schooldatasync
[KB-1]: https://support.microsoft.com/kb/5022913
[KB-2]: https://support.microsoft.com/kb/5026446
[WIN-1]: /windows/client-management/mdm/sharedpc-csp
[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin
[WIN-2]: /windows/client-management/mdm/policy-csp-localpoliciessecurityoptions#localpoliciessecurityoptions-interactivelogon-donotdisplaylastsignedin
[WIN-3]: /windows/configuration/set-up-shared-or-guest-pc
[WIN-4]: /windows/client-management/mdm/policy-csp-authentication#preferredaadtenantdomainname

104
windows/client-management/mdm/assignedaccess-csp.md
View File

@ -72,6 +72,8 @@ In **Windows 10, version 1803** the Configuration node introduces single app kio
In **Windows 10, version 1909**, Microsoft Edge kiosk mode support was added. This allows Microsoft Edge to be the specified kiosk application. For details about configuring Microsoft Edge kiosk mode, see [Configure a Windows 10 kiosk that runs Microsoft Edge](/DeployEdge/microsoft-edge-configure-kiosk-mode). Windows 10, version 1909 also allows for configuration of the breakout sequence. The breakout sequence specifies the keyboard shortcut that returns a kiosk session to the lock screen. The breakout sequence is defined with the format modifiers + keys. An example breakout sequence would look something like `shift+alt+a`, where `shift` and `alt` are the modifiers and `a` is the key.
In **Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446)**, AssignedAccessConfiguration schema was updated to add StartPins and TaskbarLayout nodes to support pinning apps to the Start Menu and Taskbar respectively.
- For more information about setting up a multi-app kiosk, see [Create a Windows 10 kiosk that runs multiple apps](/windows/configuration/lock-down-windows-10-to-specific-apps).
- For more information on the schema, see [AssignedAccessConfiguration XSD](#assignedaccessconfiguration-xsd).
- For examples, see [AssignedAccessConfiguration examples](#assignedaccessconfiguration-examples).
@ -175,7 +177,7 @@ This node supports Add, Delete, Replace and Get methods. When there's no configu
> [!IMPORTANT]
>
> - In Windows 10, version 1803, the Configuration node introduces single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in config xml for Configuration node to configure public-facing single app Kiosk.
> - In Windows 10, version 1803, the Configuration node introduced single app kiosk profile to replace KioskModeApp CSP node. KioskModeApp node will be deprecated soon, so you should use the single app kiosk profile in configuration xml for Configuration node to configure public-facing single app Kiosk.
> - Additionally, starting in Windows 10, version 1803, the KioskModeApp node becomes No-Op if Configuration node is configured on the device. Add/Replace/Delete commands on KioskModeApp node always returns SUCCESS to the MDM server if Configuration node is set, but the data of KioskModeApp will not take any effect on the device. Get command on KioskModeApp will return the configured JSON string even it's not effective.
> - You can't set both KioskModeApp and ShellLauncher at the same time on the device.
<!-- Device-KioskModeApp-Editable-End -->
@ -1043,6 +1045,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
xmlns:rs5="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v4="http://schemas.microsoft.com/AssignedAccess/2021/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config"
targetNamespace="http://schemas.microsoft.com/AssignedAccess/2017/config"
>
@ -1072,7 +1075,9 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
<xs:element name="AllAppsList" type="allappslist_t" minOccurs="1" maxOccurs="1"/>
<xs:element ref="rs5:FileExplorerNamespaceRestrictions" minOccurs="0" maxOccurs="1"/>
<xs:element name="StartLayout" type="xs:string" minOccurs="0" maxOccurs="1"/>
<xs:element ref="v5:StartPins" minOccurs="0" maxOccurs="1"/>
<xs:element name="Taskbar" type="taskbar_t" minOccurs="1" maxOccurs="1"/>
<xs:element ref="v5:TaskbarLayout" minOccurs="0" maxOccurs="1"/>
</xs:sequence>
<xs:sequence minOccurs="1" maxOccurs="1">
<xs:element name="KioskModeApp" type="kioskmodeapp_t" minOccurs="1" maxOccurs="1">
@ -1229,7 +1234,7 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
</xs:schema>);
```
- Schema for features introduced in Windows 10, version 1909 which added support for Microsoft Edge kiosk mode and breakout key sequence customization.
- Schema for features introduced in Windows 10, version 1809 which added support for Microsoft Edge kiosk mode and breakout key sequence customization.
```xml
<?xml version="1.0" encoding="utf-8"?>
@ -1351,6 +1356,101 @@ By default, the StatusConfiguration node doesn't exist, and it implies this feat
> </AssignedAccessConfiguration>
> ```
- Example XML configuration for a multi-app kiosk for Windows 11, version 22H2 with [KB5026446](https://support.microsoft.com/kb/5026446).
> [!NOTE]
> This example demonstrates the use of StartPins and TaskbarLayout elements. For more information, see [Set up a multi-app kiosk on Windows 11 devices](/windows/configuration/lock-down-windows-11-to-specific-apps).
>
> - StartPins element is used to pin apps to the Start menu and uses the [pinnedList JSON](/windows/configuration/customize-start-menu-layout-windows-11#get-the-pinnedlist-json) format.
> - TaskbarLayout element is used to pin apps to the taskbar and uses the [TaskbarLayoutModification XML](/windows/configuration/customize-taskbar-windows-11#create-the-xml-file) format.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config"
xmlns:v2="http://schemas.microsoft.com/AssignedAccess/201810/config"
xmlns:v3="http://schemas.microsoft.com/AssignedAccess/2020/config"
xmlns:v5="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!BCHost" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!ContentProcess" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!F12" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<App AppUserModelId="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!PdfReader" />
<App DesktopAppPath="%SystemRoot%\system32\notepad.exe" />
<App DesktopAppPath="%SystemRoot%\system32\control.exe" />
<App DesktopAppPath="%SystemRoot%\system32\cmd.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge.exe" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\msedge_proxy.exe" />
<App AppUserModelId="Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%ProgramFiles(x86)%\Microsoft\Edge\Application\103.0.1264.62\identity_helper.exe" />
</AllowedApps>
</AllAppsList>
<v2:FileExplorerNamespaceRestrictions>
<v3:NoRestriction />
</v2:FileExplorerNamespaceRestrictions>
<StartLayout>
<![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1"
xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
<LayoutOptions StartTileGroupCellWidth="6" />
<DefaultLayoutOverride>
<StartLayoutCollection>
<defaultlayout:StartLayout GroupCellWidth="6">
<start:Group Name="Life at a glance">
<start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<start:Tile Size="4x2" Column="0" Row="4" AppUserModelID="Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%AppData%\Microsoft\Windows\Start Menu\Programs\Accessories\notepad.lnk" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%SystemRoot%\system32\cmd.exe" />
<start:DesktopApplicationTile Size="2x2" Column="2" Row="0" DesktopApplicationLinkPath="%SystemRoot%\system32\control.exe" />
</start:Group>
</defaultlayout:StartLayout>
</StartLayoutCollection>
</DefaultLayoutOverride>
</LayoutModificationTemplate>]]>
</StartLayout>
<v5:StartPins>
<![CDATA[{
"pinnedList": [
{ "desktopAppId": "MSEdge" },
{ "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" },
{ "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" },
{ "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" },
{ "desktopAppLink": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\File Explorer.lnk" },
{ "desktopAppLink": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk" }
]
}]]>
</v5:StartPins>
<Taskbar ShowTaskbar="true"/>
<v5:TaskbarLayout>
<![CDATA[<LayoutModificationTemplate xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification"
xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout"
xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout"
xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout" Version="1">
<CustomTaskbarLayoutCollection PinListPlacement="Replace">
<defaultlayout:TaskbarLayout>
<taskbar:TaskbarPinList>
<taskbar:DesktopApp DesktopApplicationID="Microsoft.Windows.Explorer" />
<taskbar:DesktopApp DesktopApplicationLinkPath="%APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk" />
</taskbar:TaskbarPinList>
</defaultlayout:TaskbarLayout>
</CustomTaskbarLayoutCollection>
</LayoutModificationTemplate>]]>
</v5:TaskbarLayout>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{5B328104-BD89-4863-AB27-4ED6EE355485}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
- Example XML configuration for a multi-app kiosk for Windows 10.
```xml

4
windows/configuration/TOC.yml
View File

@ -66,8 +66,10 @@
href: setup-digital-signage.md
- name: Set up a single-app kiosk
href: kiosk-single-app.md
- name: Set up a multi-app kiosk
- name: Set up a multi-app kiosk for Windows 10
href: lock-down-windows-10-to-specific-apps.md
- name: Set up a multi-app kiosk for Windows 11
href: lock-down-windows-11-to-specific-apps.md
- name: Kiosk reference information
items:
- name: More kiosk methods and reference information

383
windows/configuration/lock-down-windows-11-to-specific-apps.md Normal file
View File

@ -0,0 +1,383 @@
---
title: Set up a multi-app kiosk on Windows 11
description: Learn how to configure a kiosk device running Windows 11 so that users can only run a few specific apps.
ms.prod: windows-client
ms.technology: itpro-configure
author: lizgt2000
ms.author: lizlong
ms.date: 05/12/2023
manager: aaroncz
ms.reviewer: sybruckm
ms.localizationpriority: medium
ms.topic: how-to
---
# Set up a multi-app kiosk on Windows 11 devices
**Applies to**
- Windows 11 Pro, Enterprise, and Education
> [!NOTE]
> The use of multiple monitors isn't supported for multi-app kiosk mode.
An assigned access multi-app kiosk runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. A multi-app kiosk is appropriate for devices that are shared by multiple people. Here's a guide on how to set up a multi-app kiosk.
> [!WARNING]
> The assigned access feature is intended for corporate-owned fixed-purpose devices, like kiosks. When the multi-app assigned access configuration is applied on the device, [certain policies](kiosk-policies.md) are enforced system-wide, and will impact other users on the device. Deleting the kiosk configuration will remove the assigned access lockdown profiles associated with the users, but it cannot revert all the enforced policies (such as Start layout). A factory reset is needed to clear all the policies enforced via assigned access.
> [!TIP]
> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
## Configure a Multi-App Kiosk
See the table below for the different methods to configure a multi-app kiosk in Windows 11.
|Configuration Method|Availability|
|--------------------|------------|
|[MDM WMI Bridge Provider](#configure-a-kiosk-using-wmi-bridge) | Available May 2023|
|Intune|Coming soon|
|Provisioning Package Using Windows Configuration Designer| Coming soon|
> [!NOTE]
> For WMI Bridge/PowerShell and Provisioning package methods, you will need to create your own multi-app kiosk XML file as specified below.
## Create the XML file
Let's start by looking at the basic structure of the XML file.
- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout.
- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**.
- Multiple config sections can be associated to the same profile.
- A profile has no effect if it's not associated to a config section.
You can start your file by pasting the following XML into an XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this article.
> [!NOTE]
> If you want to write a configuration file to be applied to both Windows 10 and Windows 11 devices, follow the [Windows 10 instructions](lock-down-windows-10-to-specific-apps.md) to add the StartLayout tag to your XML file, just above the StartPins tag. Windows will automatically ignore the sections that don't apply to the version running.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="">
<AllAppsList>
<AllowedApps/>
</AllAppsList>
<win11:StartPins/>
<Taskbar/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account/>
<DefaultProfile Id=""/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```
#### Profile
There are two types of profiles that you can specify in the XML:
- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen.
- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile won't see the desktop, but only the kiosk app running in full-screen mode.
A lockdown profile section in the XML has the following entries:
- [**Id**](#id)
- [**AllowedApps**](#allowedapps)
- [**StartPins**](#startpins)
- [**Taskbar**](#taskbar)
A kiosk profile in the XML has the following entries:
- [**Id**](#id)
- [**KioskModeApp**](#kioskmodeapp)
##### Id
The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file.
```xml
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"></Profile>
</Profiles>
```
##### AllowedApps
**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#create-the-xml-file).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of `%variableName%`. For example, `%systemroot%` or `%windir%`.
- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both `"C:\Program Files\internet explorer\iexplore.exe"` and `"C:\Program Files (x86)\Internet Explorer\iexplore.exe"`.
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample).
When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**:
1. Default rule is to allow all users to launch the signed package apps.
2. The package app blocklist is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the blocklist. This list will exclude the default allowed inbox package apps, which are critical for the system to function. It then excludes the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This blocklist will be used to prevent the user from accessing the apps that are currently available for the user but not in the allowed list.
> [!NOTE]
> You can't manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh994629(v=ws.11)#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration.
> Multi-app kiosk mode doesn't block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the blocklist. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list.
Here are the predefined assigned access AppLocker rules for **desktop apps**:
1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs.
2. There's a predefined inbox desktop app blocklist for the assigned access user account, and this blocklist is adjusted based on the desktop app allowlist that you defined in the multi-app configuration.
3. Enterprise-defined allowed desktop apps are added in the AppLocker allowlist.
The following example allows Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in.
<span id="apps-sample" />
```xml
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" rs5:AutoLaunch="true" rs5:AutoLaunchArguments="123.txt">
</AllowedApps>
</AllAppsList>
```
##### StartPins
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. Once you've decided, you can get the JSON needed for your kiosk configuration by following the steps to [Get the pinnedList JSON](customize-and-export-start-layout.md). If you opt to do this using the PowerShell command, make sure that the system you run the command on has the same file structure as the device on which you will apply the kiosk (the path to the allowed apps must be the same). At the end of this step, you should have a JSON pinnedList that looks something like the below.
Add your pinnedList JSON into the StartPins tag in your XML file.
```xml
<win11:StartPins>
<![CDATA[
{ "pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Paint.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Notepad.lnk"}
] }
]]>
</win11:StartPins>
```
> [!NOTE]
> If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.
##### Taskbar
Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don't attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want.
The following example exposes the taskbar to the end user:
```xml
<Taskbar ShowTaskbar="true"/>
```
The following example hides the taskbar:
```xml
<Taskbar ShowTaskbar="false"/>
```
> [!NOTE]
> This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden.
##### KioskModeApp
**KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML.
```xml
<KioskModeApp AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"/>
```
> [!IMPORTANT]
> The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information.
#### Configs
Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced. This behavior includes the allowed apps, Start layout, taskbar configuration, and other local group policies or mobile device management (MDM) policies set as part of the multi-app experience.
The full multi-app assigned access experience can only work for non-admin users. It's not supported to associate an admin user with the assigned access profile. Making this configuration in the XML file will result in unexpected or unsupported experiences when this admin user signs in.
You can assign:
- [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only)
- [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts)
- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only).
> [!NOTE]
> Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request.
##### Config for AutoLogon Account
When you use `<AutoLogonAccount>` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart.
The following example shows how to specify an account to sign in automatically.
```xml
<Configs>
<Config>
<AutoLogonAccount/>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
```xml
<Configs>
<Config>
<AutoLogonAccount rs5:DisplayName="Hello World"/>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).)
>[!IMPORTANT]
>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon).
##### Config for individual accounts
Individual accounts are specified using `<Account>`.
- Local account can be entered as `machinename\account` or `.\account` or just `account`.
- Domain account should be entered as `domain\account`.
- Azure AD account must be specified in this format: `AzureAD\{email address}`. **AzureAD** must be provided _as is_, and consider it's a fixed domain name. Then follow with the Azure AD email address. For example, `AzureAD\someone@contoso.onmicrosoft.com`
> [!WARNING]
> Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so.
Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail.
> [!NOTE]
> For both domain and Azure AD accounts, it's not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access.
```xml
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
```
##### Config for group accounts
Group accounts are specified using `<UserGroup>`. Nested groups aren't supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in `<Config/>`, user A won't have the kiosk experience.
- Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group won't have the kiosk settings applied.
```xml
<Config>
<UserGroup Type="LocalGroup" Name="mygroup" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
- Domain group: Both security and distribution groups are supported. Specify the group type as <strong>ActiveDirectoryGroup</strong>. Use the domain name as the prefix in the name attribute.
```xml
<Config>
<UserGroup Type="ActiveDirectoryGroup" Name="mydomain\mygroup" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
- Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign-in.
```xml
<Config>
<UserGroup Type="AzureActiveDirectoryGroup" Name="a8d36e43-4180-4ac5-a627-fb8149bba1ac" />
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
```
> [!NOTE]
> If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out.
<span id="add-xml" />
## Configure a kiosk using WMI Bridge
Environments that use [Windows Management Instrumentation (WMI)](/windows/win32/wmisdk/wmi-start-page) can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the MDM_AssignedAccess class.
Here's an example of how to set AssignedAccess configuration:
1. Download the [psexec tool](/sysinternals/downloads/psexec).
2. Run `psexec.exe -i -s cmd.exe`.
3. In the command prompt launched by psexec.exe, enter `powershell.exe` to open PowerShell.
4. Run the following script replacing the placeholder "your XML here, with the [XML](#create-the-xml-file) you created above.
```xml
$nameSpaceName="root\cimv2\mdm\dmmap"
$className="MDM_AssignedAccess"
$obj = Get-CimInstance -Namespace $namespaceName -ClassName $className
Add-Type -AssemblyName System.Web
$obj.Configuration = [System.Web.HttpUtility]::HtmlEncode(@"
<your XML here>
"@)
Set-CimInstance -CimInstance $obj
```
## Sample Assigned Access XML
Compare the below to your XML file to check for correct formatting.
```xml
<?xml version="1.0" encoding="utf-8" ?>
<AssignedAccessConfiguration
xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config" xmlns:win11="http://schemas.microsoft.com/AssignedAccess/2022/config">
<Profiles>
<Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
<AllAppsList>
<AllowedApps>
<App AppUserModelId="Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic" />
<App AppUserModelId="Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo" />
<App AppUserModelId="Microsoft.Windows.Photos_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.BingWeather_8wekyb3d8bbwe!App" />
<App AppUserModelId="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App" />
<App DesktopAppPath="%windir%\system32\mspaint.exe" />
<App DesktopAppPath="C:\Windows\System32\notepad.exe" />
</AllowedApps>
</AllAppsList>
<win11:StartPins>
<![CDATA[
{ "pinnedList":[
{"packagedAppId":"Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App"},
{"packagedAppId":"Microsoft.ZuneMusic_8wekyb3d8bbwe!Microsoft.ZuneMusic"},
{"packagedAppId":"Microsoft.ZuneVideo_8wekyb3d8bbwe!Microsoft.ZuneVideo"},
{"packagedAppId":"Microsoft.BingWeather_8wekyb3d8bbwe!App"},
{"desktopAppLink":"%ALLUSERSPROFILE%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Paint.lnk"},
{"desktopAppLink":"%APPDATA%\\Microsoft\\Windows\\StartMenu\\Programs\\Accessories\\Notepad.lnk"}
] }
]]>
</win11:StartPins>
<Taskbar ShowTaskbar="true"/>
</Profile>
</Profiles>
<Configs>
<Config>
<Account>MultiAppKioskUser</Account>
<DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
</Config>
</Configs>
</AssignedAccessConfiguration>
```

19
windows/security/docfx.json
View File

@ -71,11 +71,13 @@
"fileMetadata": {
"author":{
"identity-protection/**/*.md": "paolomatarazzo",
"threat-protection/windows-firewall/**/*.md": "aczechowski"
"operating-system-security/network-security/**/*.md": "paolomatarazzo",
"operating-system-security/network-security/windows-firewall/**/*.md": "ngangulyms"
},
"ms.author":{
"identity-protection/**/*.md": "paoloma",
"threat-protection/windows-firewall/*.md": "aaroncz"
"operating-system-security/network-security/**/*.md": "paoloma",
"operating-system-security/network-security/windows-firewall/*.md": "nganguly"
},
"appliesto":{
"identity-protection/**/*.md": [
@ -109,14 +111,21 @@
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
],
"operating-system-security/network-security/windows-firewall/**/*.md": [
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 11</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/supported-versions-windows-client\" target=\"_blank\">Windows 10</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2022</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2019</a>",
"✅ <a href=\"https://learn.microsoft.com/windows/release-health/windows-server-release-info\" target=\"_blank\">Windows Server 2016</a>"
]
},
"ms.reviewer":{
"identity-protection/hello-for-business/*.md": "erikdau",
"identity-protection/credential-guard/*.md": "zwhittington",
"identity-protection/access-control/*.md": "sulahiri",
"threat-protection/windows-firewall/*.md": "paoloma",
"identity-protection/vpn/*.md": "pesmith"
"operating-system-security/network-security/windows-firewall/*.md": "paoloma",
"operating-system-security/network-security/vpn/*.md": "pesmith"
},
"ms.collection":{
"identity-protection/hello-for-business/*.md": "tier1",
@ -126,7 +135,7 @@
"information-protection/tpm/*.md": "tier1",
"threat-protection/auditing/*.md": "tier3",
"threat-protection/windows-defender-application-control/*.md": "tier3",
"threat-protection/windows-firewall/*.md": "tier3"
"operating-system-security/network-security/windows-firewall/*.md": "tier3"
}
},
"template": [],

2
windows/security/identity-protection/hello-for-business/hello-faq.yml
View File

@ -207,7 +207,7 @@ sections:
questions:
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
answer: |
Yes. Starting with Windows 10, version 21H1 an external Windows Hello compatible camera can be used if a device already supports an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). However, using external Hello cameras and accessories is restricted if ESS is enabled, please see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security#pluggableperipheral-biometric-sensors).
Yes, you can use an external Windows Hello compatible camera if a device has an internal Windows Hello camera. When both cameras are present, the external camera is used for face authentication. For more information, see [IT tools to support Windows 10, version 21H1](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/it-tools-to-support-windows-10-version-21h1/ba-p/2365103). If ESS is enabled, see [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security).
- question: Can I use an external Windows Hello compatible camera or other Windows Hello compatible accessory when my laptop lid is closed or docked?
answer: |
Some laptops and tablets with keyboards that close may not use an external Windows Hello compatible camera or other Windows Hello compatible accessory when the computer is docked with the lid closed. The issue has been addressed in Windows 11, version 22H2.

17
windows/security/identity-protection/user-account-control/user-account-control-overview.md
View File

@ -1,14 +1,14 @@
---
title: User Account Control
description: User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop.
title: User Account Control overview
description: Learn about User Account Control (UAC) and how it helps preventing malware from damaging a device and helps organizations deploy a better-managed desktop.
ms.collection:
- highpri
- tier2
ms.topic: article
ms.date: 09/24/2011
ms.topic: conceptual
ms.date: 05/18/2023
---
# User Account Control
# User Account Control overview
User Account Control (UAC) helps prevent malware from damaging a PC and helps organizations deploy a better-managed desktop. With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system. UAC can block the automatic installation of unauthorized apps and prevent inadvertent changes to system settings.
@ -24,14 +24,13 @@ When an app needs to run with more than standard user rights, UAC allows users t
Admin Approval Mode in UAC helps prevent malware from silently installing without an administrator's knowledge. It also helps protect from inadvertent system-wide changes. Lastly, it can be used to enforce a higher level of compliance where administrators must actively consent or provide credentials for each administrative process.
## Next steps
## In this section
Learn more about UAC and how to configure it for your organization.
| Topic | Description |
| - | - |
| [How User Account Control works](how-user-account-control-works.md) | User Account Control (UAC) is a fundamental component of Microsoft's overall security vision. UAC helps mitigate the impact of malware. |
| [User Account Control security policy settings](user-account-control-security-policy-settings.md) | You can use security policies to configure how User Account Control works in your organization. They can be configured locally by using the Local Security Policy snap-in (secpol.msc) or configured for the domain, OU, or specific groups by Group Policy. |
| [User Account Control Group Policy and registry key settings](user-account-control-group-policy-and-registry-key-settings.md) | Here's a list of UAC Group Policy and registry key settings that your organization can use to manage UAC. |

BIN
windows/security/identity-protection/vpn/images/vpn-app-rules.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 21 KiB

BIN
windows/security/identity-protection/vpn/images/vpn-app-trigger.PNG
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 23 KiB

BIN
windows/security/identity-protection/vpn/images/vpn-connection-intune.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 55 KiB

BIN
windows/security/identity-protection/vpn/images/vpn-eap-xml.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 11 KiB

BIN
windows/security/identity-protection/vpn/images/vpn-name-intune.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 14 KiB

BIN
windows/security/identity-protection/vpn/images/vpn-split-route.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 22 KiB

BIN
windows/security/identity-protection/vpn/images/vpn-split.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

BIN
windows/security/identity-protection/vpn/images/vpn-traffic-rules.png
View File

Binary file not shown.
Side by Side

Before

Width:  |  Height:  |  Size: 13 KiB

59
windows/security/identity-protection/vpn/vpn-routing.md
View File

@ -1,59 +0,0 @@
---
ms.date: 09/23/2021
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: conceptual
---
# VPN routing decisions
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). This decision impacts the configuration and the capacity planning, as well as security expectations from the connection.
## Split tunnel configuration
In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface.
Routes can be configured using the VPNv2/*ProfileName*/RouteList setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
For each route item in the list, the following can be specified:
- **Address**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Address
- **Prefix size**: VPNv2/*ProfileName*/RouteList/*routeRowId*/Prefix
- **Exclusion route**: VPNv2/*ProfileName*/RouteList/*routeRowId*/ExclusionRoute
Windows VPN platform now supports the ability to specify exclusion routes that specifically should not go over the physical interface.
Routes can also be added at connect time through the server for UWP VPN apps.
## Force tunnel configuration
In a force tunnel configuration, all traffic will go over VPN. This is the default configuration and takes effect if no routes are specified.
The only implication of this setting is the manipulation of routing entries. In the case of a force tunnel, VPN V4 and V6 default routes (for example. 0.0.0.0/0) are added to the routing table with a lower metric than ones for other interfaces. This sends traffic through the VPN as long as there isn't a specific route on the physical interface itself.
For built-in VPN, this decision is controlled using the MDM setting **VPNv2/ProfileName/NativeProfile/RoutingPolicyType**.
For a UWP VPN plug-in, this property is directly controlled by the app. If the VPN plug-in indicates the default route for IPv4 and IPv6 as the only two Inclusion routes, the VPN platform marks the connection as Force Tunneled.
## Configure routing
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
![split tunnel.](images/vpn-split.png)
Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.
![add route for split tunnel.](images/vpn-split-route.png)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

84
windows/security/identity-protection/vpn/vpn-security-features.md
View File

@ -1,84 +0,0 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
ms.date: 07/21/2022
ms.topic: conceptual
---
# VPN security features
## Hyper-V based containers and VPN
Windows supports different kinds of Hyper-V based containers. This support includes, but isn't limited to, Microsoft Defender Application Guard and Windows Sandbox. When you use 3rd party VPN solutions, these Hyper-V based containers may not be able to seamlessly connect to the internet. Additional configurational changes might be needed to resolve connectivity issues.
For example, for more information on a workaround for Cisco AnyConnect VPN, see [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f).
## Windows Information Protection (WIP) integration with VPN
Windows Information Protection provides capabilities allowing the separation and protection of enterprise data against disclosure across both company and personally owned devices, without requiring additional changes to the environments or the apps themselves. Additionally, when used with Rights Management Services (RMS), WIP can help to protect enterprise data locally.
The **EdpModeId** node in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) allows a Windows 10 or Windows 11 VPN client to integrate with WIP, extending its functionality to remote devices. Use case scenarios for WIP include:
- Core functionality: File encryption and file access blocking
- UX policy enforcement: Restricting copy/paste, drag/drop, and sharing operations
- WIP network policy enforcement: Protecting intranet resources over the corporate network and VPN
- Network policy enforcement: Protecting SMB and Internet cloud resources over the corporate network and VPN
The value of the **EdpModeId** is an Enterprise ID. The networking stack will look for this ID in the app token to determine whether VPN should be triggered for that particular app.
Additionally, when connecting with WIP, the admin does not have to specify AppTriggerList and TrafficFilterList rules separately in this profile (unless more advanced configuration is needed) because the WIP policies and App lists automatically take effect.
[Learn more about Windows Information Protection](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip)
## Traffic Filters
Traffic Filters give enterprises the ability to decide what traffic is allowed into the corporate network based on policy. Network admins can use Traffic Filters to effectively add interface specific firewall rules on the VPN Interface. There are two types of Traffic Filter rules:
- App-based rules. With app-based rules, a list of applications can be marked to allow only traffic originating from these apps to go over the VPN interface.
- Traffic-based rules. Traffic-based rules are 5-tuple policies (ports, addresses, protocol) that can be specified to allow only traffic matching these rules to go over the VPN interface.
There can be many sets of rules which are linked by OR. Within each set, there can be app-based rules and traffic-based rules; all the properties within the set will be linked by AND. In addition, these rules can be applied at a per-app level or a per-device level.
For example, an admin could define rules that specify:
- The Contoso HR App must be allowed to go through the VPN and only access port 4545.
- The Contoso finance apps are allowed to go over the VPN and only access the Remote IP ranges of 10.10.0.40 - 10.10.0.201 on port 5889.
- All other apps on the device should be able to access only ports 80 or 443.
## Configure traffic filters
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.
![Add a traffic rule.](images/vpn-traffic-rules.png)
## LockDown VPN
A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
- The system attempts to keep the VPN connected at all times.
- The user cannot disconnect the VPN connection.
- The user cannot delete or modify the VPN profile.
- The VPN LockDown profile uses forced tunnel connection.
- If the VPN connection is not available, outbound network traffic is blocked.
- Only one VPN LockDown profile is allowed on a device.
> [!NOTE]
> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
Deploy this feature with caution, as the resultant connection will not be able to send or receive any network traffic without the VPN being connected.
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md)

55
windows/security/operating-system-security/network-security/toc.yml
View File

@ -1,40 +1,17 @@
items:
- name: Transport layer security (TLS)
href: /windows-server/security/tls/tls-ssl-schannel-ssp-overview
- name: WiFi Security
href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09
- name: Windows Firewall
href: ../../threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
- name: Virtual Private Network (VPN)
href: ../../identity-protection/vpn/vpn-guide.md
items:
- name: VPN connection types
href: ../../identity-protection/vpn/vpn-connection-type.md
- name: VPN routing decisions
href: ../../identity-protection/vpn/vpn-routing.md
- name: VPN authentication options
href: ../../identity-protection/vpn/vpn-authentication.md
- name: VPN and conditional access
href: ../../identity-protection/vpn/vpn-conditional-access.md
- name: VPN name resolution
href: ../../identity-protection/vpn/vpn-name-resolution.md
- name: VPN auto-triggered profile options
href: ../../identity-protection/vpn/vpn-auto-trigger-profile.md
- name: VPN security features
href: ../../identity-protection/vpn/vpn-security-features.md
- name: VPN profile options
href: ../../identity-protection/vpn/vpn-profile-options.md
- name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
href: ../../identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
- name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
href: ../../identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
- name: Optimizing Office 365 traffic with the Windows VPN client
href: ../../identity-protection/vpn/vpn-office-365-optimization.md
- name: Always On VPN
href: /windows-server/remote/remote-access/vpn/always-on-vpn/
- name: Direct Access
href: /windows-server/remote/remote-access/directaccess/directaccess
- name: Server Message Block (SMB) file service
href: /windows-server/storage/file-server/file-server-smb-overview
- name: Server Message Block Direct (SMB Direct)
href: /windows-server/storage/file-server/smb-direct
- name: Transport layer security (TLS) 🔗
href: /windows-server/security/tls/tls-ssl-schannel-ssp-overview
- name: WiFi Security
href: https://support.microsoft.com/windows/faster-and-more-secure-wi-fi-in-windows-26177a28-38ed-1a8e-7eca-66f24dc63f09
- name: Windows Firewall 🔗
href: windows-firewall/windows-firewall-with-advanced-security.md
- name: Virtual Private Network (VPN)
href: vpn/toc.yml
- name: Always On VPN 🔗
href: /windows-server/remote/remote-access/vpn/always-on-vpn/
- name: Direct Access 🔗
href: /windows-server/remote/remote-access/directaccess/directaccess
- name: Server Message Block (SMB) file service 🔗
href: /windows-server/storage/file-server/file-server-smb-overview
- name: Server Message Block Direct (SMB Direct) 🔗
href: /windows-server/storage/file-server/smb-direct

0
windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md → windows/security/operating-system-security/network-security/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
View File

0
windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md → windows/security/operating-system-security/network-security/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
View File

BIN
windows/security/operating-system-security/network-security/vpn/images/vpn-app-trigger.PNG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 228 KiB

BIN
windows/security/operating-system-security/network-security/vpn/images/vpn-connection-intune.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 176 KiB

0
windows/security/identity-protection/vpn/images/vpn-connection.png → windows/security/operating-system-security/network-security/vpn/images/vpn-connection.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 94 KiB

After

Width:  |  Height:  |  Size: 94 KiB

0
windows/security/identity-protection/vpn/images/vpn-custom-xml-intune.png → windows/security/operating-system-security/network-security/vpn/images/vpn-custom-xml-intune.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 12 KiB

After

Width:  |  Height:  |  Size: 12 KiB

0
windows/security/identity-protection/vpn/images/vpn-device-compliance.png → windows/security/operating-system-security/network-security/vpn/images/vpn-device-compliance.png
View File

Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 82 KiB

After

Width:  |  Height:  |  Size: 82 KiB

BIN
windows/security/operating-system-security/network-security/vpn/images/vpn-eap-xml.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 200 KiB

BIN
windows/security/operating-system-security/network-security/vpn/images/vpn-name-intune.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 254 KiB

BIN
windows/security/operating-system-security/network-security/vpn/images/vpn-split.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 168 KiB

BIN
windows/security/operating-system-security/network-security/vpn/images/vpn-traffic-rules.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 315 KiB

25
windows/security/operating-system-security/network-security/vpn/toc.yml Normal file
View File

@ -0,0 +1,25 @@
items:
- name: Overview
href: vpn-guide.md
- name: VPN connection types
href: vpn-connection-type.md
- name: VPN routing decisions
href: vpn-routing.md
- name: VPN authentication options
href: vpn-authentication.md
- name: VPN and conditional access
href: vpn-conditional-access.md
- name: VPN name resolution
href: vpn-name-resolution.md
- name: VPN auto-triggered profile options
href: vpn-auto-trigger-profile.md
- name: VPN security features
href: vpn-security-features.md
- name: VPN profile options
href: vpn-profile-options.md
- name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
href: how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
- name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
href: how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
- name: Optimizing Office 365 traffic with the Windows VPN client
href: vpn-office-365-optimization.md

2
windows/security/identity-protection/vpn/vpn-authentication.md → windows/security/operating-system-security/network-security/vpn/vpn-authentication.md
View File

@ -74,7 +74,7 @@ For a UWP VPN plug-in, the app vendor controls the authentication method to be u
See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EAP XML configuration.
>[!NOTE]
>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../hello-for-business/hello-identity-verification.md)
>To configure Windows Hello for Business authentication, follow the steps in [EAP configuration](/windows/client-management/mdm/eap-configuration) to create a smart card certificate. [Learn more about Windows Hello for Business.](../../../identity-protection/hello-for-business/hello-identity-verification.md).
The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).

90
windows/security/operating-system-security/network-security/vpn/vpn-auto-trigger-profile.md Normal file
View File

@ -0,0 +1,90 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 05/24/2023
ms.topic: conceptual
---
# VPN auto-triggered profile options
Windows can use different features to auto-trigger VPN, avoiding users to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
- Application trigger
- Name-based trigger
- Always On
> [!NOTE]
> Auto-triggered VPN connections won't work if **Folder Redirection** for **AppData** is enabled. Either Folder Redirection for AppData must be disabled, or the auto-triggered VPN profile must be deployed in SYSTEM context, which changes the path to where the *rasphone.pbk* file is stored.
## Application trigger
VPN profiles can be configured to automatically connect on the execution of certain applications:
- You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection
- You can configure per-app VPN and specify traffic rules for each app
> [!NOTE]
> The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
>
> [Find a package family name (PFN) for per-app VPN configuration](/mem/configmgr/protect/deploy-use/find-a-pfn-for-per-app-vpn)
For more information, see [Traffic filters](vpn-security-features.md#traffic-filters).
## Name-based trigger
You can configure a domain name-based rule so that a specific domain name triggers the VPN connection.\
Name-based auto-trigger can be configured using the `VPNv2/<ProfileName>/DomainNameInformationList/dniRowId/AutoTrigger` setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
There are four types of name-based triggers:
- Short name: for example, if *HRweb* is configured as a trigger, and the stack sees a DNS resolution request for *HRweb*, the VPN triggers
- Fully qualified domain name (FQDN): for example, if *HRweb.corp.contoso.com* is configured as a trigger, and the stack sees a DNS resolution request for *HRweb.corp.contoso.com*, the VPN triggers
- Suffix: for example, if *.corp.contoso.com* is configured as a trigger, and the stack sees a DNS resolution request with a matching suffix (such as *HRweb.corp.contoso.com*), the VPN triggers. For any short name resolution, VPN triggers, and the DNS servers are queried for the *<ShortName\>.corp.contoso.com*
- All: if used, all DNS resolution triggers VPN
## Always On
Always On is a Windows feature that enables the active VPN profile to connect automatically on the following triggers:
- User sign-in
- Network change
- Device screen on
When the trigger occurs, VPN tries to connect. If an error occurs, or any user input is needed, the user sees a toast notification for more interaction.
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings > Network & Internet > VPN > <VPN profile\>** by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile, and therefore only one user, is able to use the Always On triggers.
## Preserving user Always On preference
Another Windows feature is to preserve a user's Always On preference. If a user manually unchecks the **Connect automatically** checkbox, Windows remembers the user preference for the profile name by adding the profile name to the registry value *AutoTriggerDisabledProfilesList*.
If a management tool removes or adds the same profile name back and set **AlwaysOn** to **true**, Windows doesn't check the box if the profile name exists in the following registry value, in order to preserve user preference.
**Key:** `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config`\
**Value:** `AutoTriggerDisabledProfilesList`\
**Type:** `REG_MULTI_SZ`
## Trusted network detection
The **Trusted network detection** feature configures the VPN so that connection isn't triggered when a device is on a trusted network. To configure Trusted network detection, you must provide a list of DNS suffixes. The VPN stack verifies the network name of the physical interface connection profile: if it matches any of the suffixes configured in the list and the network is private or provisioned by MDM, then VPN doesn't trigger.
Trusted network detection can be configured using the `VPNv2/<ProfileName>/TrustedNetworkDetection` setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
## Configure app-triggered VPN
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
The following image shows associating apps to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-app-trigger.png" alt-text="Creation of VPN profile in Intune: application association options." lightbox="images/vpn-app-trigger.png":::
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

33
windows/security/identity-protection/vpn/vpn-conditional-access.md → windows/security/operating-system-security/network-security/vpn/vpn-conditional-access.md
View File

@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
ms.date: 09/23/2021
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps.
ms.date: 05/23/2023
ms.topic: conceptual
---
@ -15,30 +15,25 @@ The VPN client is now able to integrate with the cloud-based Conditional Access
Conditional Access Platform components used for Device Compliance include the following cloud-based services:
- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
- [Windows Health Attestation Service](../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation) (optional)
- [Windows Health Attestation Service](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md#device-health-attestation) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
- Password policy compliance
- Encryption compliance
- Device health attestation state (validated against attestation service after query)
- Antivirus status
- Auto-update status and update compliance
- Password policy compliance
- Encryption compliance
- Device health attestation state (validated against attestation service after query)
The following client-side components are also required:
- [HealthAttestation Configuration Service Provider (CSP)](/windows/client-management/mdm/healthattestation-csp)
- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) DeviceCompliance node settings
- Trusted Platform Module (TPM)
## VPN device compliance
## VPN device compliance
At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the &lt;SSO&gt; section.
@ -47,7 +42,7 @@ Server-side infrastructure requirements to support VPN device compliance include
- The VPN server should be configured for certificate authentication.
- The VPN server should trust the tenant-specific Azure AD CA.
- For client access using Kerberos/NTLM, a domain-trusted certificate is deployed to the client device and is configured to be used for single sign-on (SSO).
After the server side is set up, VPN admins can add the policy settings for conditional access to the VPN profile using the VPNv2 DeviceCompliance node.
Two client-side configuration service providers are leveraged for VPN device compliance.
@ -90,14 +85,12 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Azure Active Directory conditional access](/azure/active-directory/conditional-access/overview)
- [Getting started with Azure Active Directory Conditional Access](/azure/active-directory/authentication/tutorial-enable-azure-mfa)
- [Control the health of Windows 10-based devices](../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
- Control the health of Windows 11-based devices
- [Control the health of Windows devices](../../../threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 1)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 2)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-2)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
## Related topics
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)

57
windows/security/operating-system-security/network-security/vpn/vpn-connection-type.md Normal file
View File

@ -0,0 +1,57 @@
---
title: VPN connection types (Windows 10 and Windows 11)
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 05/24/2022
ms.topic: conceptual
---
# VPN connection types
VPNs are point-to-point connections across a private or public network, like the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called *tunneling protocols*, to make a virtual call to a virtual port on a VPN server. In a typical VPN deployment, a client initiates a virtual point-to-point connection to a remote access server over the Internet. The remote access server answers the call, authenticates the caller, and transfers data between the VPN client and the organization's private network.
There are many options for VPN clients. In Windows, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This article focuses on the Windows VPN platform clients and the features that can be configured.
![VPN connection types.](images/vpn-connection.png)
## Built-in VPN client
Tunneling protocols:
- [Internet Key Exchange version 2 (IKEv2)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)): configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
- [L2TP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687761(v=ws.10)): L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
- [PPTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687676(v=ws.10))
- [SSTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687819(v=ws.10)): SSTP can't be configured using MDM, but it's one of the protocols attempted in the **Automatic** option
> [!NOTE]
> When a VPN plug-in is used, the adapter will be listed as an SSTP adapter, even though the VPN protocol used is the plug-in's protocol.
- Automatic: the **Automatic** option means that the device tries each of the built-in tunneling protocols until one succeeds. It attempts from most secure to least secure. Configure **Automatic** for the **NativeProtocolType** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
## Universal Windows Platform VPN plug-in
Using the UWP platform, third-party VPN providers can create app-containerized plug-ins using WinRT APIs, eliminating the complexity and problems often associated with writing to system-level drivers.
There are many Universal Windows Platform VPN applications, such as Pulse Secure, Cisco AnyConnect, F5 Access, Sonicwall Mobile Connect, and Check Point Capsule. If you want to use a UWP VPN plug-in, work with your vendor for any custom settings needed to configure your VPN solution.
## Configure connection type
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
> [!div class="mx-imgBorder"]
> ![Available connection types.](images/vpn-connection-intune.png)
In Intune, you can also include custom XML for third-party plug-in profiles:
> [!div class="mx-imgBorder"]
> ![Custom XML.](images/vpn-custom-xml-intune.png)
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

13
windows/security/identity-protection/vpn/vpn-guide.md → windows/security/operating-system-security/network-security/vpn/vpn-guide.md
View File

@ -1,20 +1,20 @@
---
title: Windows VPN technical guide
description: Learn about decisions to make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment.
ms.date: 02/21/2022
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 05/24/2023
ms.topic: conceptual
---
# Windows VPN technical guide
This guide will walk you through the decisions you will make for Windows 10 or Windows 11 clients in your enterprise VPN solution and how to configure your deployment. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune and the VPN Profile template for Windows 10 and Windows 11.
This guide walks you through the decisions to make for Windows clients in your organization's VPN solution, and how to configure your devices. This guide references the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp) and provides mobile device management (MDM) configuration instructions using Microsoft Intune.
To create a Windows 10 VPN device configuration profile see: [Windows 10 and Windows Holographic device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10).
To create a Windows VPN device configuration profile see: [Windows device settings to add VPN connections using Intune](/mem/intune/configuration/vpn-settings-windows-10).
> [!NOTE]
> This guide does not explain server deployment.
[!INCLUDE [virtual-private-network-vpn](../../../../includes/licensing/virtual-private-network-vpn.md)]
[!INCLUDE [virtual-private-network-vpn](../../../../../includes/licensing/virtual-private-network-vpn.md)]
## In this guide
@ -29,7 +29,6 @@ To create a Windows 10 VPN device configuration profile see: [Windows 10 and Win
| [VPN security features](vpn-security-features.md) | Configure traffic filtering, connect a VPN profile to Windows Information Protection (WIP), and more |
| [VPN profile options](vpn-profile-options.md) | Combine settings into single VPN profile using XML |
## Learn more
- [Create VPN profiles to connect to VPN servers in Intune](/mem/intune/configuration/vpn-settings-configure)

71
windows/security/operating-system-security/network-security/vpn/vpn-name-resolution.md Normal file
View File

@ -0,0 +1,71 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 05/24/2023
ms.topic: conceptual
---
# VPN name resolution
When the VPN client establishes a connection, it receives an IP address and, optionally, the IP address of one or more DNS servers.
The name resolution setting in the VPN profile determines how name resolution works on the system when the VPN connection is established:
1. The network stack looks at the Name Resolution Policy table (NRPT) for any matches, and tries a resolution if a match is found
1. If no match is found, the DNS suffix on the most preferred interface based on the interface metric is appended to the name (if a short name is used). A DNS query is sent to the preferred interface
1. If the query times out, the DNS suffix search list is used in order and DNS queries are sent on all interfaces
## Name Resolution Policy table (NRPT)
The NRPT is a table of namespaces that determines the DNS client's behavior when issuing name resolution queries and processing responses. It's the first place that the stack will look after the DNSCache.
There are three types of name matches that can set up for NRPT:
- Fully qualified domain name (FQDN) that can be used for direct matching to a name
- Suffix match results in either a comparison of suffixes (for FQDN resolution) or the appending of the suffix (if using short name)
- Any resolution should attempt to first resolve with the proxy server/DNS server with this entry
NRPT is set using the `VPNv2/<ProfileName>/DomainNameInformationList` node of the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp). You can use the same node to configure a Web proxy server or DNS.
To learn more about NRPT, see [Introduction to the NRPT](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee649207(v=ws.10)).
## DNS suffix
The DNS suffix setting is used to configure the primary DNS suffix for the VPN interface and the suffix search list after the VPN connection is established.
Primary DNS suffix is set using the `VPNv2/<ProfileName>/DnsSuffix` node.
[Learn more about primaryDNS suffix](/previous-versions/windows/it-pro/windows-2000-server/cc959611(v=technet.10))
## Persistent name resolution rules
You can configure *persistent* name resolution rules. Name resolution for the specified items is done over the VPN.
Persistent name resolution is set using the `VPNv2/<ProfileName>/DomainNameInformationList/<dniRowId>/Persistent` node.
## Configure name resolution
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
:::image type="content" source="images/vpn-name-intune.png" alt-text="Creation of VPN profile in Intune: DNS options." lightbox="images/vpn-name-intune.png":::
The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
| Field | XML |
| --- | --- |
| **Name** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DomainName** |
| **Servers (comma separated)** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/DnsServers** |
| **Proxy server** | **VPNv2/*ProfileName*/DomainNameInformationList/*dniRowId*/WebServers** |
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

52
windows/security/identity-protection/vpn/vpn-office-365-optimization.md → windows/security/operating-system-security/network-security/vpn/vpn-office-365-optimization.md
View File

@ -1,17 +1,17 @@
---
title: Optimizing Office 365 traffic for remote workers with the native Windows VPN client
description: Learn how to optimize Office 365 traffic for remote workers with the native Windows VPN client
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: article
ms.date: 09/23/2021
ms.date: 05/24/2023
---
# Optimizing Office 365 traffic for remote workers with the native Windows 10 and Windows 11 VPN client
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
This article describes how to configure the recommendations in the article [Optimize Office 365 connectivity for remote users using VPN split tunneling](/office365/enterprise/office-365-vpn-split-tunnel) for the *native Windows 10 and Windows 11 VPN client*. This guidance enables VPN administrators to optimize Office 365 usage while still ensuring that all other traffic goes over the VPN connection and through existing security gateways and tooling.
This article describes how to configure the recommendations in the article [VPN split tunneling for Microsoft 365](/microsoft-365/enterprise/microsoft-365-vpn-split-tunnel) for the Windows VPN client. This guidance enables VPN administrators to optimize Microsoft 365 usage while ensuring that all other traffic goes over the VPN connection and through existing security gateways or tooling.
This can be achieved for the native/built-in Windows 10 and Windows 11 VPN client using a _Force Tunneling with Exclusions_ approach. This allows you to define IP-based exclusions *even when using force tunneling* in order to "split" certain traffic to use the physical interface while still forcing all other traffic via the VPN interface. Traffic addressed to specifically defined destinations (like those listed in the Office 365 optimize categories) will therefore follow a much more direct and efficient path, without the need to traverse or "hairpin" via the VPN tunnel and back out of the corporate network. For cloud-services like Office 365, this makes a huge difference in performance and usability for remote users.
The recommendations can be implemented for the built-in Windows VPN client using a *Force Tunneling with Exclusions* approach, defining IP-based exclusions even when using *force tunneling*. Certain traffic can be *split* to use the physical interface, while still forcing all other traffic via the VPN interface. Traffic addressed to defined destinations (like those listed in the Microsoft 365 optimized categories) follows a much more direct and efficient path, without the need to traverse or *hairpin* via the VPN tunnel and back out of the organization's network. For cloud-services like Microsoft 365, this makes a significant difference in performance and usability for remote users.
> [!NOTE]
> The term _force tunneling with exclusions_ is sometimes confusingly called "split tunnels" by other vendors and in some online documentation. For Windows 10 and Windows 11 VPN, the term _split tunneling_ is defined differently as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration).
> The term *force tunneling with exclusions* is sometimes confusingly called *split tunnels* by other vendors and in some online documentation. For Windows VPN, the term *split tunneling* is defined differently, as described in the article [VPN routing decisions](./vpn-routing.md#split-tunnel-configuration).
## Solution Overview
@ -35,9 +35,9 @@ In order to define specific force tunnel exclusions, you then need to add the fo
</Route>
```
Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You will need to define a unique and separate `<Route></Route>` section for each required exclusion.
Entries defined by the `[IP Addresses or Subnet]` and `[IP Prefix]` references will consequently be added to the routing table as _more specific route entries_ that will use the Internet-connected interface as the default gateway, as opposed to using the VPN interface. You must define a unique and separate `<Route></Route>` section for each required exclusion.
An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is shown below:
An example of a correctly formatted Profile XML configuration for force tunnel with exclusions is the following:
```xml
<VPNProfile>
@ -62,11 +62,11 @@ An example of a correctly formatted Profile XML configuration for force tunnel w
## Solution Deployment
For Office 365, it is therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](/office365/enterprise/urls-and-ip-address-ranges) to ensure that they are excluded from VPN force tunneling.
For Microsoft 365, it's therefore necessary to add exclusions for all IP addresses documented within the optimize categories described in [Office 365 URLs and IP address ranges](/microsoft-365/enterprise/urls-and-ip-address-ranges) to ensure that they're excluded from VPN force tunneling.
This can be achieved manually by adding the IP addresses defined within the *optimize* category entries to an existing Profile XML (or script) file, or alternatively the following script can be used which dynamically adds the required entries to an existing PowerShell script, or XML file, based upon directly querying the REST-based web service to ensure the correct IP address ranges are always used.
An example of a PowerShell script that can be used to update a force tunnel VPN connection with Office 365 exclusions is provided below.
An example of a PowerShell script that can be used to update a force tunnel VPN connection with Microsoft 365 exclusions is provided below.
```powershell
# Copyright (c) Microsoft Corporation. All rights reserved.
@ -79,9 +79,9 @@ An example of a PowerShell script that can be used to update a force tunnel VPN
<#
.SYNOPSIS
Applies or updates recommended Office 365 optimize IP address exclusions to an existing force tunnel Windows 10 and Windows 11 VPN profile
Applies or updates recommended Microsoft 365 optimize IP address exclusions to an existing force tunnel Windows 10 and Windows 11 VPN profile
.DESCRIPTION
Connects to the Office 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges
Connects to the Microsoft 365 worldwide commercial service instance endpoints to obtain the latest published IP address ranges
Compares the optimized IP addresses with those contained in the supplied VPN Profile (PowerShell or XML file)
Adds or updates IP addresses as necessary and saves the resultant file with "-NEW" appended to the file name
.PARAMETERS
@ -170,7 +170,7 @@ if ( $VPNprofilefile -ne "" -and $FileExtension -eq ".ps1")
}
}
# Define Office 365 endpoints and service URLs #
# Define Microsoft 365 endpoints and service URLs #
$ws = "https://endpoints.office.com"
$baseServiceUrl = "https://endpoints.office.com"
@ -198,7 +198,7 @@ if ($version[0].latest -gt $lastVersion)
{
Write-Host
Write-Host "A new version of Office 365 worldwide commercial service instance endpoints has been detected!" -ForegroundColor Cyan
Write-Host "A new version of Microsoft 365 worldwide commercial service instance endpoints has been detected!" -ForegroundColor Cyan
# Write the new version number to the data file #
@($clientRequestId, $version[0].latest) | Out-File $datapath
@ -415,29 +415,13 @@ if ($VPNprofilefile -ne "" -and $FileExtension -eq ".xml")
}
```
## Version Support
This solution is supported with the following versions of Windows:
- Windows 11
- Windows 10 1903/1909 and newer: Included, no action needed
- Windows 10 1809: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
- Windows 10 1803: At least [KB4493437](https://support.microsoft.com/help/4493437/windows-10-update-kb4493437)
- Windows 10 1709 and lower: Exclusion routes are not supported
- Windows 10 Enterprise 2019 LTSC: At least [KB4490481](https://support.microsoft.com/help/4490481/windows-10-update-kb4490481)
- Windows 10 Enterprise 2016 LTSC: Exclusion routes are not supported
- Windows 10 Enterprise 2015 LTSC: Exclusion routes are not supported
Microsoft strongly recommends that the latest available Windows 10 cumulative update always be applied.
## Other Considerations
You should also be able to adapt this approach to include necessary exclusions for other cloud-services that can be defined by known/static IP addresses; exclusions required for [Cisco WebEx](https://help.webex.com/WBX000028782/Network-Requirements-for-Webex-Teams-Services) or [Zoom](https://support.zoom.us/hc/en-us/articles/201362683) are good examples.
## Examples
An example of a PowerShell script that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script:
An example of a PowerShell script that can be used to create a force tunnel VPN connection with Microsoft 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial PowerShell script:
```powershell
# Copyright (c) Microsoft Corporation. All rights reserved.
@ -462,7 +446,7 @@ An example of a PowerShell script that can be used to create a force tunnel VPN
#>
<#-- Define Key VPN Profile Parameters --#>
$ProfileName = 'Contoso VPN with Office 365 Exclusions'
$ProfileName = 'Contoso VPN with Microsoft 365 Exclusions'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'
<#-- Define VPN ProfileXML --#>
@ -656,7 +640,7 @@ Write-Host "$Message"
```
An example of an [Intune-ready XML file](./vpn-profile-options.md#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Office 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file.
An example of an [Intune-ready XML file](./vpn-profile-options.md#apply-profilexml-using-intune) that can be used to create a force tunnel VPN connection with Microsoft 365 exclusions is provided below, or refer to the guidance in [Create the ProfileXML configuration files](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/vpn-deploy-client-vpn-connections#create-the-profilexml-configuration-files) to create the initial XML file.
>[!NOTE]
>This XML is formatted for use with Intune and cannot contain any carriage returns or whitespace.

0
windows/security/identity-protection/vpn/vpn-profile-options.md → windows/security/operating-system-security/network-security/vpn/vpn-profile-options.md
View File

55
windows/security/operating-system-security/network-security/vpn/vpn-routing.md Normal file
View File

@ -0,0 +1,55 @@
---
ms.date: 05/24/2023
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: conceptual
---
# VPN routing decisions
Network routes are required for the stack to understand which interface to use for outbound traffic. One of the most important decision points for VPN configuration is whether you want to send all the data through VPN (*force tunnel*) or only some data through the VPN (*split tunnel*). The decision impacts the configuration, capacity planning, and security expectations from the connection.
## Split tunnel configuration
In a split tunnel configuration, routes can be specified to go over VPN and all other traffic will go over the physical interface.
Routes can be configured using the `VPNv2/<ProfileName>/RouteList` setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
For each route item in the list, you can configure the following options:
- **Address**: `VPNv2/<ProfileName>/RouteList/<routeRowId>/Address`
- **Prefix size**: `VPNv2/<ProfileName>/RouteList/<routeRowId>/Prefix`
- **Exclusion route**: V`VPNv2/<ProfileName>/RouteList/<routeRowId>/ExclusionRoute`
With Windows VPN, you can specify exclusion routes that shouldn't go over the physical interface.
Routes can also be added at connect time through the server for UWP VPN apps.
## Force tunnel configuration
In a force tunnel configuration, all traffic will go over VPN. Force tunnel is the default configuration, and takes effect when no routes are specified.
The only implication of force tunnel is the manipulation of routing entries: VPN V4 and V6 default routes (for example *0.0.0.0/0*) are added to the routing table with a lower metric than ones for other interfaces. This configuration sends traffic through the VPN as long as there isn't a specific route on the physical interface:
- For built-in VPN, the decision is controlled using the MDM setting `VPNv2/ProfileName/NativeProfile/RoutingPolicyType`
- For a UWP VPN plug-in, the app controls the property. If the VPN plug-in indicates the default route for IPv4 and IPv6 as the only two Inclusion routes, the VPN platform marks the connection as Force Tunneled
## Configure routing
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
When you configure a VPN profile in Microsoft Intune, you can enable split tunnel configuration:
![split tunnel.](images/vpn-split.png)
Once enabled, you can add the routes that should use the VPN connection.
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
- [VPN profile options](vpn-profile-options.md)

68
windows/security/operating-system-security/network-security/vpn/vpn-security-features.md Normal file
View File

@ -0,0 +1,68 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 05/24/2023
ms.topic: conceptual
---
# VPN security features
## Hyper-V based containers and VPN
Windows supports different kinds of Hyper-V based containers, like Microsoft Defender Application Guard and Windows Sandbox. When you use a third party VPN solution, the Hyper-V based containers may not be able to seamlessly connect to the internet, and configuration changes may be needed to resolve connectivity issues.
For example, read about the workaround for Cisco AnyConnect VPN: [Cisco AnyConnect Secure Mobility Client Administrator Guide: Connectivity issues with VM-based subsystems](https://www.cisco.com/c/en/us/td/docs/security/vpn_client/anyconnect/anyconnect410/administration/guide/b-anyconnect-admin-guide-4-10/troubleshoot-anyconnect.html#Cisco_Task_in_List_GUI.dita_3a9a8101-f034-4e9b-b24a-486ee47b5e9f).
## Traffic Filters
Traffic Filters enables organizations to decide what traffic is allowed into the corporate network based on policy. IT admins can use Traffic Filters to apply interface-specific firewall rules to the VPN Interface.
There are two types of Traffic Filter rules:
- **App-based rules** consist of a list of applications that can be marked to only allow traffic originating from the apps to the VPN interface
- **Traffic-based rules** consist of 5-tuple policies (ports, addresses, protocol) that can be specified to only allow traffic matching the rules to go through the VPN interface
There can be sets of rules linked by *OR*. Within each set, there can be app-based rules and traffic-based rules.\
All the properties within the set are linked by *AND*. The rules can be applied at a per-app level or a per-device level.
For example, an IT admin could define rules that specify:
- An *HR App* is allowed to go through the VPN and only access port *4545*
- The *Finance apps* are allowed to through the VPN and only access the Remote IP ranges of *10.10.0.40 - 10.10.0.201* on port *5889*
- All other apps on the device can only access ports *80* or *443*
## Configure traffic filters
See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp) for XML configuration.
The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.
:::image type="content" source="images/vpn-traffic-rules.png" alt-text="VPN profile creation from Microsoft Intune admin center." lightbox="images/vpn-traffic-rules.png":::
## LockDown VPN
A VPN profile configured with LockDown secures the device to only allow network traffic over the VPN interface. It has the following features:
- The system attempts to always keep the VPN connected
- The user can't disconnect the VPN connection
- The user can't delete or modify the VPN profile
- The VPN LockDown profile uses forced tunnel connection
- If the VPN connection isn't available, outbound network traffic is blocked
- Only one VPN LockDown profile is allowed on a device
> [!NOTE]
> For built-in VPN, LockDown VPN is only available for the Internet Key Exchange version 2 (IKEv2) connection type.
> [!CAUTION]
> Be careful when deploying LockDown VPN, as the resultant connection won't be able to send or receive any network traffic without the VPN connection being established.
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
- [VPN routing decisions](vpn-routing.md)
- [VPN authentication options](vpn-authentication.md)
- [VPN and conditional access](vpn-conditional-access.md)
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN profile options](vpn-profile-options.md)

252
windows/security/operating-system-security/network-security/windows-firewall/TOC.yml Normal file
View File

@ -0,0 +1,252 @@
items:
- name: Overview
href: windows-firewall-with-advanced-security.md
- name: Plan deployment
items:
- name: Design guide
href: windows-firewall-with-advanced-security-design-guide.md
- name: Design process
href: understanding-the-windows-firewall-with-advanced-security-design-process.md
- name: Implementation goals
items:
- name: Identify implementation goals
href: identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
- name: Protect devices from unwanted network traffic
href: protect-devices-from-unwanted-network-traffic.md
- name: Restrict access to only trusted devices
href: restrict-access-to-only-trusted-devices.md
- name: Require encryption
href: require-encryption-when-accessing-sensitive-network-resources.md
- name: Restrict access
href: restrict-access-to-only-specified-users-or-devices.md
- name: Implementation designs
items:
- name: Mapping goals to a design
href: mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md
- name: Basic firewall design
href: basic-firewall-policy-design.md
items:
- name: Basic firewall design example
href: firewall-policy-design-example.md
- name: Domain isolation design
href: domain-isolation-policy-design.md
items:
- name: Domain isolation design example
href: domain-isolation-policy-design-example.md
- name: Server isolation design
href: server-isolation-policy-design.md
items:
- name: Server Isolation design example
href: server-isolation-policy-design-example.md
- name: Certificate-based isolation design
href: certificate-based-isolation-policy-design.md
items:
- name: Certificate-based Isolation design example
href: certificate-based-isolation-policy-design-example.md
- name: Design planning
items:
- name: Planning your design
href: planning-your-windows-firewall-with-advanced-security-design.md
- name: Planning settings for a basic firewall policy
href: planning-settings-for-a-basic-firewall-policy.md
- name: Planning domain isolation zones
items:
- name: Domain isolation zones
href: planning-domain-isolation-zones.md
- name: Exemption list
href: exemption-list.md
- name: Isolated domain
href: isolated-domain.md
- name: Boundary zone
href: boundary-zone.md
- name: Encryption zone
href: encryption-zone.md
- name: Planning server isolation zones
href: planning-server-isolation-zones.md
- name: Planning certificate-based authentication
href: planning-certificate-based-authentication.md
items:
- name: Documenting the Zones
href: documenting-the-zones.md
- name: Planning group policy deployment for your isolation zones
href: planning-group-policy-deployment-for-your-isolation-zones.md
items:
- name: Planning isolation groups for the zones
href: planning-isolation-groups-for-the-zones.md
- name: Planning network access groups
href: planning-network-access-groups.md
- name: Planning the GPOs
href: planning-the-gpos.md
items:
- name: Firewall GPOs
href: firewall-gpos.md
items:
- name: GPO_DOMISO_Firewall
href: gpo-domiso-firewall.md
- name: Isolated domain GPOs
href: isolated-domain-gpos.md
items:
- name: GPO_DOMISO_IsolatedDomain_Clients
href: gpo-domiso-isolateddomain-clients.md
- name: GPO_DOMISO_IsolatedDomain_Servers
href: gpo-domiso-isolateddomain-servers.md
- name: Boundary zone GPOs
href: boundary-zone-gpos.md
items:
- name: GPO_DOMISO_Boundary
href: gpo-domiso-boundary.md
- name: Encryption zone GPOs
href: encryption-zone-gpos.md
items:
- name: GPO_DOMISO_Encryption
href: gpo-domiso-encryption.md
- name: Server isolation GPOs
href: server-isolation-gpos.md
- name: Planning GPO deployment
href: planning-gpo-deployment.md
- name: Planning to deploy
href: planning-to-deploy-windows-firewall-with-advanced-security.md
- name: Deployment guide
items:
- name: Deployment overview
href: windows-firewall-with-advanced-security-deployment-guide.md
- name: Implementing your plan
href: implementing-your-windows-firewall-with-advanced-security-design-plan.md
- name: Basic firewall deployment
items:
- name: "Checklist: Implementing a basic firewall policy design"
href: checklist-implementing-a-basic-firewall-policy-design.md
- name: Domain isolation deployment
items:
- name: "Checklist: Implementing a Domain Isolation Policy Design"
href: checklist-implementing-a-domain-isolation-policy-design.md
- name: Server isolation deployment
items:
- name: "Checklist: Implementing a Standalone Server Isolation Policy Design"
href: checklist-implementing-a-standalone-server-isolation-policy-design.md
- name: Certificate-based authentication
items:
- name: "Checklist: Implementing a Certificate-based Isolation Policy Design"
href: checklist-implementing-a-certificate-based-isolation-policy-design.md
- name: Best practices
items:
- name: Configuring the firewall
href: best-practices-configuring.md
- name: Securing IPsec
href: securing-end-to-end-ipsec-connections-by-using-ikev2.md
- name: PowerShell
href: windows-firewall-with-advanced-security-administration-with-windows-powershell.md
- name: Isolating Microsoft Store Apps on Your Network
href: isolating-apps-on-your-network.md
- name: How-to
items:
- name: Add Production devices to the membership group for a zone
href: add-production-devices-to-the-membership-group-for-a-zone.md
- name: Add test devices to the membership group for a zone
href: add-test-devices-to-the-membership-group-for-a-zone.md
- name: Assign security group filters to the GPO
href: assign-security-group-filters-to-the-gpo.md
- name: Change rules from request to require mode
href: Change-Rules-From-Request-To-Require-Mode.Md
- name: Configure authentication methods
href: Configure-authentication-methods.md
- name: Configure data protection (Quick Mode) settings
href: configure-data-protection-quick-mode-settings.md
- name: Configure Group Policy to autoenroll and deploy certificates
href: configure-group-policy-to-autoenroll-and-deploy-certificates.md
- name: Configure key exchange (main mode) settings
href: configure-key-exchange-main-mode-settings.md
- name: Configure the rules to require encryption
href: configure-the-rules-to-require-encryption.md
- name: Configure the Windows Firewall log
href: configure-the-windows-firewall-log.md
- name: Configure the workstation authentication certificate template
href: configure-the-workstation-authentication-certificate-template.md
- name: Configure Windows Firewall to suppress notifications when a program is blocked
href: configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
- name: Confirm that certificates are deployed correctly
href: confirm-that-certificates-are-deployed-correctly.md
- name: Copy a GPO to create a new GPO
href: copy-a-gpo-to-create-a-new-gpo.md
- name: Create a Group Account in Active Directory
href: create-a-group-account-in-active-directory.md
- name: Create a Group Policy Object
href: create-a-group-policy-object.md
- name: Create an authentication exemption list rule
href: create-an-authentication-exemption-list-rule.md
- name: Create an authentication request rule
href: create-an-authentication-request-rule.md
- name: Create an inbound ICMP rule
href: create-an-inbound-icmp-rule.md
- name: Create an inbound port rule
href: create-an-inbound-port-rule.md
- name: Create an inbound program or service rule
href: create-an-inbound-program-or-service-rule.md
- name: Create an outbound port rule
href: create-an-outbound-port-rule.md
- name: Create an outbound program or service rule
href: create-an-outbound-program-or-service-rule.md
- name: Create inbound rules to support RPC
href: create-inbound-rules-to-support-rpc.md
- name: Create WMI filters for the GPO
href: create-wmi-filters-for-the-gpo.md
- name: Create Windows Firewall rules in Intune
href: create-windows-firewall-rules-in-intune.md
- name: Enable predefined inbound rules
href: enable-predefined-inbound-rules.md
- name: Enable predefined outbound rules
href: enable-predefined-outbound-rules.md
- name: Exempt ICMP from authentication
href: exempt-icmp-from-authentication.md
- name: Link the GPO to the domain
href: link-the-gpo-to-the-domain.md
- name: Modify GPO filters
href: modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md
- name: Open IP security policies
href: open-the-group-policy-management-console-to-ip-security-policies.md
- name: Open Group Policy
href: open-the-group-policy-management-console-to-windows-firewall.md
- name: Open Group Policy
href: open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md
- name: Open Windows Firewall
href: open-windows-firewall-with-advanced-security.md
- name: Restrict server access
href: restrict-server-access-to-members-of-a-group-only.md
- name: Enable Windows Firewall
href: turn-on-windows-firewall-and-configure-default-behavior.md
- name: Verify Network Traffic
href: verify-that-network-traffic-is-authenticated.md
- name: References
items:
- name: "Checklist: Creating Group Policy objects"
href: checklist-creating-group-policy-objects.md
- name: "Checklist: Creating inbound firewall rules"
href: checklist-creating-inbound-firewall-rules.md
- name: "Checklist: Creating outbound firewall rules"
href: checklist-creating-outbound-firewall-rules.md
- name: "Checklist: Configuring basic firewall settings"
href: checklist-configuring-basic-firewall-settings.md
- name: "Checklist: Configuring rules for the isolated domain"
href: checklist-configuring-rules-for-the-isolated-domain.md
- name: "Checklist: Configuring rules for the boundary zone"
href: checklist-configuring-rules-for-the-boundary-zone.md
- name: "Checklist: Configuring rules for the encryption zone"
href: checklist-configuring-rules-for-the-encryption-zone.md
- name: "Checklist: Configuring rules for an isolated server zone"
href: checklist-configuring-rules-for-an-isolated-server-zone.md
- name: "Checklist: Configuring rules for servers in a standalone isolated server zone"
href: checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
- name: "Checklist: Creating rules for clients of a standalone isolated server zone"
href: checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
- name: "Appendix A: Sample GPO template files for settings used in this guide"
href: appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
- name: Troubleshooting
items:
- name: Troubleshooting UWP app connectivity issues in Windows Firewall
href: troubleshooting-uwp-firewall.md
- name: Filter origin audit log improvements
href: filter-origin-documentation.md
- name: Quarantine behavior
href: quarantine.md
- name: Firewall settings lost on upgrade
href: firewall-settings-lost-on-upgrade.md

3
windows/security/threat-protection/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md → windows/security/operating-system-security/network-security/windows-firewall/add-production-devices-to-the-membership-group-for-a-zone.md
View File

@ -4,9 +4,6 @@ description: Learn how to add production devices to the membership group for a z
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Add Production Devices to the Membership Group for a Zone

3
windows/security/threat-protection/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md → windows/security/operating-system-security/network-security/windows-firewall/add-test-devices-to-the-membership-group-for-a-zone.md
View File

@ -4,9 +4,6 @@ description: Learn how to add devices to the group for a zone to test whether yo
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Add Test Devices to the Membership Group for a Zone

3
windows/security/threat-protection/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md → windows/security/operating-system-security/network-security/windows-firewall/appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md
View File

@ -4,9 +4,6 @@ description: Use sample template files import an XML file containing customized
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Appendix A: Sample GPO Template Files for Settings Used in this Guide

3
windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md → windows/security/operating-system-security/network-security/windows-firewall/assign-security-group-filters-to-the-gpo.md
View File

@ -7,9 +7,6 @@ ms.collection:
- tier3
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Assign Security Group Filters to the GPO

3
windows/security/threat-protection/windows-firewall/basic-firewall-policy-design.md → windows/security/operating-system-security/network-security/windows-firewall/basic-firewall-policy-design.md
View File

@ -3,9 +3,6 @@ title: Basic Firewall Policy Design
description: Protect the devices in your organization from unwanted network traffic that gets through the perimeter defenses by using basic firewall policy design.
ms.prod: windows-client
ms.topic: conceptual
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
ms.date: 12/31/2017
---

3
windows/security/threat-protection/windows-firewall/best-practices-configuring.md → windows/security/operating-system-security/network-security/windows-firewall/best-practices-configuring.md
View File

@ -7,9 +7,6 @@ ms.collection:
- highpri
- tier3
ms.topic: article
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Best practices for configuring Windows Defender Firewall

3
windows/security/threat-protection/windows-firewall/boundary-zone-gpos.md → windows/security/operating-system-security/network-security/windows-firewall/boundary-zone-gpos.md
View File

@ -4,9 +4,6 @@ description: Learn about GPOs to create that must align with the group you creat
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Boundary Zone GPOs

3
windows/security/threat-protection/windows-firewall/boundary-zone.md → windows/security/operating-system-security/network-security/windows-firewall/boundary-zone.md
View File

@ -4,9 +4,6 @@ description: Learn how a boundary zone supports devices that must receive traffi
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Boundary Zone

3
windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design-example.md → windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design-example.md
View File

@ -4,9 +4,6 @@ description: This example uses a fictitious company to illustrate certificate-ba
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Certificate-based Isolation Policy Design Example

3
windows/security/threat-protection/windows-firewall/certificate-based-isolation-policy-design.md → windows/security/operating-system-security/network-security/windows-firewall/certificate-based-isolation-policy-design.md
View File

@ -4,9 +4,6 @@ description: Explore the methodology behind Certificate-based Isolation Policy D
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Certificate-based isolation policy design

3
windows/security/threat-protection/windows-firewall/change-rules-from-request-to-require-mode.md → windows/security/operating-system-security/network-security/windows-firewall/change-rules-from-request-to-require-mode.md
View File

@ -4,9 +4,6 @@ description: Learn how to convert a rule from request to require mode and apply
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Change Rules from Request to Require Mode

3
windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-basic-firewall-settings.md
View File

@ -4,9 +4,6 @@ description: Configure Windows Firewall to set inbound and outbound behavior, di
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Configuring Basic Firewall Settings

3
windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-an-isolated-server-zone.md
View File

@ -4,9 +4,6 @@ description: Use these tasks to configure connection security rules and IPsec se
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Configuring Rules for an Isolated Server Zone

3
windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md
View File

@ -4,9 +4,6 @@ description: Checklist Configuring Rules for Servers in a Standalone Isolated Se
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone

3
windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-boundary-zone.md
View File

@ -4,9 +4,6 @@ description: Use these tasks to configure connection security rules and IPsec se
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Configuring Rules for the Boundary Zone

3
windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-encryption-zone.md
View File

@ -4,9 +4,6 @@ description: Use these tasks to configure connection security rules and IPsec se
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Configuring Rules for the Encryption Zone

3
windows/security/threat-protection/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-configuring-rules-for-the-isolated-domain.md
View File

@ -4,9 +4,6 @@ description: Use these tasks to configure connection security rules and IPsec se
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Configuring Rules for the Isolated Domain

3
windows/security/threat-protection/windows-firewall/checklist-creating-group-policy-objects.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-group-policy-objects.md
View File

@ -4,9 +4,6 @@ description: Learn to deploy firewall settings, IPsec settings, firewall rules,
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Creating Group Policy Objects

3
windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-inbound-firewall-rules.md
View File

@ -4,9 +4,6 @@ description: Use these tasks for creating inbound firewall rules in your GPOs fo
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Creating Inbound Firewall Rules

3
windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-outbound-firewall-rules.md
View File

@ -4,9 +4,6 @@ description: Use these tasks for creating outbound firewall rules in your GPOs f
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Creating Outbound Firewall Rules

3
windows/security/threat-protection/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md
View File

@ -4,9 +4,6 @@ description: Checklist for when creating rules for clients of a Standalone Isola
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone

3
windows/security/threat-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
View File

@ -4,9 +4,6 @@ description: Follow this parent checklist for implementing a basic firewall poli
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Implementing a Basic Firewall Policy Design

3
windows/security/threat-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
View File

@ -4,9 +4,6 @@ description: Use these references to learn about using certificates as an authen
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Implementing a Certificate-based Isolation Policy Design

3
windows/security/threat-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
View File

@ -4,9 +4,6 @@ description: Use these references to learn about the domain isolation policy des
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Implementing a Domain Isolation Policy Design

3
windows/security/threat-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md → windows/security/operating-system-security/network-security/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
View File

@ -4,9 +4,6 @@ description: Use these tasks to create a server isolation policy design that isn
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Checklist: Implementing a Standalone Server Isolation Policy Design

3
windows/security/threat-protection/windows-firewall/configure-authentication-methods.md → windows/security/operating-system-security/network-security/windows-firewall/configure-authentication-methods.md
View File

@ -4,9 +4,6 @@ description: Learn how to configure authentication methods for devices in an iso
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Configure Authentication Methods

3
windows/security/threat-protection/windows-firewall/configure-data-protection-quick-mode-settings.md → windows/security/operating-system-security/network-security/windows-firewall/configure-data-protection-quick-mode-settings.md
View File

@ -4,9 +4,6 @@ description: Learn how to configure the data protection settings for connection
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Configure Data Protection (Quick Mode) Settings

3
windows/security/threat-protection/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md → windows/security/operating-system-security/network-security/windows-firewall/configure-group-policy-to-autoenroll-and-deploy-certificates.md
View File

@ -4,9 +4,6 @@ description: Learn how to configure Group Policy to automatically enroll client
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Configure Group Policy to Autoenroll and Deploy Certificates

3
windows/security/threat-protection/windows-firewall/configure-key-exchange-main-mode-settings.md → windows/security/operating-system-security/network-security/windows-firewall/configure-key-exchange-main-mode-settings.md
View File

@ -4,9 +4,6 @@ description: Learn how to configure the main mode key exchange settings used to
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Configure Key Exchange (Main Mode) Settings

3
windows/security/threat-protection/windows-firewall/configure-the-rules-to-require-encryption.md → windows/security/operating-system-security/network-security/windows-firewall/configure-the-rules-to-require-encryption.md
View File

@ -4,9 +4,6 @@ description: Learn how to configure rules to add encryption algorithms and delet
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Configure the Rules to Require Encryption

3
windows/security/threat-protection/windows-firewall/configure-the-windows-firewall-log.md → windows/security/operating-system-security/network-security/windows-firewall/configure-the-windows-firewall-log.md
View File

@ -4,9 +4,6 @@ description: Learn how to configure Windows Defender Firewall with Advanced Secu
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Configure the Windows Defender Firewall with Advanced Security Log

3
windows/security/threat-protection/windows-firewall/configure-the-workstation-authentication-certificate-template.md → windows/security/operating-system-security/network-security/windows-firewall/configure-the-workstation-authentication-certificate-template.md
View File

@ -3,9 +3,6 @@ title: Configure the Workstation Authentication Template
description: Learn how to configure a workstation authentication certificate template, which is used for device certificates that are enrolled and deployed to workstations.
ms.prod: windows-client
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
ms.topic: conceptual
---

3
windows/security/threat-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md → windows/security/operating-system-security/network-security/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
View File

@ -4,9 +4,6 @@ description: Configure Windows Defender Firewall with Advanced Security to suppr
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked

3
windows/security/threat-protection/windows-firewall/confirm-that-certificates-are-deployed-correctly.md → windows/security/operating-system-security/network-security/windows-firewall/confirm-that-certificates-are-deployed-correctly.md
View File

@ -4,9 +4,6 @@ description: Learn how to confirm that a Group Policy is being applied as expect
ms.prod: windows-client
ms.topic: conceptual
ms.date: 01/24/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Confirm That Certificates Are Deployed Correctly

3
windows/security/threat-protection/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md → windows/security/operating-system-security/network-security/windows-firewall/copy-a-gpo-to-create-a-new-gpo.md
View File

@ -4,9 +4,6 @@ description: Learn how to make a copy of a GPO by using the Active Directory Use
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Copy a GPO to Create a New GPO

3
windows/security/threat-protection/windows-firewall/create-a-group-account-in-active-directory.md → windows/security/operating-system-security/network-security/windows-firewall/create-a-group-account-in-active-directory.md
View File

@ -4,9 +4,6 @@ description: Learn how to create a security group for the computers that are to
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create a Group Account in Active Directory

3
windows/security/threat-protection/windows-firewall/create-a-group-policy-object.md → windows/security/operating-system-security/network-security/windows-firewall/create-a-group-policy-object.md
View File

@ -7,9 +7,6 @@ ms.collection:
- tier3
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create a Group Policy Object

3
windows/security/threat-protection/windows-firewall/create-an-authentication-exemption-list-rule.md → windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-exemption-list-rule.md
View File

@ -4,9 +4,6 @@ description: Learn how to create rules that exempt devices that cannot communica
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create an Authentication Exemption List Rule

3
windows/security/threat-protection/windows-firewall/create-an-authentication-request-rule.md → windows/security/operating-system-security/network-security/windows-firewall/create-an-authentication-request-rule.md
View File

@ -4,9 +4,6 @@ description: Create a new rule for Windows Defender Firewall with Advanced Secur
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create an Authentication Request Rule

3
windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule.md → windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md
View File

@ -4,9 +4,6 @@ description: Learn how to allow inbound ICMP traffic by using the Group Policy M
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create an Inbound ICMP Rule

3
windows/security/threat-protection/windows-firewall/create-an-inbound-port-rule.md → windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-port-rule.md
View File

@ -7,9 +7,6 @@ ms.collection:
- tier3
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create an Inbound Port Rule

3
windows/security/threat-protection/windows-firewall/create-an-inbound-program-or-service-rule.md → windows/security/operating-system-security/network-security/windows-firewall/create-an-inbound-program-or-service-rule.md
View File

@ -4,9 +4,6 @@ description: Learn how to allow inbound traffic to a program or service by using
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create an Inbound Program or Service Rule

3
windows/security/threat-protection/windows-firewall/create-an-outbound-port-rule.md → windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-port-rule.md
View File

@ -4,9 +4,6 @@ description: Learn to block outbound traffic on a port by using the Group Policy
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create an Outbound Port Rule

3
windows/security/threat-protection/windows-firewall/create-an-outbound-program-or-service-rule.md → windows/security/operating-system-security/network-security/windows-firewall/create-an-outbound-program-or-service-rule.md
View File

@ -4,9 +4,6 @@ description: Use the Windows Defender Firewall with Advanced Security node in th
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create an Outbound Program or Service Rule

3
windows/security/threat-protection/windows-firewall/create-inbound-rules-to-support-rpc.md → windows/security/operating-system-security/network-security/windows-firewall/create-inbound-rules-to-support-rpc.md
View File

@ -4,9 +4,6 @@ description: Learn how to allow RPC network traffic by using the Group Policy Ma
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create Inbound Rules to Support RPC

3
windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md → windows/security/operating-system-security/network-security/windows-firewall/create-windows-firewall-rules-in-intune.md
View File

@ -3,9 +3,6 @@ title: Create Windows Firewall rules in Intune
description: Learn how to use Intune to create rules in Windows Defender Firewall with Advanced Security. Start by creating a profile in Device Configuration in Intune.
ms.prod: windows-client
ms.topic: conceptual
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
ms.date: 12/31/2017
---

3
windows/security/threat-protection/windows-firewall/create-wmi-filters-for-the-gpo.md → windows/security/operating-system-security/network-security/windows-firewall/create-wmi-filters-for-the-gpo.md
View File

@ -7,9 +7,6 @@ ms.collection:
- tier3
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Create WMI Filters for the GPO

3
windows/security/threat-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md → windows/security/operating-system-security/network-security/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
View File

@ -4,9 +4,6 @@ description: Answer the question in this article to design an effective Windows
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Designing a Windows Defender Firewall with Advanced Security Strategy

3
windows/security/threat-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md → windows/security/operating-system-security/network-security/windows-firewall/determining-the-trusted-state-of-your-devices.md
View File

@ -4,9 +4,6 @@ description: Learn how to define the trusted state of devices in your enterprise
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Determining the Trusted State of Your Devices

3
windows/security/threat-protection/windows-firewall/documenting-the-zones.md → windows/security/operating-system-security/network-security/windows-firewall/documenting-the-zones.md
View File

@ -4,9 +4,6 @@ description: Learn how to document the zone placement of devices in your design
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Documenting the Zones

3
windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md → windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design-example.md
View File

@ -4,9 +4,6 @@ description: This example uses a fictitious company to illustrate domain isolati
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Domain Isolation Policy Design Example

3
windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md → windows/security/operating-system-security/network-security/windows-firewall/domain-isolation-policy-design.md
View File

@ -4,9 +4,6 @@ description: Learn how to design a domain isolation policy, based on which devic
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Domain Isolation Policy Design

3
windows/security/threat-protection/windows-firewall/enable-predefined-inbound-rules.md → windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-inbound-rules.md
View File

@ -4,9 +4,6 @@ description: Learn the rules for Windows Defender Firewall with Advanced Securit
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Enable Predefined Inbound Rules

3
windows/security/threat-protection/windows-firewall/enable-predefined-outbound-rules.md → windows/security/operating-system-security/network-security/windows-firewall/enable-predefined-outbound-rules.md
View File

@ -4,9 +4,6 @@ description: Learn to deploy predefined firewall rules that block outbound netwo
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/07/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Enable Predefined Outbound Rules

3
windows/security/threat-protection/windows-firewall/encryption-zone-gpos.md → windows/security/operating-system-security/network-security/windows-firewall/encryption-zone-gpos.md
View File

@ -4,9 +4,6 @@ description: Learn how to add a device to an encryption zone by adding the devic
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/08/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Encryption Zone GPOs

3
windows/security/threat-protection/windows-firewall/encryption-zone.md → windows/security/operating-system-security/network-security/windows-firewall/encryption-zone.md
View File

@ -4,9 +4,6 @@ description: Learn how to create an encryption zone to contain devices that host
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/08/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Encryption Zone

3
windows/security/threat-protection/windows-firewall/exempt-icmp-from-authentication.md → windows/security/operating-system-security/network-security/windows-firewall/exempt-icmp-from-authentication.md
View File

@ -4,9 +4,6 @@ description: Learn how to add exemptions for any network traffic that uses the I
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/08/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Exempt ICMP from Authentication

3
windows/security/threat-protection/windows-firewall/exemption-list.md → windows/security/operating-system-security/network-security/windows-firewall/exemption-list.md
View File

@ -4,9 +4,6 @@ description: Learn about reasons to add devices to an exemption list in Windows
ms.prod: windows-client
ms.topic: conceptual
ms.date: 09/08/2021
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10 and later</a>
- ✅ <a href="https://learn.microsoft.com/windows/release-health/windows-server-release-info" target="_blank">Windows Server 2016 and later</a>
---
# Exemption List

Some files were not shown because too many files have changed in this diff Show More