From 8acf5994725441506f024dc89773edb32bd39547 Mon Sep 17 00:00:00 2001 From: danhwang1 <40180973+danhwang1@users.noreply.github.com> Date: Mon, 11 Jun 2018 11:45:40 -0700 Subject: [PATCH 01/16] Update supl-ddf-file.md We have recently made a change in our Location Platform pertaining to SUPL to increase the max number of root certificates from 3 to 6 (as mandated). As a result, we will need to update the necessary public documentation here: https://docs.microsoft.com/en-us/windows/client-management/mdm/supl-ddf-file --- .../client-management/mdm/supl-ddf-file.md | 198 +++++++++++++++++- 1 file changed, 197 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index e6ed98d713..4ee4e4ad1d 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -171,7 +171,7 @@ The XML below is the current version for this CSP. - MCCMNPairs + MCCMNCPairs @@ -482,6 +482,201 @@ The XML below is the current version for this CSP. + + RootCertificate4 + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate5 + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + + + RootCertificate6 + + + + + Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. + + + + + + + + + + + + + + + Name + + + + + + Specifies the name of the H-SLP root certificate as a string, in the format name.cer. + + + + + + + + + + + text/plain + + + + + Data + + + + + + The base 64 encoded blob of the H-SLP root certificate. + + + + + + + + + + + + + + + V2UPL1 @@ -662,6 +857,7 @@ The XML below is the current version for this CSP. + ```   From 691fcc8adcef630ede24ab5336814e0586e0a4ba Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 12 Jun 2018 10:23:42 -0700 Subject: [PATCH 02/16] first pass fixing links to dead OMS marketing page --- .../update/device-health-get-started.md | 13 ++++++++----- .../update/update-compliance-get-started.md | 8 ++++++-- .../upgrade/upgrade-readiness-get-started.md | 15 +++++++++------ .../upgrade/upgrade-readiness-requirements.md | 14 +++++++------- 4 files changed, 30 insertions(+), 20 deletions(-) diff --git a/windows/deployment/update/device-health-get-started.md b/windows/deployment/update/device-health-get-started.md index 81a57be6d4..5b3a7b3474 100644 --- a/windows/deployment/update/device-health-get-started.md +++ b/windows/deployment/update/device-health-get-started.md @@ -5,7 +5,7 @@ keywords: Device Health, oms, operations management suite, prerequisites, requir ms.prod: w10 ms.mktglfcycl: deploy ms.sitesec: library -ms.date: 03/20/2018 +ms.date: 06/12/2018 ms.pagetype: deploy author: jaimeo ms.author: jaimeo @@ -24,13 +24,16 @@ Steps are provided in sections that follow the recommended setup process: -## Add Device Health to Microsoft Operations Management Suite +## Add Device Health to Microsoft Operations Management Suite or Azure Log Analytics -Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Device Health is offered as a solution in the Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. +**If you are already using Windows Analytics**, you should use the same Azure Log Analytics workspace you're already using. Find Device Health in the Solutions Gallery. Select the **Device Health** tile in the gallery and then click **Add** on the solution's details page. Device Health is now visible in your workspace. While you're in the Solutions Gallery, you should consider installing the [Upgrade Readiness](../upgrade/use-upgrade-readiness-to-manage-windows-upgrades.md) and [Update Compliance](update-compliance-monitor.md) solutions as well, if you haven't already. -**If you are not yet using Windows Analytics or Azure Log Analytics**, use the following steps to subscribe: +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=DeviceHealthProd) to go directly to the Device Health solution and add it to your workspace. + +**If you are not yet using Windows Analytics or Azure Log Analytics**, follow these steps to subscribe: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. [![Operations Management Suite bar with sign-in button](images/uc-02a.png)](images/uc-02.png) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 6cfecd1c73..9887546277 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -23,12 +23,16 @@ Steps are provided in sections that follow the recommended setup process: -## Add Update Compliance to Microsoft Operations Management Suite +## Add Update Compliance to Microsoft Operations Management Suite or Azure Log Analytics -Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Update Compliance is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud-based servicing for monitoring and automating your on-premise and cloud environments. For more information about OMS, see [Operations Management Suite overview](https://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Device Health solution and add it to your workspace. + + If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: 1. Go to [Operations Management Suite](https://www.microsoft.com/en-us/cloud-platform/operations-management-suite) on Microsoft.com and click **Sign in**. diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index e80d01d273..3ee8a1a528 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: deploy author: jaimeo ms.author: jaimeo -ms.date: 03/20/2018 +ms.date: 06/12/2018 ms.localizationpriority: high --- @@ -35,7 +35,7 @@ When you are ready to begin using Upgrade Readiness, perform the following steps To enable system, application, and driver data to be shared with Microsoft, you must configure user computers to send data. For information about what diagnostic data Microsoft collects and how that data is used and protected by Microsoft, see the following topics, refer to [Frequently asked questions and troubleshooting Windows Analytics](https://docs.microsoft.com/windows/deployment/update/windows-analytics-FAQ-troubleshooting), which discusses the issues and provides links to still more detailed information. -## Add Upgrade Readiness to Operations Management Suite +## Add Upgrade Readiness to Operations Management Suite or Azure Log Analytics Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing your on-premises and cloud environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/documentation/articles/operations-management-suite-overview/). @@ -44,11 +44,14 @@ Upgrade Readiness is offered as a solution in the Microsoft Operations Managemen If you are already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Select the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution's details page. Upgrade Readiness is now visible in your workspace. While you have this dialog open, you should also consider adding the [Device Health](../update/device-health-monitor.md) and [Update Compliance](../update/update-compliance-monitor.md) solutions as well, if you haven't already. To do so, just select the check boxes for those solutions. -If you are not using OMS: +>[!NOTE] +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=CompatibilityAssessment) to go directly to the Upgrade Readiness solution and add it to your workspace. -1. Go to the [Upgrade Readiness page on Microsoft.com](https://go.microsoft.com/fwlink/?LinkID=799190&clcid=0x409) and select **New Customers >** to start the process. -2. Sign in to Operations Management Suite (OMS). You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. -3. Create a new OMS workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. +If you are not using OMS or Azure Log Analytics: + +1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. +2. Sign in to Operations Management Suite (OMS or Azure Log Analytics You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. +3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. 4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. > If your organization does not have an Azure subscription, create a new one or select the default OMS Azure subscription from the list. Your workspace opens. diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 21dfb741d1..538d13cb2a 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -5,7 +5,7 @@ keywords: windows analytics, oms, operations management suite, prerequisites, re ms.prod: w10 author: jaimeo ms.author: -ms.date: 03/15/2018 +ms.date: 06/12/2018 ms.localizationpriority: high --- @@ -32,19 +32,19 @@ See [Windows 10 Specifications](http://www.microsoft.com/en-US/windows/windows-1 ### Windows 10 Keeping Windows 10 up to date involves deploying a feature update, and Upgrade Readiness tools help you prepare and plan for these Windows updates. -The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). +The latest cumulative updates must be installed on Windows 10 computers to make sure that the required compatibility updates are installed. You can find the latest cumulative update on the [Microsoft Update Catalog](https://catalog.update.microsoft.com). While Upgrade Readiness can be used to assist with updating devices from Windows 10 Long-Term Servicing Channel (LTSC) to Windows 10 Semi-Annual Channel, Upgrade Readiness does not support updates to Windows 10 LTSC. The Long-Term Servicing Channel of Windows 10 is not intended for general deployment, and does not receive feature updates, therefore it is not a supported target with Upgrade Readiness. See [Windows as a service overview](../update/waas-overview.md#long-term-servicing-channel) to understand more about LTSC. -## Operations Management Suite +## Operations Management Suite or Azure Log Analytics -Upgrade Readiness is offered as a solution in the Microsoft Operations Management Suite (OMS), a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/). +Upgrade Readiness is offered as a solution in Microsoft Operations Management Suite (OMS) and Azure Log Analytics, a collection of cloud based services for managing on premise and cloud computing environments. For more information about OMS, see [Operations Management Suite overview](http://azure.microsoft.com/en-us/documentation/articles/operations-management-suite-overview/) or the Azure [Log Analytics overview](https://azure.microsoft.com/services/log-analytics/). -If you’re already using OMS, you’ll find Upgrade Readiness in the Solutions Gallery. Click the Upgrade Readiness tile in the gallery and then click Add on the solution’s details page. Upgrade Readiness is now visible in your workspace. +If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Readiness in the Solutions Gallery. Click the **Upgrade Readiness** tile in the gallery and then click **Add** on the solution’s details page. Upgrade Readiness is now visible in your workspace. You can also -If you are not using OMS, go to the [Upgrade Readiness page](https://www.microsoft.com/en-us/windowsforbusiness/simplified-updates) on Microsoft.com and select **Sign up** to kick off the OMS onboarding process. During the onboarding process, you’ll create an OMS workspace and add the Upgrade Readiness solution to it. +If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -Important: You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. +>[!IMPORTANT] You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work >or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. ## System Center Configuration Manager integration From 26a9473445983b5435f5f1ff17a105b4f4a6b8da Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 12 Jun 2018 13:03:25 -0700 Subject: [PATCH 03/16] added new topic for isg --- .../TOC.md | 1 + ...control-with-intelligent-security-graph.md | 142 ++++++++++++++++++ 2 files changed, 143 insertions(+) create mode 100644 windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md index 4bf7c5ff89..1d9c033045 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.md +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md @@ -18,6 +18,7 @@ ### [Merge WDAC policies](merge-windows-defender-application-control-policies.md) ### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md) ### [Deploy WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md) +### [Deploy WDAC with Intelligent Security Graph (ISG)](use-windows-defender-application-control-with-intelligent-security-graph.md) ### [Deploy WDAC policies using Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md) ### [Deploy WDAC policies using Intune](deploy-windows-defender-application-control-policies-using-intune.md) ### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md new file mode 100644 index 0000000000..57f5838a42 --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -0,0 +1,142 @@ +--- +title: Deploy Windows Defender Application Control with Intelligent Security Graph (ISG) (Windows 10) +description: Automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +author: mdsakibMSFT +ms.date: 03/01/2018 +--- + +# Use Windows Defender Application Control (WDAC) with the Microsoft Intelligent Security Graph + +**Applies to:** + +- Windows 10 +- Windows Server 2016 + + +```code + + + + + + + + + + + + + + + + + + + + + + + +``` + +## Enable service enforcement in AppLocker policy + +Since many installation processes rely on services, it is typically necessary to enable tracking of services. +Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice. +For example: + +```code + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +``` + +### Enable the managed installer option in WDAC policy + +In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy. +This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). +An example of the managed installer option being set in policy is shown below. + +```code + + + + + + + + + + + + + + + + + +``` + +## Security considerations with managed installer + +Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. +It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. + +Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. +If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. +Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. +To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation. + +## Known limitations with managed installer + +- Application execution control based on managed installer does not support applications that self-update. +If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. +Enterprises should deploy and install all application updates using the managed installer. +In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. +Proper review for functionality and security should be performed for the application before using this method. + +- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. +Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. + +- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. + +- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. +In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. +Proper review for functionality and security should be performed for the application before using this method. + +- The managed installer heuristic does not authorize drivers. +The WDAC policy must have rules that allow the necessary drivers to run. + +- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. +Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. +Review for functionality and performance for the related applications using the native images maybe necessary in some cases. From 1b3717b4e850e9916028733b3cf8cd0f2e666b80 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 12 Jun 2018 13:27:24 -0700 Subject: [PATCH 04/16] fixing some typos --- windows/deployment/update/update-compliance-get-started.md | 2 +- windows/deployment/upgrade/upgrade-readiness-get-started.md | 2 +- windows/deployment/upgrade/upgrade-readiness-requirements.md | 5 +++-- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/deployment/update/update-compliance-get-started.md b/windows/deployment/update/update-compliance-get-started.md index 9887546277..9d1b01ce0f 100644 --- a/windows/deployment/update/update-compliance-get-started.md +++ b/windows/deployment/update/update-compliance-get-started.md @@ -30,7 +30,7 @@ Update Compliance is offered as a solution in the Microsoft Operations Managemen If you are already using OMS, skip to step **6** to add Update Compliance to your workspace. >[!NOTE] ->If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Device Health solution and add it to your workspace. +>If you are already using OMS, you can also follow [this link](https://portal.mms.microsoft.com/#Workspace/ipgallery/details/details/index?IPId=WaaSUpdateInsights) to go directly to the Update Compliance solution and add it to your workspace. If you are not yet using OMS, use the following steps to subscribe to OMS Update Compliance: diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index 3ee8a1a528..2972c0ff9c 100644 --- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -50,7 +50,7 @@ If you are already using OMS, you’ll find Upgrade Readiness in the Solutions G If you are not using OMS or Azure Log Analytics: 1. Go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. -2. Sign in to Operations Management Suite (OMS or Azure Log Analytics You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. +2. Sign in to Operations Management Suite (OMS) or Azure Log Analytics. You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory (Azure AD), use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. 3. Create a new workspace. Enter a name for the workspace, select the workspace region, and provide the email address that you want associated with this workspace. Select **Create**. 4. If your organization already has an Azure subscription, you can link it to your workspace. Note that you may need to request access from your organization’s Azure administrator. diff --git a/windows/deployment/upgrade/upgrade-readiness-requirements.md b/windows/deployment/upgrade/upgrade-readiness-requirements.md index 538d13cb2a..7695e28a28 100644 --- a/windows/deployment/upgrade/upgrade-readiness-requirements.md +++ b/windows/deployment/upgrade/upgrade-readiness-requirements.md @@ -21,7 +21,7 @@ To perform an in-place upgrade, user computers must be running the latest versio The compatibility update that sends diagnostic data from user computers to Microsoft data centers works with Windows 7 SP1 and Windows 8.1 only. Upgrade Readiness cannot evaluate Windows XP or Windows Vista for upgrade eligibility. - + If you need to update user computers to Windows 7 SP1 or Windows 8.1, use Windows Update or download and deploy the applicable package from the Microsoft Download Center. @@ -44,7 +44,8 @@ If you’re already using OMS or Azure Log Analytics, you’ll find Upgrade Read If you are not using OMS or Azure Log Analytics, go to [Log Analytics](https://azure.microsoft.com/services/log-analytics/) on Microsoft.com and select **Start free** to start the setup process. During the process, you’ll create a workspace and add the Upgrade Readiness solution to it. ->[!IMPORTANT] You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work >or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. +>[!IMPORTANT] +>You can use either a Microsoft Account or a Work or School account to create a workspace. If your company is already using Azure Active Directory, use a Work or School account when you sign in to OMS. Using a Work or School account allows you to use identities from your Azure AD to manage permissions in OMS. You also need an Azure subscription to link to your OMS workspace. The account you used to create the workspace must have administrator permissions on the Azure subscription in order to link the workspace to the Azure account. Once the link has been established, you can revoke the administrator permissions. ## System Center Configuration Manager integration From 99c0736647e9edddff7cbc6cfaec77009de4bbaa Mon Sep 17 00:00:00 2001 From: Martin Adler <1208749+EagleIJoe@users.noreply.github.com> Date: Wed, 13 Jun 2018 12:51:37 +0200 Subject: [PATCH 05/16] Corrected examples XML syntax Upper case boolean values caused parser error Ending XML closing tag invalidates file --- .../app-v/appv-auto-batch-updating.md | 92 +++++++++---------- 1 file changed, 45 insertions(+), 47 deletions(-) diff --git a/windows/application-management/app-v/appv-auto-batch-updating.md b/windows/application-management/app-v/appv-auto-batch-updating.md index 1d96b18fb8..ff99b0273a 100644 --- a/windows/application-management/app-v/appv-auto-batch-updating.md +++ b/windows/application-management/app-v/appv-auto-batch-updating.md @@ -41,29 +41,28 @@ Updating multiple apps at the same time requires that you create a **ConfigFile* **Example:** ```XML - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - True - True - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - True - True - - - + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + true + true + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + true + true + + ``` 3. Save your completed file under the name **ConfigFile**. @@ -101,29 +100,28 @@ Updating multipe apps at the same time requires that you create a **ConfigFile** ```XML - - - Skype for Windows Update - D:\Install\Update\SkypeforWindows - SkypeSetup.exe - /S - C:\App-V_Package\Microsoft_Apps\skypeupdate.appv - 20 - False - True - - - Microsoft Power BI Update - D:\Install\Update\PowerBI - PBIDesktop.msi - /S - C:\App-V_Package\MS_Apps\powerbiupdate.appv - 20 - False - True - - - + + + Skype for Windows Update + D:\Install\Update\SkypeforWindows + SkypeSetup.exe + /S + C:\App-V_Package\Microsoft_Apps\skypeupdate.appv + 20 + false + true + + + Microsoft Power BI Update + D:\Install\Update\PowerBI + PBIDesktop.msi + /S + C:\App-V_Package\MS_Apps\powerbiupdate.appv + 20 + false + true + + ``` ### Start the App-V Sequencer interface and app installation process @@ -157,4 +155,4 @@ There are three types of log files that occur when you sequence multiple apps at ## Have a suggestion for App-V? -Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). \ No newline at end of file +Add or vote on suggestions on the [Application Virtualization feedback site](https://appv.uservoice.com/forums/280448-microsoft-application-virtualization). From 18f3d7f9b13a10de950050a888ccd3deb47c0780 Mon Sep 17 00:00:00 2001 From: Christopher McClister Date: Wed, 13 Jun 2018 08:26:54 -0700 Subject: [PATCH 06/16] Added ms.collection meta data to Education hub per Lauren Moynihan --- education/index.md | 1 + 1 file changed, 1 insertion(+) diff --git a/education/index.md b/education/index.md index 424b52680d..c78b456b9e 100644 --- a/education/index.md +++ b/education/index.md @@ -6,6 +6,7 @@ description: Learn about product documentation and resources available for schoo author: CelesteDG ms.topic: hub-page ms.author: celested +ms.collection: ITAdminEDU ms.date: 10/30/2017 ---
From 436fe714e3178bc5f9be0c3b65482a4cacdac780 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 13 Jun 2018 09:56:48 -0700 Subject: [PATCH 07/16] added bold to code snippet --- ...control-with-intelligent-security-graph.md | 151 ++++++------------ 1 file changed, 53 insertions(+), 98 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 57f5838a42..c5c738cc8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -15,11 +15,39 @@ ms.date: 03/01/2018 - Windows 10 - Windows Server 2016 +Application execution control can be difficult to implement in enterprises that do not have processes to effectively control the deployment of applications centrally through an IT managed system. +In such environments, users are empowered to acquire the applications they need for work, making accounting for all the applications that would need to be authorized for execution control a daunting task. -```code +Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) provides a new option, known as Intelligent Security Graph (ISG) authorization, that allows IT administrators to automatically authorize applications that Microsoft’s ISG recognizes as having known good reputation. The ISG option helps IT organizations take a significant first step towards going from having no application control at all to a simple means of preventing the execution of unknown and known bad software. + +## How does the integration between WDAC and the Intelligent Security Graph work? + +The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed the reputation data is used to help make the right policy authorization decision. + +After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification. + +The reputation data on the client is rechecked periodically and enterprises can also specify that any cached reputation results are flushed on reboot. + +>[!NOTE] +>Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be classified as being known good by the Intelligent Security Graph, for example custom line-of-business (LOB) apps. Since the Intelligent Security Graph is powered by global prevalence data, internal LOB apps may not be recognized as being known good. Other mechanisms like managed installer and explicit rules will help cover internal applications. Both System Center Configuration Manager (SCCM) and Microsoft Intune can be used to create and push a WDAC policy to your client machines. + +Other examples of WDAC policies are available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies and can help authorize Windows OS components, WHQL signed drivers and all Store apps. Admins can reference and customize them as needed for their Windows Defender Application Control deployment or [create a custom WDAC policy](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy). + +## Configuring Intelligent Security Graph authorization for Windows Defender Application Control + +Setting up the ISG authorization is easy regardless of what management solution you use. Configuring the ISG option involves these basic steps: + +- [Ensure that the ISG option is enabled in the WDAC policy XML](#ensure-that-the-intelligent-security-graph-option-is-enabled-in-the-wdac-policy-xml) +- [Enable the necessary services to allow WDAC to use the ISG correctly on the client](#enable-the-necessary-services-to-allow-wdac-to-use-the-isg-correctly-on-the-client) + +### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML + +In order to enable trust for executables based on classifications in the ISG, the Enabled: Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. An example of both options being set is shown below. + +
  
      
-       
+       
      
      
        
@@ -27,12 +55,12 @@ ms.date: 03/01/2018
      
        
      
-     
-       
-     
-     
-       
-     
+     
+       
+     
+     
+       
+     
      
        
      
@@ -40,103 +68,30 @@ ms.date: 03/01/2018
        
      
  
+
+ +### Enable the necessary services to allow WDAC to use the ISG correctly on the client + +In order for the heuristics used by the ISG to function properly, a number of component in Windows need to be enabled. The easiest way to do this is to run the appidtel executable in c:\windows\system32. + +``` +appidtel start ``` -## Enable service enforcement in AppLocker policy +For WDAC policies deployed over MDM using the AppLocker CSP this step is not required as the CSP will enable the necessary components. ISG enabled through the SCCM WDAC UX will not need this step but if custom policies are being deployed outside of the WDAC UX through SCCM then this step is required. -Since many installation processes rely on services, it is typically necessary to enable tracking of services. -Correct tracking of services requires the presence of at least one rule in the rule collection – a simple audit only rule will suffice. -For example: +## Security considerations with using the Intelligent Security Graph -```code - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -``` +Since the ISG is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. It is best suited for deployment to systems where each user is configured as a standard user and there are other monitoring systems in place like Windows Defender Advanced Threat Protection to help provide optics into what users are doing. -### Enable the managed installer option in WDAC policy +Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of WDAC when the ISG option is allowed by circumventing or corrupting the heuristics used to assign reputation to application executables. The ISG option uses the same heuristic tracking as managed installer and so for application installers that include an option to automatically run the application at the end of the installation process the heuristic may over-authorize. -In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). -An example of the managed installer option being set in policy is shown below. +## Known limitations with using the Intelligent Security Graph -```code - - - - - - - - - - - - - - - - - -``` +Since the ISG relies on identifying executables as being known good there are cases where it may classify legitimate executables as unknown leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in WDAC policy or by deployment through a WDAC managed installer. Typically this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG. -## Security considerations with managed installer +Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business it is straightforward to authorize modern apps with signer rules in the WDAC policy. -Since managed installer is a heuristic-based mechanism, it does not provide the same security guarantees that explicit allow or deny rules do. -It is best suited for deployment to systems where each user is configured as a standard user and where all software is deployed and installed by a software distribution solution, such as System Center Configuration Manager. +The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. -Users with administrator privileges or malware running as an administrator user on the system may be able to circumvent the intent of Windows Defender Application Control when the managed installer option is allowed. -If the authorized managed installer process performs installations in the context of a user with standard privileges, then it is possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. -Some application installers include an option to automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization may continue to apply to all files created during the first run of the application. This could result in over-authorization for executables that were not intended. -To avoid this, ensure that the application deployment solution being used as a managed installer limits running applications as part of installation. - -## Known limitations with managed installer - -- Application execution control based on managed installer does not support applications that self-update. -If an application deployed by a managed installer subsequently updates itself, the updated application files will no longer include the managed installer origin information and will not be authorized to run. -Enterprises should deploy and install all application updates using the managed installer. -In some cases, it may be possible to also designate an application binary that performs the self-updates as a managed installer. -Proper review for functionality and security should be performed for the application before using this method. - -- Although WDAC policies can be deployed in both audit and enforced mode, the managed installer option is currently only recommended for use with policies set to enforced except in lab environments. -Using the managed installer option with WDAC policies set to audit only may result in unexpected behavior if the policy is subsequently changed to enforced mode. - -- Modern apps deployed through a managed installer will not be tracked by the managed installer heuristic and will need to be separately authorized in your WDAC policy. - -- Executables that extract files and then attempt to execute may not be allowed by the managed installer heuristic. -In some cases, it may be possible to also designate an application binary that performs such an operation as a managed installer. -Proper review for functionality and security should be performed for the application before using this method. - -- The managed installer heuristic does not authorize drivers. -The WDAC policy must have rules that allow the necessary drivers to run. - -- In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. -Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. -Review for functionality and performance for the related applications using the native images maybe necessary in some cases. +In some cases, the code integrity logs where WDAC errors and warnings are written will contain error events for native images generated for .NET assemblies. Typically, the error is functionally benign as a blocked native image will result in the corresponding assembly being re-interpreted. Review for functionality and performance for the related applications using the native images maybe necessary in some cases. \ No newline at end of file From a33af7a063e817c9dd78174e6b196fd2c63e774d Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 13 Jun 2018 13:32:24 -0700 Subject: [PATCH 08/16] Corrected ASR rule functions. --- .../attack-surface-reduction-exploit-guard.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 4085972ad5..ef39fda490 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/12/2018 +ms.date: 06/13/2018 --- @@ -174,7 +174,6 @@ This rule attempts to block Office files that contain macro code that is capable This rule blocks the following file types from being run or launched unless they meet prevalence or age criteria set by admins, or they are in a trusted list or exclusion list: - Executable files (such as .exe, .dll, or .scr) -- Script files (such as a PowerShell .ps, VisualBasic .vbs, or JavaScript .js file) ### Rule: Use advanced protection against ransomware From e7903a90bbcc957f988d2d36f2e6274084f47ae4 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 13 Jun 2018 13:52:18 -0700 Subject: [PATCH 09/16] fixed formatting --- ...control-with-intelligent-security-graph.md | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index c5c738cc8e..f5dfca7d37 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -22,7 +22,7 @@ Windows 10, version 1709 (also known as the Windows 10 Fall Creators Update) pro ## How does the integration between WDAC and the Intelligent Security Graph work? -The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed the reputation data is used to help make the right policy authorization decision. +The ISG relies on Microsoft’s vast security intelligence and machine learning analytics to help classify applications as having known good reputation. When users download applications on a system with WDAC enabled with the ISG authorization option specified, the reputation of the downloaded file, commonly an installer, is used to determine whether to run the installer and then that original reputation information is passed along to any files that were written by the installer. When any of these files try to execute after they are installed, the reputation data is used to help make the right policy authorization decision. After that initial download and installation, the WDAC component will check for the presence of the positive reputation information when evaluating other application execution control rules specified in the policy. If there are no deny rules present for the file, it will be authorized based on the known good reputation classification. @@ -42,9 +42,9 @@ Setting up the ISG authorization is easy regardless of what management solution ### Ensure that the Intelligent Security Graph option is enabled in the WDAC policy XML -In order to enable trust for executables based on classifications in the ISG, the Enabled: Intelligent Security Graph authorization option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition it is recommended from a security perspective to also enable the Enabled:Invalidate EAs on Reboot option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. An example of both options being set is shown below. +In order to enable trust for executables based on classifications in the ISG, the **Enabled: Intelligent Security Graph authorization** option must be specified in the WDAC policy. This can be done with the Set-RuleOption cmdlet. In addition, it is recommended from a security perspective to also enable the **Enabled:Invalidate EAs on Reboot** option to invalidate the cached ISG results on reboot to force rechecking of applications against the ISG. Caution is advised if devices will regularly transition to and from environments that may not be able to access the ISG. The following example shows both options being set. -
+```code
  
      
        
@@ -55,12 +55,12 @@ In order to enable trust for executables based on classifications in the ISG, th
      
        
      
-     
-       
-     
-     
-       
-     
+    
+      
+    
+    
+       
+    
      
        
      
@@ -68,7 +68,7 @@ In order to enable trust for executables based on classifications in the ISG, th
        
      
  
-
+``` ### Enable the necessary services to allow WDAC to use the ISG correctly on the client @@ -88,9 +88,9 @@ Users with administrator privileges or malware running as an administrator user ## Known limitations with using the Intelligent Security Graph -Since the ISG relies on identifying executables as being known good there are cases where it may classify legitimate executables as unknown leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in WDAC policy or by deployment through a WDAC managed installer. Typically this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG. +Since the ISG relies on identifying executables as being known good, there are cases where it may classify legitimate executables as unknown, leading to blocks that need to be resolved either with a rule in the WDAC policy, a catalog signed by a certificate trusted in the WDAC policy or by deployment through a WDAC managed installer. Typically, this is due to an installer or application using a dynamic file as part of execution. These files do not tend to build up known good reputation. Auto-updating applications have also been observed using this mechanism and may be flagged by the ISG. -Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business it is straightforward to authorize modern apps with signer rules in the WDAC policy. +Modern apps are not supported with the ISG heuristic and will need to be separately authorized in your WDAC policy. As modern apps are signed by the Microsoft Store and Microsoft Store for Business. it is straightforward to authorize modern apps with signer rules in the WDAC policy. The ISG heuristic does not authorize kernel mode drivers. The WDAC policy must have rules that allow the necessary drivers to run. From a84f2885449ccb019c65048e9c19d06cf8b925ca Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 13 Jun 2018 13:56:08 -0700 Subject: [PATCH 10/16] fixed formatting --- ...ndows-defender-application-control-with-managed-installer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md index efb071bcb1..badaf77f39 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md @@ -6,7 +6,7 @@ ms.prod: w10 ms.mktglfcycl: deploy ms.localizationpriority: high author: mdsakibMSFT -ms.date: 03/01/2018 +ms.date: 06/13/2018 --- # Deploy Managed Installer for Windows Defender Application Control From 1650ac230c4b901630c9680ebb31c309a2e57356 Mon Sep 17 00:00:00 2001 From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 13 Jun 2018 14:01:22 -0700 Subject: [PATCH 11/16] Incorp review --- .../attack-surface-reduction-exploit-guard.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 4085972ad5..c1ad13b4dd 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 06/12/2018 +ms.date: 06/13/2018 --- @@ -187,6 +187,9 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i >[!IMPORTANT] >[Exclusions do not apply to this rule](customize-attack-surface-reduction.md#exclude-files-and-folders). + >[!NOTE] + >Some apps are coded to enumerate all running processes and to attempt opening them with exhaustive permissions. This results in the app accessing LSASS even when it's not necessary. ASR will deny the app's process open action and log the details to the security event log. Entry in the event log for access denial by itself is not an indication of the presence of a malicious threat. + ### Rule: Block process creations originating from PSExec and WMI commands This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. From facc92390c2c008d60e772efc1edc7fe874b90ec Mon Sep 17 00:00:00 2001 From: Zane <34351912+zburtondbrs@users.noreply.github.com> Date: Wed, 13 Jun 2018 16:02:17 -0500 Subject: [PATCH 12/16] Update set-the-default-browser-using-group-policy.md The KB does not specify that this is a computer policy. Since there is not an equivalent user policy, I think that this should be explicitly stated. --- .../set-the-default-browser-using-group-policy.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md index 899c3da6e3..900f6cbb17 100644 --- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md +++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md @@ -17,7 +17,7 @@ You can use the Group Policy setting, **Set a default associations configuration **To set the default browser as Internet Explorer 11** -1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

+1. Open your Group Policy editor and go to the **Computer Configuration\\Policies\\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.

Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268). ![set default associations group policy setting](images/setdefaultbrowsergp.png) From 3f87dc491dbdba52acb699e5b5c0926809cefd10 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 13 Jun 2018 14:02:51 -0700 Subject: [PATCH 13/16] minor updates --- ...privacy-windows-defender-advanced-threat-protection.md | 6 +++--- ...censing-windows-defender-advanced-threat-protection.md | 2 +- ...rements-windows-defender-advanced-threat-protection.md | 6 +++--- ...ot-siem-windows-defender-advanced-threat-protection.md | 8 ++++---- 4 files changed, 11 insertions(+), 11 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 7a7abff824..1f6735881b 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 03/06/2018 +ms.date: 06/13/2018 --- # Windows Defender ATP data storage and privacy @@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac ## What data does Windows Defender ATP collect? -Microsoft will collect and store information from your configured machines in a database specific to the service for administration, tracking, and reporting purposes. +Windows Defender ATP will collect and store information from your configured machines in a customer dedicate and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). @@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index e64acc561c..30c94ffd40 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md @@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows. You will need to set up your preferences for the Windows Defender ATP portal. -3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. +3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the European Union, the United Kingdom, or the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. > [!WARNING] > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process. diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md index c4a8127477..bd53b3a21d 100644 --- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md @@ -36,14 +36,14 @@ For more information, see [Windows 10 Enterprise edition](https://www.microsoft. ### Licensing requirements Windows Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers: -- Windows 10 Enterprise E5 -- Windows 10 Education E5 +- Windows 10 Enterprise E5 +- Windows 10 Education E5 - Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5 For more information, see [Windows 10 Licensing](https://www.microsoft.com/en-us/Licensing/product-licensing/windows10.aspx#tab=2). ### Network and data storage and configuration requirements -When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the United Kingdom, Europe, or United States datacenter. +When you run the onboarding wizard for the first time, you must choose where your Windows Defender Advanced Threat Protection-related information is stored: in the European Union, the United Kingdom, or the United States datacenter. > [!NOTE] > - You cannot change your data storage location after the first-time setup. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index ba867a62e4..eb4b206317 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md @@ -63,10 +63,10 @@ If you encounter an error when trying to get a refresh token when using the thre - For Threat intelligence API: `https://WindowsDefenderATPCustomerTiConnector` 5. Add the following URL: - - For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. - - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` - - For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` - + - For the European Union: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` + - For the United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` + - For the United States: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. + 6. Click **Save**. >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-troubleshootsiem-belowfoldlink) From 71d2e1e786e30009f3965a6be272a1a3b8300ad6 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 13 Jun 2018 14:17:05 -0700 Subject: [PATCH 14/16] typo --- ...orage-privacy-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index 1f6735881b..872a54ee9b 100644 --- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -27,7 +27,7 @@ This section covers some of the most frequently asked questions regarding privac ## What data does Windows Defender ATP collect? -Windows Defender ATP will collect and store information from your configured machines in a customer dedicate and segregated tenant specific to the service for administration, tracking, and reporting purposes. +Windows Defender ATP will collect and store information from your configured machines in a customer dedicated and segregated tenant specific to the service for administration, tracking, and reporting purposes. Information collected includes file data (such as file names, sizes, and hashes), process data (running processes, hashes), registry data, network connection data (host IPs and ports), and machine details (such as machine identifiers, names, and the operating system version). From 3d417b579cb5b4eb36bb5138848946614ce23637 Mon Sep 17 00:00:00 2001 From: Patti Short <35278231+shortpatti@users.noreply.github.com> Date: Wed, 13 Jun 2018 14:24:29 -0700 Subject: [PATCH 15/16] Revert "Update supl-ddf-file.md" --- .../client-management/mdm/supl-ddf-file.md | 198 +----------------- 1 file changed, 1 insertion(+), 197 deletions(-) diff --git a/windows/client-management/mdm/supl-ddf-file.md b/windows/client-management/mdm/supl-ddf-file.md index 4ee4e4ad1d..e6ed98d713 100644 --- a/windows/client-management/mdm/supl-ddf-file.md +++ b/windows/client-management/mdm/supl-ddf-file.md @@ -171,7 +171,7 @@ The XML below is the current version for this CSP. - MCCMNCPairs + MCCMNPairs @@ -482,201 +482,6 @@ The XML below is the current version for this CSP. - - RootCertificate4 - - - - - Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate5 - - - - - Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - - - RootCertificate6 - - - - - Required. Specifies the root certificate for the H-SLP server. Windows Phone does not support a non-secure mode. If this node is not included, the configuration service provider will fail but may not return a specific error. - - - - - - - - - - - - - - - Name - - - - - - Specifies the name of the H-SLP root certificate as a string, in the format name.cer. - - - - - - - - - - - text/plain - - - - - Data - - - - - - The base 64 encoded blob of the H-SLP root certificate. - - - - - - - - - - - - - - - V2UPL1 @@ -857,7 +662,6 @@ The XML below is the current version for this CSP. - ```   From 57d57e319c5160365e228cfcea219843476ecf32 Mon Sep 17 00:00:00 2001 From: Luis Masieri <32968351+lmasieri@users.noreply.github.com> Date: Wed, 13 Jun 2018 14:29:15 -0700 Subject: [PATCH 16/16] Update whats-new-microsoft-store-business-education.md --- .../whats-new-microsoft-store-business-education.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index fc29d300b3..e2988a84c9 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -68,7 +68,7 @@ We’ve been working on bug fixes and performance improvements to provide you a - Bug fixes and performance improvements [October 2017](release-history-microsoft-store-business-education.md#october-2017) -- Bug fixes and permformance improvements +- Bug fixes and performance improvements [September 2017](release-history-microsoft-store-business-education.md#september-2017) - Manage Windows device deployment with Windows Autopilot Deployment