From c17cb0d827ad8ea1e8438f0149d30f196d48c886 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 16 Jun 2022 20:44:51 +0530 Subject: [PATCH 01/77] Acrolinx Enhancement --- .../threat-protection/auditing/event-4913.md | 22 +++++++++---------- .../threat-protection/auditing/event-4928.md | 4 ++-- .../threat-protection/auditing/event-4929.md | 6 ++--- .../threat-protection/auditing/event-4930.md | 8 +++---- .../threat-protection/auditing/event-4931.md | 6 ++--- .../threat-protection/auditing/event-4945.md | 8 +++---- .../threat-protection/auditing/event-4946.md | 12 +++++----- .../threat-protection/auditing/event-4948.md | 12 +++++----- .../threat-protection/auditing/event-4950.md | 4 ++-- .../threat-protection/auditing/event-4951.md | 20 ++++++++--------- 10 files changed, 51 insertions(+), 51 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md index 9c173860f4..dc79e60f50 100644 --- a/windows/security/threat-protection/auditing/event-4913.md +++ b/windows/security/threat-protection/auditing/event-4913.md @@ -77,13 +77,13 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that changed the Central Access Policy on the object. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that changed the Central Access Policy on the object. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -137,7 +137,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ - **Original Security Descriptor** \[Type = UnicodeString\]**:** the Security Descriptor Definition Language (SDDL) value for the old Central Policy ID (for the policy that was formerly applied to the object). - SDDL contains Central Access Policy SID, here is an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name you need to do the following: + SDDL contains Central Access Policy SID, here's an example: S:ARAI(SP;ID;;;;S-1-17-1442530252-1178042555-1247349694-2318402534), Central Access Policy SID here is “**S-1-17-1442530252-1178042555-1247349694-2318402534**”. To resolve this SID to the real Central Access Policy name, you need to do the following steps: 1. Find Central Access Policy Active Directory object in: “CN=Central Access Policies,CN=Claims Configuration,CN=Services,CN=Configuration,DC=XXX,DC=XX” Active Directory container. @@ -166,11 +166,11 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ |-------|--------------------------------------|-------|---------------------------------| | "AO" | Account operators | "PA" | Group Policy administrators | | "RU" | Alias to allow previous Windows 2000 | "IU" | Interactively logged-on user | -| "AN" | Anonymous logon | "LA" | Local administrator | +| "AN" | Anonymous sign in | "LA" | Local administrator | | "AU" | Authenticated users | "LG" | Local guest | | "BA" | Built-in administrators | "LS" | Local service account | | "BG" | Built-in guests | "SY" | Local system | -| "BO" | Backup operators | "NU" | Network logon user | +| "BO" | Backup operators | "NU" | Network sign-in user | | "BU" | Built-in users | "NO" | Network configuration operators | | "CA" | Certificate server administrators | "NS" | Network service account | | "CG" | Creator group | "PO" | Printer operators | @@ -182,7 +182,7 @@ This event always generates, regardless of the object’s [SACL](/windows/win32/ | "DU" | Domain users | "RC" | Restricted code | | "EA" | Enterprise administrators | "SA" | Schema administrators | | "ED" | Enterprise domain controllers | "SO" | Server operators | -| "WD" | Everyone | "SU" | Service logon user | +| "WD" | Everyone | "SU" | Service sign-in user | - *G*: = Primary Group. - *D*: = DACL Entries. @@ -202,7 +202,7 @@ Example: D:(A;;FA;;;WD) "P” - SDDL\_PROTECTED, Inheritance from containers that are higher in the folder hierarchy are blocked. -"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" Is not also set. +"AI" - SDDL\_AUTO\_INHERITED, Inheritance is allowed, assuming that "P" isn't also set. "AR" - SDDL\_AUTO\_INHERIT\_REQ, Child objects inherit permissions from this object. @@ -228,7 +228,7 @@ Example: D:(A;;FA;;;WD) "CI" - CONTAINER INHERIT: Child objects that are containers, such as directories, inherit the ACE as an explicit ACE. -"OI" - OBJECT INHERIT: Child objects that are not containers inherit the ACE as an explicit ACE. +"OI" - OBJECT INHERIT: Child objects that aren't containers inherit the ACE as an explicit ACE. "NP" - NO PROPAGATE: only immediate children inherit this ace. @@ -239,7 +239,7 @@ Example: D:(A;;FA;;;WD) "SA" - SUCCESSFUL ACCESS AUDIT "FA" - FAILED ACCESS AUDIT -- rights: A hexadecimal string which denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. +- rights: A hexadecimal string that denotes the access mask or reserved value, for example: FA (File All Access), FX (File Execute), FW (File Write), etc. | Value | Description | Value | Description | |----------------------------|---------------------------------|----------------------|--------------------------| @@ -261,7 +261,7 @@ Example: D:(A;;FA;;;WD) - object\_guid: N/A - inherit\_object\_guid: N/A -- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. See the table above for more details. +- account\_sid: SID of specific security principal, or reserved value, for example: AN (Anonymous), WD (Everyone), SY (LOCAL\_SYSTEM), etc. For more information, see the table above. For more information about SDDL syntax, see these articles: , . @@ -277,7 +277,7 @@ For 4913(S): Central Access Policy on the object was changed. - If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value. -- You can monitor to see if “**Process Name**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Process Name**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md index 2899b77a51..64481ef466 100644 --- a/windows/security/threat-protection/auditing/event-4928.md +++ b/windows/security/threat-protection/auditing/event-4928.md @@ -97,12 +97,12 @@ Failure event generates if an error occurs (**Status Code** != 0). Directory Replication Service options in AD Sites and Services -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4928(S, F): An Active Directory replica source naming context was established. -- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of new replication (new DRA) must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md index 8d4802ca42..bd67b19fac 100644 --- a/windows/security/threat-protection/auditing/event-4929.md +++ b/windows/security/threat-protection/auditing/event-4929.md @@ -89,18 +89,18 @@ Failure event generates if an error occurs (**Status Code** != 0). - **Source Address** \[Type = UnicodeString\]: DNS record of the server from which the “remove” request was received. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was removed. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was removed. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4929(S, F): An Active Directory replica source naming context was removed. -- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md index ad5d6086a1..c63813a961 100644 --- a/windows/security/threat-protection/auditing/event-4930.md +++ b/windows/security/threat-protection/auditing/event-4930.md @@ -27,7 +27,7 @@ This event generates every time Active Directory replica source naming context w Failure event generates if an error occurs (**Status Code** != 0). -It is not possible to understand what exactly was modified from this event. +It isn't possible to understand what exactly was modified from this event. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -91,18 +91,18 @@ It is not possible to understand what exactly was modified from this event. - **Source Address** \[Type = UnicodeString\]: DNS record of computer from which the modification request was received. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was modified. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was modified. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations For 4930(S, F): An Active Directory replica source naming context was modified. -- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA you should trigger an event. +- Monitor for **Source Address** field, because the source of the request must be authorized for this action. If you find any unauthorized DRA, you should trigger an event. - This event is typically used for Active Directory replication troubleshooting. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md index 39a7be5a64..46b91b742c 100644 --- a/windows/security/threat-protection/auditing/event-4931.md +++ b/windows/security/threat-protection/auditing/event-4931.md @@ -27,7 +27,7 @@ This event generates every time Active Directory replica destination naming cont Failure event generates if an error occurs (**Status Code** != 0). -It is not possible to understand what exactly was modified from this event. +It isn't possible to understand what exactly was modified from this event. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -91,13 +91,13 @@ It is not possible to understand what exactly was modified from this event. - **Destination Address** \[Type = UnicodeString\]: DNS record of computer to which the modification request was sent. -- **Naming Context** \[Type = UnicodeString\]**:** naming context which was modified. +- **Naming Context** \[Type = UnicodeString\]**:** naming context that was modified. > **Note**  The Directory Tree of Active Directory tree is partitioned to allow sections to be distributed (replicated) to domain controllers in different domains within the forest. Each domain controller stores a copy of a specific part of the directory tree, called a **Naming Context** also known as Directory Partition. **Naming Context** is replicated as a unit to other domain controllers in the forest that contain a replica of the same sub tree. A **Naming Context** is also called a Directory Partition. - **Options** \[Type = UInt32\]: decimal value of [DRS Options](/openspecs/windows_protocols/ms-drsr/ac9c8a11-cd46-4080-acbf-9faa86344030). -- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you will receive Failure event and Status Code will not be equal to “**0**”. You can check error code meaning here: +- **Status Code** \[Type = UInt32\]**:** if there are no issues or errors, the status code will be 0. If an error happened, you'll receive Failure event and Status Code won't be equal to “**0**”. You can check error code meaning here: ## Security Monitoring Recommendations diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md index f5581407ab..cc7ffb2eec 100644 --- a/windows/security/threat-protection/auditing/event-4945.md +++ b/windows/security/threat-protection/auditing/event-4945.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This event generates every time Windows Firewall service starts. -This event shows the inbound and/or outbound rule which was listed when the Windows Firewall started and applied for “Public” profile. +This event shows the inbound and/or outbound rule that was listed when the Windows Firewall started and applied for “Public” profile. This event generates per rule. @@ -75,11 +75,11 @@ This event generates per rule. - **Rule ID** \[Type = UnicodeString\]: the unique firewall rule identifier. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was listed when the Windows Firewall started. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -89,5 +89,5 @@ For 4945(S): A rule was listed when the Windows Firewall started. - Typically this event has an informational purpose. -- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration is not the same. +- Unfortunately this event shows rules only for **Public** profile, but you still can compare this list with your organization's Windows Firewall baseline for Public profile rules on different computers, and trigger an alert if the configuration isn't the same. diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md index 505cec18fb..5a3a44929a 100644 --- a/windows/security/threat-protection/auditing/event-4946.md +++ b/windows/security/threat-protection/auditing/event-4946.md @@ -71,11 +71,11 @@ This event doesn't generate when new rule was added via Group Policy. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -87,11 +87,11 @@ This event doesn't generate when new rule was added via Group Policy. - **Rule ID** \[Type = UnicodeString\]: the unique new firewall rule identifier. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was added. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -99,5 +99,5 @@ This event doesn't generate when new rule was added via Group Policy. For 4946(S): A change has been made to Windows Firewall exception list. A rule was added. -- This event can be helpful in case you want to monitor all creations of new Firewall rules which were done locally. +- This event can be helpful in case you want to monitor all creations of new Firewall rules that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md index 65c71e3cd4..ecc34d3112 100644 --- a/windows/security/threat-protection/auditing/event-4948.md +++ b/windows/security/threat-protection/auditing/event-4948.md @@ -71,11 +71,11 @@ This event doesn't generate when the rule was deleted via Group Policy. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -87,11 +87,11 @@ This event doesn't generate when the rule was deleted via Group Policy. - **Rule ID** \[Type = UnicodeString\]: the unique identifier for deleted firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Rule Name** \[Type = UnicodeString\]: the name of the rule which was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Rule Name** \[Type = UnicodeString\]: the name of the rule that was deleted. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration @@ -99,5 +99,5 @@ This event doesn't generate when the rule was deleted via Group Policy. For 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted. -- This event can be helpful in case you want to monitor all deletions of Firewall rules which were done locally. +- This event can be helpful in case you want to monitor all deletions of Firewall rules that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md index 69db4a04e2..8c7148eb98 100644 --- a/windows/security/threat-protection/auditing/event-4950.md +++ b/windows/security/threat-protection/auditing/event-4950.md @@ -77,7 +77,7 @@ This event doesn't generate when Windows Firewall setting was changed via Group **New Setting:** -- **Type** \[Type = UnicodeString\]: the name of the setting which was modified. You can use “**netsh advfirewall**” command to see or set Windows Firewall settings, for example, to see settings for current\\active Windows Firewall profile you need to execute “**netsh advfirewall show currentprofile**” command: +- **Type** \[Type = UnicodeString\]: the name of the setting that was modified. You can use “**netsh advfirewall**” command to see or set Windows Firewall settings, for example, to see settings for current\\active Windows Firewall profile you need to execute “**netsh advfirewall show currentprofile**” command: Netsh advfirewall command illustration @@ -89,5 +89,5 @@ For 4950(S): A Windows Firewall setting has changed. - If you have a standard or baseline for Windows Firewall settings defined, monitor this event and check whether the settings reported by the event are still the same as were defined in your standard or baseline. -- This event can be helpful in case you want to monitor all changes in Windows Firewall settings which were done locally. +- This event can be helpful in case you want to monitor all changes in Windows Firewall settings that were done locally. diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md index 060b9c4b83..6f7ede1970 100644 --- a/windows/security/threat-protection/auditing/event-4951.md +++ b/windows/security/threat-protection/auditing/event-4951.md @@ -1,6 +1,6 @@ --- -title: 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. (Windows 10) -description: Describes security event 4951(F) A rule has been ignored because its major version number was not recognized by Windows Firewall. +title: 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. (Windows 10) +description: Describes security event 4951(F) A rule has been ignored because its major version number wasn't recognized by Windows Firewall. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. +# 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall. Event 4951 illustration @@ -25,7 +25,7 @@ ms.technology: windows-sec When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions. -If you create a firewall rule on a newer version of Windows that references firewall settings that are not available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it cannot process the rule. +If you create a firewall rule on a newer version of Windows that references firewall settings that aren't available on earlier versions of Windows, and then try to deploy that rule to computers running the earlier version of Windows, the firewall engine produces this error to indicate that it can't process the rule. The only solution is to remove the incompatible rule, and then deploy a compatible rule. @@ -73,11 +73,11 @@ The only solution is to remove the incompatible rule, and then deploy a compatib - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -89,17 +89,17 @@ The only solution is to remove the incompatible rule, and then deploy a compatib - **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Name** \[Type = UnicodeString\]: the name of the rule which was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Name** \[Type = UnicodeString\]: the name of the rule that was ignored. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration ## Security Monitoring Recommendations -For 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall. +For 4951(F): A rule has been ignored because its major version number wasn't recognized by Windows Firewall. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. From 5fbd3e07d79ac80f4a6e27a3acfdaa17d7929c04 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 17 Jun 2022 15:46:12 +0530 Subject: [PATCH 02/77] Acrolinx enhancement effort --- .../threat-protection/auditing/event-4953.md | 18 +++++++++--------- .../threat-protection/auditing/event-4957.md | 16 ++++++++-------- .../threat-protection/auditing/event-4958.md | 12 ++++++------ .../threat-protection/auditing/event-5030.md | 4 ++-- .../threat-protection/auditing/event-5031.md | 6 +++--- .../threat-protection/auditing/event-5038.md | 12 ++++++------ .../threat-protection/auditing/event-5039.md | 6 +++--- .../threat-protection/auditing/event-5051.md | 6 +++--- .../threat-protection/auditing/event-5056.md | 4 ++-- .../threat-protection/auditing/event-5057.md | 6 +++--- .../threat-protection/auditing/event-5058.md | 10 +++++----- .../threat-protection/auditing/event-5060.md | 4 ++-- .../threat-protection/auditing/event-5061.md | 10 +++++----- .../threat-protection/auditing/event-5063.md | 6 +++--- .../threat-protection/auditing/event-5064.md | 6 +++--- .../threat-protection/auditing/event-5065.md | 7 +++---- .../threat-protection/auditing/event-5066.md | 6 +++--- .../threat-protection/auditing/event-5067.md | 8 ++++---- .../threat-protection/auditing/event-5068.md | 8 ++++---- .../threat-protection/auditing/event-5069.md | 8 ++++---- 20 files changed, 81 insertions(+), 82 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md index 2d31faae0c..c327d3a349 100644 --- a/windows/security/threat-protection/auditing/event-4953.md +++ b/windows/security/threat-protection/auditing/event-4953.md @@ -1,6 +1,6 @@ --- -title: 4953(F) Windows Firewall ignored a rule because it could not be parsed. (Windows 10) -description: Describes security event 4953(F) Windows Firewall ignored a rule because it could not be parsed. +title: 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. (Windows 10) +description: Describes security event 4953(F) Windows Firewall ignored a rule because it couldn't be parsed. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4953(F): Windows Firewall ignored a rule because it could not be parsed. +# 4953(F): Windows Firewall ignored a rule because it couldn't be parsed. Event 4953 illustration @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates if Windows Firewall was not able to parse Windows Firewall rule for some reason. +This event generates if Windows Firewall wasn't able to parse Windows Firewall rule for some reason. It can happen if Windows Firewall rule registry entry was corrupted. @@ -72,11 +72,11 @@ It can happen if Windows Firewall rule registry entry was corrupted. - All -- Domain,Public +- Domain, Public -- Domain,Private +- Domain, Private -- Private,Public +- Private, Public - Public @@ -90,7 +90,7 @@ It can happen if Windows Firewall rule registry entry was corrupted. - **ID** \[Type = UnicodeString\]: the unique identifier for ignored firewall rule. - To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, navigate to the “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration @@ -100,7 +100,7 @@ It can happen if Windows Firewall rule registry entry was corrupted. ## Security Monitoring Recommendations -For 4953(F): Windows Firewall ignored a rule because it could not be parsed. +For 4953(F): Windows Firewall ignored a rule because it couldn't be parsed. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index b83701e32b..0f2cc44b6b 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -1,6 +1,6 @@ --- -title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10) -description: Describes security event 4957(F) Windows Firewall did not apply the following rule. +title: 4957(F) Windows Firewall didn't apply the following rule. (Windows 10) +description: Describes security event 4957(F) Windows Firewall didn't apply the following rule. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4957(F): Windows Firewall did not apply the following rule. +# 4957(F): Windows Firewall didn't apply the following rule. Event 4957 illustration @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when Windows Firewall starts or apply new rule, and the rule cannot be applied for some reason. +This event generates when Windows Firewall starts or apply new rule, and the rule can't be applied for some reason. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -69,21 +69,21 @@ This event generates when Windows Firewall starts or apply new rule, and the rul - **ID** \[Type = UnicodeString\]: the unique identifier for not applied firewall rule. - To see the unique ID of the rule you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you will see the list of Windows Firewall rule IDs (Name column) with parameters: + To see the unique ID of the rule, you need to navigate to “**HKEY\_LOCAL\_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\FirewallRules”** registry key and you'll see the list of Windows Firewall rule IDs (Name column) with parameters: Registry Editor FirewallRules key illustration -- **Name** \[Type = UnicodeString\]: the name of the rule which was not applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: +- **Name** \[Type = UnicodeString\]: the name of the rule that wasn't applied. You can see the name of Windows Firewall rule using Windows Firewall with Advanced Security management console (**wf.msc**), check “Name” column: Windows Firewall with Advanced Security illustration **Error Information:** -- **Reason** \[Type = UnicodeString\]: the reason why the rule was not applied. +- **Reason** \[Type = UnicodeString\]: the reason why the rule wasn't applied. ## Security Monitoring Recommendations -For 4957(F): Windows Firewall did not apply the following rule. +For 4957(F): Windows Firewall didn't apply the following rule. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index 3fc2c85a83..5e6f8b57f9 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -1,6 +1,6 @@ --- -title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10) -description: Describes security event 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. +title: 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. (Windows 10) +description: Describes security event 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,18 +14,18 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. +# 4958(F): Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. -Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied. +Windows Firewall with Advanced Security processed a rule that contains parameters that can't be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This exclusion isn't necessarily an error. Examine the rule for applicability on the computers to which it was applied. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md) ***Event Schema:*** -*Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer: +*Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer: Rule Information: %tID:%t%1 %tName:%t%2 diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md index 9216275f2d..86502afb98 100644 --- a/windows/security/threat-protection/auditing/event-5030.md +++ b/windows/security/threat-protection/auditing/event-5030.md @@ -19,9 +19,9 @@ ms.technology: windows-sec Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message. -This event doesn't generate during Windows Firewall service failures if Windows Firewall policy is incorrect\\corrupted or one of the service dependencies was not started. +This event doesn't generate during Windows Firewall service failures if Windows Firewall policy is incorrect\\corrupted or one of the service dependencies wasn't started. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other System Events](audit-other-system-events.md) diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md index b54933cde7..0e6d81e9ac 100644 --- a/windows/security/threat-protection/auditing/event-5031.md +++ b/windows/security/threat-protection/auditing/event-5031.md @@ -25,7 +25,7 @@ ms.technology: windows-sec This event generates when an application was blocked from accepting incoming connections on the network by [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page). -If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you will get this event from [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) layer, because by default this layer is denying any incoming connections. +If you don’t have any firewall rules (Allow or Deny) in Windows Firewall for specific applications, you'll get this event from [Windows Filtering Platform](/windows/win32/fwp/windows-filtering-platform-start-page) layer, because by default this layer is denying any incoming connections. > **Note**  For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event. @@ -82,8 +82,8 @@ For 5031(F): The Windows Firewall Service blocked an application from accepting - You can use this event to detect applications for which no Windows Firewall rules were created. -- If you have a pre-defined application which should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. +- If you have a pre-defined application that should be used to perform the operation that was reported by this event, monitor events with “**Application**” not equal to your defined application. -- You can monitor to see if “**Application**” is not in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). +- You can monitor to see if “**Application**” isn't in a standard folder (for example, not in **System32** or **Program Files**) or is in a restricted folder (for example, **Temporary Internet Files**). - If you have a pre-defined list of restricted substrings or words in application names (for example, “**mimikatz**” or “**cain.exe**”), check for these substrings in “**Application**.” \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index dbb32f1459..44d9fafb84 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -1,6 +1,6 @@ --- -title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) -description: Describes security event 5038(F) Code integrity determined that the image hash of a file is not valid. +title: 5038(F) Code integrity determined that the image hash of a file isn't valid. (Windows 10) +description: Describes security event 5038(F) Code integrity determined that the image hash of a file isn't valid. ms.pagetype: security ms.prod: m365-security ms.mktglfcycl: deploy @@ -14,16 +14,16 @@ ms.author: dansimp ms.technology: windows-sec --- -# 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. +# 5038(F): Code integrity determined that the image hash of a file isn't valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. -This event generates by [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) feature, if signature of a file is not valid. +This event generates by [Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) feature, if signature of a file isn't valid. -Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. +Code Integrity is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it's loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md index 7194197d62..aec25c2291 100644 --- a/windows/security/threat-protection/auditing/event-5039.md +++ b/windows/security/threat-protection/auditing/event-5039.md @@ -19,9 +19,9 @@ ms.technology: windows-sec This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). -This event occurs very rarely during standard LUAFV registry key virtualization. +This event occurs rarely during standard LUAFV registry key virtualization. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Registry](audit-registry.md) @@ -59,7 +59,7 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. +- There's no recommendation for this event in this document. diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md index 67f25e7071..530cebdbe3 100644 --- a/windows/security/threat-protection/auditing/event-5051.md +++ b/windows/security/threat-protection/auditing/event-5051.md @@ -19,9 +19,9 @@ ms.technology: windows-sec This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx). -This event occurs very rarely during standard LUAFV file virtualization. +This event occurs rarely during standard LUAFV file virtualization. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit File System](audit-file-system.md) @@ -59,5 +59,5 @@ There is no example of this event in this document. ## Security Monitoring Recommendations -- There is no recommendation for this event in this document. +- There's no recommendation for this event in this document. diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md index a0be07f3bf..b8d749b9fe 100644 --- a/windows/security/threat-protection/auditing/event-5056.md +++ b/windows/security/threat-protection/auditing/event-5056.md @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for CNG troubleshooting. +This event is used for CNG troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md index 8ef262994a..6f251535e5 100644 --- a/windows/security/threat-protection/auditing/event-5057.md +++ b/windows/security/threat-protection/auditing/event-5057.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5057(F): A cryptographic primitive operation failed. -This event generates in case of CNG primitive operation failure. +This event generates if there's a CNG primitive operation failure. For more information about Cryptographic Next Generation (CNG) visit these pages: @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md index eaa7c1b441..42a31d7a3a 100644 --- a/windows/security/threat-protection/auditing/event-5058.md +++ b/windows/security/threat-protection/auditing/event-5058.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used: +This event generates when an operation (read, write, delete, and so on) was performed on a file that contains a KSP key by using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs was used: - Microsoft Software Key Storage Provider @@ -81,13 +81,13 @@ You can see these events, for example, during certificate renewal or export oper **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested key file operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested key file operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -109,7 +109,7 @@ You can see these events, for example, during certificate renewal or export oper - Microsoft Smart Card Key Storage Provider -- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “**UNKNOWN**” value. Can also have one of the following values: - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. @@ -129,7 +129,7 @@ You can see these events, for example, during certificate renewal or export oper - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. -- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here's an output example: Certutil command illustration diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md index e20a614013..b8f9fb0ef7 100644 --- a/windows/security/threat-protection/auditing/event-5060.md +++ b/windows/security/threat-protection/auditing/event-5060.md @@ -27,9 +27,9 @@ For more information about CNG, visit these pages: - -This event is mainly used for CNG troubleshooting. +This event is used for CNG troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit System Integrity](audit-system-integrity.md) diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md index af59c9ccb8..58bcd9848d 100644 --- a/windows/security/threat-protection/auditing/event-5061.md +++ b/windows/security/threat-protection/auditing/event-5061.md @@ -23,7 +23,7 @@ ms.technology: windows-sec ***Event Description:*** -This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs were used: +This event generates when a cryptographic operation (open key, create key, create key, and so on) was performed using a [Key Storage Provider](/windows/win32/seccertenroll/cng-key-storage-providers) (KSP). This event generates only if one of the following KSPs was used: - Microsoft Software Key Storage Provider @@ -78,13 +78,13 @@ This event generates when a cryptographic operation (open key, create key, creat **Subject:** -- **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event. +- **Security ID** \[Type = SID\]**:** SID of account that requested specific cryptographic operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID can't be resolved, you'll see the source data in the event. > **Note**  A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers). - **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested specific cryptographic operation. -- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following: +- **Account Domain** \[Type = UnicodeString\]**:** subject’s domain or computer name. Formats vary, and include the following ones: - Domain NETBIOS name example: CONTOSO @@ -106,7 +106,7 @@ This event generates when a cryptographic operation (open key, create key, creat - Microsoft Smart Card Key Storage Provider -- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this typically has “**UNKNOWN**” value. Can also have one of the following values: +- **Algorithm Name** \[Type = UnicodeString\]: the name of cryptographic algorithm through which the key was used or accessed. For “Read persisted key from file” operation, this algorithm has “**UNKNOWN**” value. Can also have one of the following values: - RSA – algorithm created by Ron Rivest, Adi Shamir, and Leonard Adleman. @@ -126,7 +126,7 @@ This event generates when a cryptographic operation (open key, create key, creat - ECDSA\_P521 – Elliptic Curve Digital Signature Algorithm with 521-bit key length. -- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here is an output example: +- **Key Name** \[Type = UnicodeString\]: the name of the key (key container) with which operation was performed. For example, to get the list of **Key Names** for certificates for logged in user you can use “**certutil -store -user my**” command and check **Key Container** parameter in the output. Here's an output example: Certutil command illustration diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md index 5038c7efce..ca597eccaf 100644 --- a/windows/security/threat-protection/auditing/event-5063.md +++ b/windows/security/threat-protection/auditing/event-5063.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5063(S, F): A cryptographic provider operation was attempted. -This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic provider was registered or unregistered. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md index 58926d7958..ae83f4488b 100644 --- a/windows/security/threat-protection/auditing/event-5064.md +++ b/windows/security/threat-protection/auditing/event-5064.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5064(S, F): A cryptographic context operation was attempted. -This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic context was created or deleted. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md index 7e24add6fe..e382f07e2f 100644 --- a/windows/security/threat-protection/auditing/event-5065.md +++ b/windows/security/threat-protection/auditing/event-5065.md @@ -16,8 +16,7 @@ ms.technology: windows-sec # 5065(S, F): A cryptographic context modification was attempted. - -This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when configuration information was changed for existing CNG context. @@ -27,9 +26,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md index 310525c71a..6a40bb0b06 100644 --- a/windows/security/threat-protection/auditing/event-5066.md +++ b/windows/security/threat-protection/auditing/event-5066.md @@ -17,7 +17,7 @@ ms.technology: windows-sec # 5066(S, F): A cryptographic function operation was attempted. -This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These functions are Cryptographic Next Generation (CNG) functions. This event generates when cryptographic function was added or removed from the list of functions that are supported by an existing CNG context. @@ -27,9 +27,9 @@ For more information about Cryptographic Next Generation (CNG) visit these pages - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md index 509b5d140a..02b76446df 100644 --- a/windows/security/threat-protection/auditing/event-5067.md +++ b/windows/security/threat-protection/auditing/event-5067.md @@ -17,19 +17,19 @@ ms.technology: windows-sec # 5067(S, F): A cryptographic function modification was attempted. -This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when configuration information for the cryptographic function of an existing CNG context was changed. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md index 1214a053db..ed2e8582db 100644 --- a/windows/security/threat-protection/auditing/event-5068.md +++ b/windows/security/threat-protection/auditing/event-5068.md @@ -17,17 +17,17 @@ ms.technology: windows-sec # 5068(S, F): A cryptographic function provider operation was attempted. -This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These are Cryptographic Next Generation (CNG) functions. +This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These functions are Cryptographic Next Generation (CNG) functions. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md index dadbcf3347..fc14219958 100644 --- a/windows/security/threat-protection/auditing/event-5069.md +++ b/windows/security/threat-protection/auditing/event-5069.md @@ -17,19 +17,19 @@ ms.technology: windows-sec # 5069(S, F): A cryptographic function property operation was attempted. -This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function. +This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This function is a Cryptographic Next Generation (CNG) function. This event generates when named property for a cryptographic function in an existing CNG context was added or removed. -For more information about Cryptographic Next Generation (CNG) visit these pages: +For more information about Cryptographic Next Generation (CNG), visit these pages: - - -This event is mainly used for Cryptographic Next Generation (CNG) troubleshooting. +This event is used for Cryptographic Next Generation (CNG) troubleshooting. -There is no example of this event in this document. +There's no example of this event in this document. ***Subcategory:*** [Audit Other Policy Change Events](audit-other-policy-change-events.md) From a861796474084c717172f517d3b562acfe4d3aca Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 22 Jun 2022 13:12:36 +0530 Subject: [PATCH 03/77] Acrolinx Enhancement Effort --- ...ss-policies-that-apply-on-a-file-server.md | 2 +- ...esource-attributes-on-files-and-folders.md | 2 +- ...r-user-and-device-claims-during-sign-in.md | 6 +- ...loying-advanced-security-audit-policies.md | 30 ++-- .../auditing/security-auditing-overview.md | 4 +- .../block-untrusted-fonts-in-enterprise.md | 26 ++-- ...tion-based-protection-of-code-integrity.md | 24 +-- ...tion-based-protection-of-code-integrity.md | 32 ++-- .../get-support-for-security-baselines.md | 8 +- .../mbsa-removal-and-guidance.md | 6 +- .../configure-md-app-guard.md | 20 +-- .../faq-md-app-guard.yml | 26 ++-- .../reqs-md-app-guard.md | 10 +- .../msft-security-dev-lifecycle.md | 4 +- ...tions-for-app-related-security-policies.md | 6 +- ...iew-of-threat-mitigations-in-windows-10.md | 44 +++--- ...-the-health-of-windows-10-based-devices.md | 144 +++++++++--------- .../access-this-computer-from-the-network.md | 16 +- .../account-lockout-duration.md | 8 +- .../security-compliance-toolkit-10.md | 6 +- 20 files changed, 212 insertions(+), 212 deletions(-) diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md index a1780808e5..15c31fb0d2 100644 --- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md +++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md @@ -23,7 +23,7 @@ ms.technology: windows-sec This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management. -Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you have not yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). +Use the following procedures to configure and verify security auditing settings that are used to monitor changes to the set of CAPs on a file server. The following procedures assume that you have configured and deployed dynamic access control, including CAPs and claims, in your network. If you haven't yet deployed dynamic access control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). **To configure settings to monitor changes to central access policies** diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md index 20be28d785..73427802a4 100644 --- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md +++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md @@ -21,7 +21,7 @@ ms.technology: windows-sec # Monitor the resource attributes on files and folders -This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects. +This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you're using advanced security auditing options to monitor dynamic access control objects. If your organization has a carefully thought out authorization configuration for resources, changes to these resource attributes can create potential security risks. Examples include: diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md index 865b1b5aaf..759bc149b4 100644 --- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md +++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md @@ -21,11 +21,11 @@ ms.technology: windows-sec # Monitor user and device claims during sign-in -This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects. +This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you're using advanced security auditing options to monitor dynamic access control objects. -Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at sign-on. For example, information about Department, Company, Project, or Security clearances might be included in the token. +Device claims are associated with the system that is used to access resources that are protected with Dynamic Access Control. User claims are attributes that are associated with a user. User claims and device claims are included in the user’s security token used at the sign-in stage. For example, information about Department, Company, Project, or Security clearances might be included in the token. -Use the following procedures to monitor changes to user claims and device claims in the user’s sign-on token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you have not yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). +Use the following procedures to monitor changes to user claims and device claims in the user’s sign-in token and to verify the changes. These procedures assume that you have configured and deployed Dynamic Access Control, including central access policies, claims, and other components, in your network. If you haven't yet deployed Dynamic Access Control in your network, see [Deploy a Central Access Policy (Demonstration Steps)](/windows-server/identity/solution-guides/deploy-a-central-access-policy--demonstration-steps-). >**Note:**  Your server might function differently based on the version and edition of the operating system that is installed, your account permissions, and your menu settings. diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md index 4f9f9b93e8..08a07d6718 100644 --- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md +++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md @@ -23,7 +23,7 @@ ms.technology: windows-sec This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies. -Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you have a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. +Organizations invest heavily in security applications and services, such as antimalware software, firewalls, and encryption. But no matter how much security hardware or software you deploy, how tightly you control the rights of users, or how carefully you configure security permissions on your data, the job isn't complete unless you've a well-defined, timely auditing strategy to track the effectiveness of your defenses and identify attempts to circumvent them. To be well-defined and timely, an auditing strategy must provide useful tracking data for an organization's most important resources, critical behaviors, and potential risks. In many organizations, it must also provide proof that IT operations comply with corporate and regulatory requirements. @@ -134,7 +134,7 @@ To effectively audit user activity, begin by listing the different types of user Also, if external users can access your organization's data, be sure to identify them. Determine whether they're a business partner, customer, or general user; the data they have access to; and the permissions they have to access that data. -The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create additional columns to differentiate between different types of network activity, such as logon hours and permission use. +The following table illustrates an analysis of users on a network. Our example contains only a single column titled "Possible auditing considerations," but you may want to create more columns to differentiate between different types of network activity, such as sign-in hours and permission use. | Groups | Data | Possible auditing considerations | | - | - | - | @@ -187,7 +187,7 @@ By using Group Policy, you can apply your security audit policy to defined group - Decide whether every policy setting that you select should be enforced across the organization or apply only to selected users or computers. You can then combine these audit policy settings into GPOs and link them to the appropriate Active Directory containers. - By default, options set in GPOs that are linked to higher levels of Active Directory sites, domains, and OUs are inherited by all OUs at lower levels. However, a GPO that's linked at a lower level can overwrite inherited policies. - For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of additional settings. To do this, you can link a second GPO to that specific lower-level OU. Then, a logon audit setting that's applied at the OU level will override a conflicting logon audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing. + For example, you might use a domain GPO to assign an organization-wide group of audit settings but want a certain OU to get a defined group of extra settings. To do this assignation, you can link a second GPO to that specific lower-level OU. Then, a sign-in audit setting that's applied at the OU level will override a conflicting sign-in audit setting that's applied at the domain level, unless you've taken special steps to apply Group Policy loopback processing. - Audit policies are computer policies. Therefore, they must be applied through GPOs that are applied to *computer* OUs, not to *user* OUs. But in most cases, you can apply audit settings for only specified resources and groups of users by configuring SACLs on the relevant objects. This functionality enables auditing for a security group that contains only the users you specify. @@ -270,12 +270,12 @@ Compromise to an organization's data resources can cause tremendous financial lo The settings in the previous section relate to activity involving the files, folders, and network shares that are stored on a network. The settings in this section focus on the users who may try to access those resources, including employees, partners, and customers. -In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track a variety of user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following are important settings that you should evaluate to track user activity on your network: +In most cases, these attempts are legitimate, and the network needs to make data readily available to legitimate users. But in other cases, employees, partners, and others may try to access resources that they have no legitimate reason to access. You can use security auditing to track various user activities on a particular computer to diagnose and resolve problems for legitimate users and to identify and address illegitimate activities. The following are important settings that you should evaluate to track user activity on your network: -- **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful logon attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use a variety of credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. +- **Account Logon\\[Audit Credential Validation](audit-credential-validation.md)**: This setting enables you to track all successful and unsuccessful sign-in attempts. A pattern of unsuccessful attempts may indicate that a user or application is using credentials that are no longer valid. Or the user or app is trying to use various credentials in succession in hope that one of these attempts will eventually succeed. These events occur on the computer that's authoritative for the credentials. For domain accounts, the domain controller is authoritative. For local accounts, the local computer is authoritative. - **Detailed Tracking\\[Audit Process Creation](audit-process-creation.md) and Detailed Tracking\\[Audit Process Termination](audit-process-termination.md)**: These policy settings enable you to monitor the applications that a user opens and close on a computer. -- **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enable you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. -- **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to log on with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious. +- **DS Access\\[Audit Directory Service Access](audit-directory-service-access.md)** and **DS Access\\[Audit Directory Service Changes](audit-directory-service-changes.md)**: These policy settings provide a detailed audit trail of attempts to access, create, modify, delete, move, or undelete objects in Active Directory Domain Services (AD DS). Only domain administrators have permissions to modify AD DS objects, so it's important to identify malicious attempts to modify these objects. Also, although domain administrators should be among an organization's most trusted employees, the use of the **Audit Directory Service Access** and **Audit Directory Service Changes** settings enables you to monitor and verify that only approved changes are made to AD DS. These audit events are logged only on domain controllers. +- **Logon/Logoff\\[Audit Account Lockout](audit-account-lockout.md)**: Another common security scenario occurs when a user attempts to sign in with an account that's been locked out. It's important to identify these events and to determine whether the attempt to use an account that was locked out is malicious. - **Logon/Logoff\\[Audit Logoff](audit-logoff.md)** and **Logon/Logoff\\[Audit Logon](audit-logon.md)**: Logon and logoff events are essential to tracking user activity and detecting potential attacks. Logon events are related to the creation of logon sessions, and they occur on the computer that was accessed. For an interactive logon, events are generated on the computer that was logged on to. For network logon, such as accessing a shared resource, events are generated on the computer that hosts the resource that was accessed. Logoff events are generated when logon sessions are terminated. > [!NOTE] @@ -309,7 +309,7 @@ The following network activity policy settings enable you to monitor security-re - **Logon/Logoff\\[Audit Network Policy Server](audit-network-policy-server.md)**: Organizations that use RADIUS (IAS) and Network Access Protection (NAP) to set and maintain security requirements for external users can use this policy setting to monitor the effectiveness of these policies and to determine whether anyone is trying to circumvent these protections. - **Policy Change**: These policy settings and events enable you to track changes to important security policies on a local computer or network. Because policies are typically established by administrators to help secure network resources, monitoring any changes or attempted changes to these policies can be an important aspect of security management for a network. - **Policy Change\\[Audit Audit Policy Change](audit-audit-policy-change.md)**: This policy setting allows you to monitor changes to the audit policy. If malicious users obtain domain administrator credentials, they can temporarily disable essential security audit policy settings so that their other activities on the network can't be detected. -- **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor a variety of changes to an organization's IPsec policies. +- **Policy Change\\[Audit Filtering Platform Policy Change](audit-filtering-platform-policy-change.md)**: This policy setting can be used to monitor various changes to an organization's IPsec policies. - **Policy Change\\[Audit MPSSVC Rule-Level Policy Change](audit-mpssvc-rule-level-policy-change.md)**: This policy setting determines if the operating system generates audit events when changes are made to policy rules for the Microsoft Protection Service (MPSSVC.exe), which is used by Windows Firewall. Changes to firewall rules are important for understanding the security state of the computer and how well it's protected against network attacks. ### Confirm operating system version compatibility @@ -331,9 +331,9 @@ These settings enable you to exercise much tighter control over which activities ### *Success*, *failure*, or both -Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This is an important question. The answer depends on the criticality of the event and the implications of the decision for event volume. +Whichever event settings you include in your plan, you also have to decide whether you want to log an event when the activity fails or succeeds or both successes *and* failures. This question is an important one. The answer depends on the criticality of the event and the implications of the decision for event volume. -For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events. +For example, on a file server that's accessed frequently by legitimate users, you may want to log an event only when an *unsuccessful* attempt to access data takes place, because this access failure could be evidence of an unauthorized or malicious user. In this case, logging *successful* attempts to access the server would quickly fill the event log with benign events. But if the file share has sensitive information, such as trade secrets, you may want to log every access attempt so that you have an audit trail of every user who tries to access the resource. @@ -341,12 +341,12 @@ But if the file share has sensitive information, such as trade secrets, you may Networks may contain hundreds of servers that run critical services or store critical data, all of which need to be monitored. There may be tens or even hundreds of thousands of computers on the network. These numbers may not be an issue if the ratio of servers or client computers per administrator is low. And even if an administrator who is responsible for auditing security and performance issues has relatively few computers to monitor, you need to decide how the administrator will obtain event data to review. Following are some options for obtaining the event data. -- Will you keep event data on a local computer until an administrator logs on to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity. -- Will you collect event data so that it can be reviewed from a central console? If so, there are a number of computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer. +- Will you keep event data on a local computer until an administrator signs in to review this data? If so, the administrator needs to have physical or remote access to the Event Viewer on each client computer or server. And the remote access and firewall settings on each client computer or server need to be configured to enable this access. You also need to decide how often the administrator can visit each computer, and adjust the size of the audit log so that critical information isn't deleted if the log reaches capacity. +- Will you collect event data so that it can be reviewed from a central console? If so, there are many computer management products, such as the Audit Collection Services in Microsoft Operations Manager 2007 and 2012, that you can use to collect and filter event data. Presumably this solution enables a single administrator to review larger amounts of data than using the local storage option. But in some cases, this method can make it more difficult to detect clusters of related events that can occur on a single computer. In addition, whether you choose to leave audit data on an individual computer or consolidate it at a central location, you need to decide how large the log file should be and what happens when the log reaches its maximum size. To configure these options, open Event Viewer, expand **Windows Logs**, right-click **Security**, and select **Properties**. You can configure the following properties: -- **Overwrite events as needed (oldest events first)**: This is the default option, which is acceptable in most situations. +- **Overwrite events as needed (oldest events first)**: This option is the default one, which is acceptable in most situations. - **Archive the log when full, do not overwrite events**: This option can be used when all log data needs to be saved. But the scenario suggests that you may not be reviewing audit data frequently enough. - **Do not overwrite events (Clear logs manually)**. This option stops the collection of audit data when the log file reaches its maximum size. Older data is retained at the expense of the most recent audit events. Use this option only if you don't want to lose any audit data, don't want to create an archive of the event log, and are committed to reviewing data before the maximum log size is reached. @@ -359,7 +359,7 @@ Configuration\\Administrative Templates\\Windows Components\\Event Log Service\\ - **Retain old events**: This policy setting controls event log behavior when the log file reaches its maximum size. When this policy setting is enabled and a log file reaches its maximum size, new events aren't written to the log and are lost. When this policy setting is disabled and a log file reaches its maximum size, new events overwrite old events. - **Backup log automatically when full**: This policy setting controls event log behavior when the log file reaches its maximum size. It takes effect only if the **Retain old events** policy setting is enabled. If you enable these policy settings, the event log file is automatically closed and renamed when it's full. A new log file is then started. If you disable or don't configure this policy setting and the **Retain old events** policy setting is enabled, new events are discarded, and the old events are retained. -Many organizations are now required to store archived log files for a number of years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](/previous-versions/tn-archive/dd206732(v=technet.10)). +Many organizations are now required to store archived log files for many years. Consult with regulatory compliance officers in your organization to determine whether such guidelines apply to your organization. For more information, see the [IT Compliance Management Guide](/previous-versions/tn-archive/dd206732(v=technet.10)). ## Deploy the security audit policy @@ -373,4 +373,4 @@ However, unless you can run fairly realistic simulations of network usage patter - A limited set of security audit policy settings, such as **Logon/Logoff** and **Account Logon** - A combination of limited OUs and audit policy settings—for example, targeting servers in only the Accounting OU with **Object Access** policy settings -After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include additional OUs and sets of audit policy settings until production deployment is complete. \ No newline at end of file +After you successfully complete one or more limited deployments, you should confirm that the audit data that's collected is manageable with your management tools and administrators. After you confirm that the pilot deployment is effective, you need to ensure that you have the necessary tools and staff to expand the deployment to include more OUs and sets of audit policy settings until production deployment is complete. \ No newline at end of file diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md index 1c305a4439..7d7e21c1f3 100644 --- a/windows/security/threat-protection/auditing/security-auditing-overview.md +++ b/windows/security/threat-protection/auditing/security-auditing-overview.md @@ -25,14 +25,14 @@ Topics in this section are for IT professionals and describes the security audit ## -Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you have determined to be valuable in your risk assessment. +Security auditing is one of the most powerful tools that you can use to maintain the integrity of your system. As part of your overall security strategy, you should determine the level of auditing that is appropriate for your environment. Auditing should identify attacks (successful or not) that pose a threat to your network, and attacks against resources that you've determined to be valuable in your risk assessment. ## In this section | Topic | Description | | - | - | |[Basic security audit policies](basic-security-audit-policies.md) |Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization. | -|[Advanced security audit policies](./advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they are recorded and applied differently. | +|[Advanced security audit policies](./advanced-security-auditing.md) |Advanced security audit policy settings are found in **Security Settings\Advanced Audit Policy Configuration\System Audit Policies** and appear to overlap with basic security audit policies, but they're recorded and applied differently. | diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index 564c7cdfe4..95aa186d93 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -1,6 +1,6 @@ --- title: Block untrusted fonts in an enterprise (Windows 10) -description: To help protect your company from attacks which may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. +description: To help protect your company from attacks that may originate from untrusted or attacker controlled font files, we've created the Blocking Untrusted Fonts feature. ms.reviewer: manager: dansimp ms.prod: m365-security @@ -19,13 +19,13 @@ ms.technology: windows-sec > Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). -To help protect your company from attacks which may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. +To help protect your company from attacks that may originate from untrusted or attacker-controlled font files, we’ve created the Blocking Untrusted Fonts feature. Using this feature, you can turn on a global setting that stops your employees from loading untrusted fonts processed using the Graphics Device Interface (GDI) onto your network. Untrusted fonts are any font installed outside of the `%windir%/Fonts` directory. Blocking untrusted fonts helps prevent both remote (web-based or email-based) and local EOP attacks that can happen during the font file-parsing process. ## What does this mean for me? -Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature is not turned on. +Blocking untrusted fonts helps improve your network and employee protection against font-processing-related attacks. By default, this feature isn't turned on. ## How does this feature work? -There are 3 ways to use this feature: +There are three ways to use this feature: - **On.** Helps stop any font processed using GDI from loading outside of the `%windir%/Fonts` directory. It also turns on event logging. @@ -37,9 +37,9 @@ There are 3 ways to use this feature: - **Exclude apps to load untrusted fonts.** You can exclude specific apps, allowing them to load untrusted fonts, even while this feature is turned on. For instructions, see [Fix apps having problems because of blocked fonts](#fix-apps-having-problems-because-of-blocked-fonts). ## Potential reductions in functionality -After you turn this feature on, your employees might experience reduced functionality when: +After you turn on this feature, your employees might experience reduced functionality when: -- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been specifically excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. +- Sending a print job to a remote printer server that uses this feature and where the spooler process hasn’t been excluded. In this situation, any fonts that aren’t already available in the server’s %windir%/Fonts folder won’t be used. - Printing using fonts provided by the installed printer’s graphics .dll file, outside of the %windir%/Fonts folder. For more information, see [Introduction to Printer Graphics DLLs](/windows-hardware/drivers/print/introduction-to-printer-graphics-dlls). @@ -55,13 +55,13 @@ Use Group Policy or the registry to turn this feature on, off, or to use audit m **To turn on and use the Blocking Untrusted Fonts feature through Group Policy** 1. Open the Group Policy editor (gpedit.msc) and go to `Computer Configuration\Administrative Templates\System\Mitigation Options\Untrusted Font Blocking`. -2. Click **Enabled** to turn the feature on, and then click one of the following **Mitigation Options**: +2. Click **Enabled** to turn on the feature, and then click one of the following **Mitigation Options**: - - **Block untrusted fonts and log events.** Turns the feature on, blocking untrusted fonts and logging installation attempts to the event log. + - **Block untrusted fonts and log events.** Turns on the feature, blocking untrusted fonts and logging installation attempts to the event log. - - **Do not block untrusted fonts.** Turns the feature on, but doesn't block untrusted fonts nor does it log installation attempts to the event log. + - **Do not block untrusted fonts.** Turns on the feature, but doesn't block untrusted fonts nor does it log installation attempts to the event log. - - **Log events without blocking untrusted fonts**. Turns the feature on, logging installation attempts to the event log, but not blocking untrusted fonts. + - **Log events without blocking untrusted fonts**. Turns on the feature, logging installation attempts to the event log, but not blocking untrusted fonts. 3. Click **OK**. @@ -90,7 +90,7 @@ To turn this feature on, off, or to use audit mode: 5. Restart your computer. ## View the event log -After you turn this feature on, or start using Audit mode, you can look at your event logs for details. +After you turn on this feature, or start using Audit mode, you can look at your event logs for details. **To look at your event log** @@ -128,7 +128,7 @@ After you turn this feature on, or start using Audit mode, you can look at your ## Fix apps having problems because of blocked fonts Your company may still need apps that are having problems because of blocked fonts, so we suggest that you first run this feature in Audit mode to determine which fonts are causing the problems. -After you figure out the problematic fonts, you can try to fix your apps in 2 ways: by directly installing the fonts into the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps because excluded apps can load any font, trusted or untrusted. +After you figure out the problematic fonts, you can try to fix your apps in two ways: by directly installing the fonts into the %windir%/Fonts directory or by excluding the underlying processes and letting the fonts load. As the default solution, we highly recommend that you install the problematic font. Installing fonts is safer than excluding apps because excluded apps can load any font, trusted or untrusted. **To fix your apps by installing the problematic fonts (recommended)** @@ -138,7 +138,7 @@ After you figure out the problematic fonts, you can try to fix your apps in 2 wa 1. On each computer with the app installed, open regedit.exe and go to `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\`.

For example, if you want to exclude Microsoft Word processes, you’d use `HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Winword.exe`. -2. Add any additional processes that need to be excluded here, and then turn the Blocking untrusted fonts feature on, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. +2. Add other processes that need to be excluded here, and then turn on the Blocking untrusted fonts feature, using the steps in [Turn on and use the Blocking Untrusted Fonts feature](#turn-on-and-use-the-blocking-untrusted-fonts-feature), earlier in this article. ## Related content diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md index 4a0981cf1f..b51d3cbf0e 100644 --- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md @@ -23,8 +23,8 @@ ms.technology: windows-sec This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10 and Windows 11. Some applications, including device drivers, may be incompatible with HVCI. -This can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. -If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. +This incompatibility can cause devices or software to malfunction and in rare cases may result in a blue screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. +If these issues occur, see [Troubleshooting](#troubleshooting) for remediation steps. > [!NOTE] > Because it makes use of *Mode Based Execution Control*, HVCI works better with Intel Kaby Lake or AMD Zen 2 CPUs and newer. Processors without MBEC will rely on an emulation of this feature, called *Restricted User Mode*, which has a bigger impact on performance. @@ -60,7 +60,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP] 3. Double-click **Turn on Virtualization Based Security**. -4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**. +4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI can't be disabled remotely or select **Enabled without UEFI lock**. ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png) @@ -70,7 +70,7 @@ To apply the new policy on a domain-joined computer, either restart or run `gpup ### Use registry keys to enable virtualization-based protection of code integrity -Set the following registry keys to enable HVCI. This provides exactly the same set of configuration options provided by Group Policy. +Set the following registry keys to enable HVCI. These keys provide exactly the same set of configuration options provided by Group Policy. @@ -208,7 +208,7 @@ Get-CimInstance –ClassName Win32_DeviceGuard –Namespace root\Microsoft\Windo > [!NOTE] > Mode Based Execution Control property will only be listed as available starting with Windows 10 version 1803 and Windows 11 version 21H2. -The output of this command provides details of the available hardware-based security features as well as those features that are currently enabled. +The output of this command provides details of the available hardware-based security features and those features that are currently enabled. #### AvailableSecurityProperties @@ -251,7 +251,7 @@ This field indicates whether the Windows Defender Credential Guard or HVCI servi Value | Description -|- -**0.** | No services configured. +**0.** | No services are configured. **1.** | If present, Windows Defender Credential Guard is configured. **2.** | If present, HVCI is configured. **3.** | If present, System Guard Secure Launch is configured. @@ -279,7 +279,7 @@ This field indicates whether VBS is enabled and running. Value | Description -|- -**0.** | VBS is not enabled. +**0.** | VBS isn't enabled. **1.** | VBS is enabled but not running. **2.** | VBS is enabled and running. @@ -295,7 +295,7 @@ Another method to determine the available and enabled Windows Defender Device Gu A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**. -B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device. +B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you're able to sign in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device. C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from `\Windows\System32\CodeIntegrity\` and then restart your device. @@ -315,7 +315,7 @@ C. If you experience a critical error during boot or your system is unstable aft HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Application Control are the same from within the virtual machine. -WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine: +WDAC protects against malware running in the guest virtual machine. It doesn't provide extra protection from the host administrator. From the host, you can disable WDAC for a virtual machine: ```powershell Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true @@ -324,6 +324,6 @@ Set-VMSecurity -VMName -VirtualizationBasedSecurityOptOut $true ### Requirements for running HVCI in Hyper-V virtual machines - The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607. - The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. -- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the HyperV role on the virtual machine, you must first install the HyperV role in a Windows nested virtualization environment. -- Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. -- The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- HVCI and [nested virtualization](/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) can be enabled at the same time. To enable the Hyper-V role on the virtual machine, you must first install the Hyper-V role in a Windows nested virtualization environment. +- Virtual Fibre Channel adapters aren't compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`. +- The AllowFullSCSICommandSet option for pass-through disks isn't compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`. diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md index bec34fe509..7a99baa345 100644 --- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md +++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md @@ -1,6 +1,6 @@ --- title: Deployment guidelines for Windows Defender Device Guard (Windows 10) -description: Plan your deployment of Hypervisor-Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. +description: Plan your deployment of Hypervisor-Protected Code Integrity (also known as Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies. keywords: virtualization, security, malware ms.prod: m365-security ms.mktglfcycl: deploy @@ -16,12 +16,12 @@ ms.author: dansimp ms.technology: windows-sec --- -# Baseline protections and additional qualifications for virtualization-based protection of code integrity +# Baseline protections and other qualifications for virtualization-based protection of code integrity **Applies to** - Windows 10 -Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. +Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers won't be as hardened against certain threats. For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. @@ -38,42 +38,42 @@ The following tables provide more information about the hardware, firmware, and |Baseline Protections | Description | Security benefits | |--------------------------------|----------------------------------------------------|-------------------| | Hardware: **64-bit CPU** | A 64-bit computer is required for the Windows hypervisor to provide VBS. | | -| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. | -| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. | +| Hardware: **CPU virtualization extensions**,
plus **extended page tables** | These hardware features are required for VBS:
One of the following virtualization extensions:
• VT-x (Intel) or
• AMD-V
And:
• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system can't be exploited because of this isolation. | +| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This guarantee can prevent boot kits and root kits from installing and persisting across reboots. | | Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. | -| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. | +| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware can't run in kernel. Only code verified through code integrity can run in kernel mode. | | Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise

Important:
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.

| Support for VBS and for management features. | > **Important**  The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide. -## Additional qualifications for improved security +## Other qualifications for improved security -The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met. +The following tables describe other hardware and firmware qualifications, and the improved security that is available when these qualifications are met. -### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 +### More security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4 | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| -| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. | +| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.
• In the BIOS configuration, BIOS authentication must be set.
• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.
• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This guarantee helps protect against a physically present user with BIOS access.
• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-### Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016 +### More security qualifications starting with Windows 10, version 1607, and Windows Server 2016 | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|-----| -| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. | +| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies).
• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.
• HSTI 1.1.a provides extra security assurance for correctly secured silicon and platform. | | Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. | -| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. | +| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.
• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should use ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.
• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-### Additional security qualifications starting with Windows 10, version 1703 +### More security qualifications starting with Windows 10, version 1703 | Protections for Improved Security | Description | Security benefits | |---------------------------------------------|----------------------------------------------------|------| -| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | -| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. | +| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
• UEFI runtime service must meet these requirements:
    • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
    • PE sections need to be page-aligned in memory (not required for in non-volitile storage).
    • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
        • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
        • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.

Notes:
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.


Also note the following guidelines:
• Don't use sections that are both writeable and executable
• Don't attempt to directly modify executable system memory
• Don't use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. | +| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks other security attacks against SMM. | diff --git a/windows/security/threat-protection/get-support-for-security-baselines.md b/windows/security/threat-protection/get-support-for-security-baselines.md index 2159488c70..deb5111821 100644 --- a/windows/security/threat-protection/get-support-for-security-baselines.md +++ b/windows/security/threat-protection/get-support-for-security-baselines.md @@ -17,7 +17,7 @@ ms.technology: windows-sec **What is the Microsoft Security Compliance Manager (SCM)?** -The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we have moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. +The Security Compliance Manager (SCM) is now retired and is no longer supported. The reason is that SCM was an incredibly complex and large program that needed to be updated for every Windows release. It has been replaced by the Security Compliance Toolkit (SCT). To provide a better service for our customers, we've moved to SCT with which we can publish baselines through the Microsoft Download Center in a lightweight .zip file that contains GPO backups, GPO reports, Excel spreadsheets, WMI filters, and scripts to apply the settings to local policy. More information about this change can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/security-compliance-manager-scm-retired-new-tools-and-procedures). @@ -32,11 +32,11 @@ Any version of Windows baseline before Windows 10 1703 can still be downloaded u **What file formats are supported by the new SCT?** -The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. See the LGPO documentation for more information. Keep in mind that SCM’s .cab files are no longer supported. +The toolkit supports formats created by the Windows GPO backup feature (.pol, .inf, and .csv). Policy Analyzer saves its data in XML files with a .PolicyRules file extension. LGPO also supports its own LGPO text file format as a text-based analog for the binary registry.pol file format. For more information, see the LGPO documentation. Keep in mind that SCMs' .cab files are no longer supported. **Does SCT support Desired State Configuration (DSC) file format?** -Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We are currently developing a tool to provide customers with these features. +Not yet. PowerShell-based DSC is rapidly gaining popularity, and more DSC tools are coming online to convert GPOs and DSC and to validate system configuration. We're currently developing a tool to provide customers with these features. **Does SCT support the creation of Microsoft Endpoint Manager DCM packs?** @@ -44,7 +44,7 @@ No. A potential alternative is Desired State Configuration (DSC), a feature of t **Does SCT support the creation of Security Content Automation Protocol (SCAP)-format policies?** -No. SCM supported only SCAP 1.0, which was not updated as SCAP evolved. The new toolkit likewise does not include SCAP support. +No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new toolkit likewise doesn't include SCAP support.
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index c8fafe64a7..b38ebe2069 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -12,9 +12,9 @@ ms.technology: windows-sec # What is Microsoft Baseline Security Analyzer and its uses? -Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these additional checks had not been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. +Microsoft Baseline Security Analyzer (MBSA) is used to verify patch compliance. MBSA also performed several other security checks for Windows, IIS, and SQL Server. Unfortunately, the logic behind these extra checks hadn't been actively maintained since Windows XP and Windows Server 2003. Changes in the products since then rendered many of these security checks obsolete and some of their recommendations counterproductive. -MBSA was largely used in situations where neither Microsoft Update nor a local WSUS or Configuration Manager server was available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 is not updated to fully support Windows 10 and Windows Server 2016. +MBSA was largely used in situations where Microsoft Update a local WSUS or Configuration Manager server wasn't available, or as a compliance tool to ensure that all security updates were deployed to a managed environment. While MBSA version 2.3 introduced support for Windows Server 2012 R2 and Windows 8.1, it has since been deprecated and no longer developed. MBSA 2.3 isn't updated to fully support Windows 10 and Windows Server 2016. > [!NOTE] > In accordance with our [SHA-1 deprecation initiative](https://aka.ms/sha1deprecation), the Wsusscn2.cab file is no longer dual-signed using both SHA-1 and the SHA-2 suite of hash algorithms (specifically SHA-256). This file is now signed using only SHA-256. Administrators who verify digital signatures on this file should now expect only single SHA-256 signatures. Starting with the August 2020 Wsusscn2.cab file, MBSA will return the following error "The catalog file is damaged or an invalid catalog." when attempting to scan using the offline scan file. @@ -31,7 +31,7 @@ For example: [![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it. -The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers. +The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it doesn't contain any information on non-security updates, tools or drivers. ## More Information diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md index 99819da4d5..6e85b47920 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md @@ -11,7 +11,7 @@ ms.author: deniseb ms.date: 03/10/2022 ms.reviewer: manager: dansimp -ms.custom: asr +ms.custom: sasr ms.technology: windows-sec --- @@ -36,8 +36,8 @@ These settings, located at `Computer Configuration\Administrative Templates\Netw |Policy name|Supported versions|Description| |-----------|------------------|-----------| |Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT| A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| -|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (`|`) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.

Note that this list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| -|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.

Note that this list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (`|`) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.

This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment.

This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| ## Network isolation settings wildcards @@ -54,18 +54,18 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind |Name|Supported versions|Description|Options| |-----------|------------------|-----------|-------| |Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:
- Disable the clipboard functionality completely when Virtualization Security is enabled.
- Enable copying of certain content from Application Guard into Microsoft Edge.
- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.| -|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| +|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:
- Enable Application Guard to print into the XPS format.
- Enable Application Guard to print into the PDF format.
- Enable Application Guard to print to locally attached printers.
- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.

**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.| |Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer|Windows 10 Enterprise, 1709 or higher

Windows 11|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.

**NOTE**: This action might also block assets cached by CDNs and references to analytics sites. Add them to the trusted enterprise resources to avoid broken pages.

**Disabled or not configured.** Prevents Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. | |Allow Persistence|Windows 10 Enterprise, 1709 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

**Disabled or not configured.** All user data within Application Guard is reset between sessions.

**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.

**To reset the container:**
1. Open a command-line program and navigate to `Windows/System32`.
2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.
3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.| -|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| -|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users are not able to save downloaded files from Application Guard to the host operating system.| -|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| -|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| -|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates are not shared with Microsoft Defender Application Guard.| +|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher

Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:
- Enable Microsoft Defender Application Guard only for Microsoft Edge
- Enable Microsoft Defender Application Guard only for Microsoft Office
- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office

**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office.| +|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher

Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.

**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.| +|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher

Windows 10 Pro, 1803 or higher

Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.| +|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.

**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.| +|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.

**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.| |Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher

Windows 10 Pro, 1809 or higher

Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.

**Disabled or not configured.** event logs aren't collected from your Application Guard container.| ## Application Guard support dialog settings -These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you are presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it is possible to provide additional information in the dialog box. +These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box. [Use Group Policy to enable and customize contact information](/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information#use-group-policy-to-enable-and-customize-contact-information). diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index b641427ea4..a11ce82298 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -41,16 +41,16 @@ sections: answer: | The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements. - To make sure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: + To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: - - Verify this by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. + - Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. - It must be an FQDN. A simple IP address won't work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. - question: | How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? answer: | - Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. + Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These annotations would be for the proxy policies under Network Isolation in Group Policy or Intune. - question: | Which Input Method Editors (IME) in 19H1 aren't supported? @@ -73,19 +73,19 @@ sections: - question: | I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering? answer: | - This feature is currently experimental only and isn't functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. + This feature is currently experimental only and isn't functional without an extra registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature. - question: | What is the WDAGUtilityAccount local account? answer: | - WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It is NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error: + WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It's NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error: **Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000** - question: | How do I trust a subdomain in my site list? answer: | - To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted. + To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). These two dots prevent sites such as `fakesitecontoso.com` from being trusted. - question: | Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? @@ -128,7 +128,7 @@ sections: - question: | Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file? answer: | - This is a known issue. To mitigate this you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: + This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources: - [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md) - [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md) @@ -143,7 +143,7 @@ sections: - Port 67 ### Second rule (DHCP Client) - This is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: + This rule is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps: 1. Right-click on inbound rules, and then create a new rule. @@ -171,17 +171,17 @@ sections: - question: | How can I disable portions of ICS without breaking Application Guard? answer: | - ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. + ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We don't recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys. 1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**. 2. Disable IpNat.sys from ICS load as follows:
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1` - 3. Configure ICS (SharedAccess) to enabled as follows:
+ 3. Configure ICS (SharedAccess) to be enabled as follows:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3` - 4. (This is optional) Disable IPNAT as follows:
+ 4. (This step is optional) Disable IPNAT as follows:
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4` 5. Reboot the device. @@ -210,9 +210,9 @@ sections: - `{71a27cdd-812a-11d0-bec7-08002be2092f}` - question: | - I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this? + I'm encountering TCP fragmentation issues, and can't enable my VPN connection. How do I fix this issue? answer: | - WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: + WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this solution has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`. diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index d91da6e81c..ddf7e13d0d 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -33,11 +33,11 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Hardware | Description | |--------|-----------| -| 64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +| 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| | CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**AND**

One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V | -| Hardware memory | Microsoft requires a minimum of 8GB RAM | -| Hard disk | 5 GB free space, solid state disk (SSD) recommended | -| Input/Output Memory Management Unit (IOMMU) support| Not required, but strongly recommended | +| Hardware memory | Microsoft requires a minimum of 8-GB RAM | +| Hard disk | 5-GB free space, solid state disk (SSD) recommended | +| Input/Output Memory Management Unit (IOMMU) support| Not required, but recommended | ## Software requirements @@ -45,6 +45,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions.
Windows 11 | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions aren't supported with MDAG for Professional editions.
Windows 11 | | Browser | Microsoft Edge | | Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Mirosoft MDM solutions, see the documentation that came with your product. | diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md index 9be071fa44..e6403fafa5 100644 --- a/windows/security/threat-protection/msft-security-dev-lifecycle.md +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -1,6 +1,6 @@ --- title: Microsoft Security Development Lifecycle -description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development. +description: Download the Microsoft Security Development Lifecycle white paper that covers a security assurance process focused on software development. ms.prod: m365-security author: dansimp ms.author: dansimp @@ -18,7 +18,7 @@ The Security Development Lifecycle (SDL) is a security assurance process that is [:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl) -Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. +With the help of the combination of a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. The Microsoft SDL is based on three core concepts: - Education diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md index 681a9ae413..c19f67e476 100644 --- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md +++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md @@ -22,14 +22,14 @@ Windows 10 includes Group Policy-configurable “Process Mitigation Options” t > [!IMPORTANT] > We recommend trying these mitigations in a test lab before deploying to your organization, to determine if they interfere with your organization’s required apps. -The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure additional protections. The types of process mitigations are: +The Group Policy settings in this topic are related to three types of process mitigations. In Windows 10, all three types are on by default for 64-bit applications, but by using the Group Policy settings described in this topic, you can configure more protections. The types of process mitigations are: - **Data Execution Prevention (DEP)** is a system-level memory protection feature that enables the operating system to mark one or more pages of memory as non-executable, preventing code from being run from that region of memory, to help prevent exploitation of buffer overruns. DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. For more information, see [Data Execution Prevention](overview-of-threat-mitigations-in-windows-10.md#data-execution-prevention). -- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). +- **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. For more information, see [Structured Exception Handling Overwrite Protection](overview-of-threat-mitigations-in-windows-10.md#structured-exception-handling-overwrite-protection). - **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time to mitigate against malware that’s designed to attack specific memory locations, where specific DLLs are expected to be loaded. For more information, see [Address Space Layout Randomization](overview-of-threat-mitigations-in-windows-10.md#address-space-layout-randomization). - To find additional ASLR protections in the table below, look for `IMAGES` or `ASLR`. + To find more ASLR protections in the table below, look for `IMAGES` or `ASLR`. The following procedure describes how to use Group Policy to override individual **Process Mitigation Options** settings. diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md index 436d94ab00..804ade53d1 100644 --- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md +++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md @@ -21,7 +21,7 @@ This topic provides an overview of some of the software and firmware threats fac |--------------|-------------------------| | [The security threat landscape](#threat-landscape) | Describes the current nature of the security threat landscape, and outlines how Windows 10 is designed to mitigate software exploits and similar threats. | | [Windows 10 mitigations that you can configure](#windows-10-mitigations-that-you-can-configure) | Provides tables of configurable threat mitigations with links to more information. Product features such as Device Guard appear in [Table 1](#windows-10-mitigations-that-you-can-configure), and memory protection options such as Data Execution Prevention appear in [Table 2](#table-2). | -| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they are built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. | +| [Mitigations that are built in to Windows 10](#mitigations-that-are-built-in-to-windows-10) | Provides descriptions of Windows 10 mitigations that require no configuration—they're built into the operating system. For example, heap protections and kernel pool protections are built into Windows 10. | | [Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit](#understanding-windows-10-in-relation-to-the-enhanced-mitigation-experience-toolkit) | Describes how mitigations in the [Enhanced Mitigation Experience Toolkit (EMET)](https://www.microsoft.com/download/details.aspx?id=48240) correspond to features built into Windows 10 and how to convert EMET settings into mitigation policies for Windows 10. | This topic focuses on pre-breach mitigations aimed at device protection and threat resistance. These protections work with other security defenses in Windows 10, as shown in the following illustration: @@ -60,7 +60,7 @@ Windows 10 mitigations that you can configure are listed in the following two ta | **Device Guard**
helps keep a device
from running malware or
other untrusted apps | Device Guard includes a Code Integrity policy that you create; an allowlist of trusted apps—the only apps allowed to run in your organization. Device Guard also includes a powerful system mitigation called hypervisor-protected code integrity (HVCI), which uses virtualization-based security (VBS) to protect Windows' kernel-mode code integrity validation process. HVCI has specific hardware requirements, and works with Code Integrity policies to help stop attacks even if they gain access to the kernel.
Device Guard is included in Windows 10 Enterprise and Windows Server 2016.

**More information**: [Introduction to Device Guard](/windows/device-security/device-guard/introduction-to-device-guard-virtualization-based-security-and-code-integrity-policies) | | **Microsoft Defender Antivirus**,
which helps keep devices
free of viruses and other
malware | Windows 10 includes Microsoft Defender Antivirus, a robust inbox anti-malware solution. Microsoft Defender Antivirus has been improved to a considerable extent since it was introduced in Windows 8.

**More information**: [Microsoft Defender Antivirus](#microsoft-defender-antivirus), later in this topic | | **Blocking of untrusted fonts**
helps prevent fonts
from being used in
elevation-of-privilege attacks | Block Untrusted Fonts is a setting that allows you to prevent users from loading fonts that are "untrusted" onto your network, which can mitigate elevation-of-privilege attacks associated with the parsing of font files. However, as of Windows 10, version 1703, this mitigation is less important, because font parsing is isolated in an [AppContainer sandbox](/windows/win32/secauthz/appcontainer-isolation) (for a list describing this and other kernel pool protections, see [Kernel pool protections](#kernel-pool-protections), later in this topic).

**More information**: [Block untrusted fonts in an enterprise](/windows/threat-protection/block-untrusted-fonts-in-enterprise) | -| **Memory protections**
help prevent malware
from using memory manipulation
techniques such as buffer
overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
A subset of apps will not be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

**More information**: [Table 2](#table-2), later in this topic | +| **Memory protections**
help prevent malware
from using memory manipulation
techniques such as buffer
overruns | These mitigations, listed in [Table 2](#table-2), help to protect against memory-based attacks, where malware or other code manipulates memory to gain control of a system (for example, malware that attempts to use buffer overruns to inject malicious executable code into memory. Note:
A subset of apps won't be able to run if some of these mitigations are set to their most restrictive settings. Testing can help you maximize protection while still allowing these apps to run.

**More information**: [Table 2](#table-2), later in this topic | | **UEFI Secure Boot**
helps protect
the platform from
boot kits and rootkits | Unified Extensible Firmware Interface (UEFI) Secure Boot is a security standard for firmware built in to PCs by manufacturers beginning with Windows 8. It helps to protect the boot process and firmware against tampering, such as from a physically present attacker or from forms of malware that run early in the boot process or in kernel after startup.

**More information**: [UEFI and Secure Boot](/windows/device-security/bitlocker/bitlocker-countermeasures#uefi-and-secure-boot) | | **Early Launch Antimalware (ELAM)**
helps protect
the platform from
rootkits disguised as drivers | Early Launch Antimalware (ELAM) is designed to enable the anti-malware solution to start before all non-Microsoft drivers and apps. If malware modifies a boot-related driver, ELAM will detect the change, and Windows will prevent the driver from starting, thus blocking driver-based rootkits.

**More information**: [Early Launch Antimalware](/windows/device-security/bitlocker/bitlocker-countermeasures#protection-during-startup) | | **Device Health Attestation**
helps prevent
compromised devices from
accessing an organization's
assets | Device Health Attestation (DHA) provides a way to confirm that devices attempting to connect to an organization's network are in a healthy state, not compromised with malware. When DHA has been configured, a device's actual boot data measurements can be checked against the expected "healthy" boot data. If the check indicates a device is unhealthy, the device can be prevented from accessing the network.

**More information**: [Control the health of Windows 10-based devices](/windows/device-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices) and [Device Health Attestation](/windows-server/security/device-health-attestation) | @@ -73,8 +73,8 @@ As an IT professional, you can ask application developers and software vendors t | Mitigation and corresponding threat | Description | |---|---| -| **Data Execution Prevention (DEP)**
helps prevent
exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, most applications do not.
**More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.

**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure more DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | -| **SEHOP**
helps prevent
overwrites of the
Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they have been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
**More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure more SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **Data Execution Prevention (DEP)**
helps prevent
exploitation of buffer overruns | **Data Execution Prevention (DEP)** is a system-level memory protection feature available in Windows operating systems. DEP enables the operating system to mark one or more pages of memory as non-executable, which prevents code from being run from that region of memory, to help prevent exploitation of buffer overruns.
DEP helps prevent code from being run from data pages such as the default heap, stacks, and memory pools. Although some applications have compatibility problems with DEP, most applications don't.
**More information**: [Data Execution Prevention](#data-execution-prevention), later in this topic.

**Group Policy settings**: DEP is on by default for 64-bit applications, but you can configure more DEP protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | +| **SEHOP**
helps prevent
overwrites of the
Structured Exception Handler | **Structured Exception Handling Overwrite Protection (SEHOP)** is designed to help block exploits that use the Structured Exception Handler (SEH) overwrite technique. Because this protection mechanism is provided at run-time, it helps to protect apps regardless of whether they've been compiled with the latest improvements. A few applications have compatibility problems with SEHOP, so be sure to test for your environment.
**More information**: [Structured Exception Handling Overwrite Protection](#structured-exception-handling-overwrite-protection), later in this topic.

**Group Policy setting**: SEHOP is on by default for 64-bit applications, but you can configure more SEHOP protections by using the Group Policy setting described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | | **ASLR**
helps mitigate malware
attacks based on
expected memory locations | **Address Space Layout Randomization (ASLR)** loads DLLs into random memory addresses at boot time. This loading - of specific DLLs -helps mitigate malware that's designed to attack specific memory locations.
**More information**: [Address Space Layout Randomization](#address-space-layout-randomization), later in this topic.

**Group Policy settings**: ASLR is on by default for 64-bit applications, but you can configure more ASLR protections by using the Group Policy settings described in [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). | ### Windows Defender SmartScreen @@ -147,7 +147,7 @@ You can use Control Panel to view or change DEP settings. - **Turn on DEP for essential Windows programs and services only** - - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP will not be turned on. + - **Turn on DEP for all programs and services except those I select**. If you choose this option, use the **Add** and **Remove** buttons to create the list of exceptions for which DEP won't be turned on. #### To use Group Policy to control DEP settings @@ -155,7 +155,7 @@ You can use the Group Policy setting called **Process Mitigation Options** to co ### Structured Exception Handling Overwrite Protection -Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handling](/windows/win32/debug/structured-exception-handling) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they have been compiled with the latest improvements. +Structured Exception Handling Overwrite Protection (SEHOP) helps prevent attackers from being able to use malicious code to exploit the [Structured Exception Handling](/windows/win32/debug/structured-exception-handling) (SEH), which is integral to the system and allows (non-malicious) apps to handle exceptions appropriately. Because this protection mechanism is provided at run-time, it helps to protect applications regardless of whether they've been compiled with the latest improvements. You can use the Group Policy setting called **Process Mitigation Options** to control the SEHOP setting. A few applications have compatibility problems with SEHOP, so be sure to test for your environment. To use the Group Policy setting, see [Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md). @@ -163,7 +163,7 @@ You can use the Group Policy setting called **Process Mitigation Options** to co One of the most common techniques used to gain access to a system is to find a vulnerability in a privileged process that is already running, guess or find a location in memory where important system code and data have been placed, and then overwrite that information with a malicious payload. Any malware that could write directly to the system memory could overwrite it in well-known and predictable locations. -Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. +Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it's more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts. :::image type="content" alt-text="ASLR at work." source="images/security-fig4-aslr.png" lightbox="images/security-fig4-aslr.png"::: @@ -175,9 +175,9 @@ You can use the Group Policy setting called **Process Mitigation Options** to co ## Mitigations that are built in to Windows 10 -Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The table that follows describes some of these mitigations. +Windows 10 provides many threat mitigations to protect against exploits that are built into the operating system and need no configuration within the operating system. The subsequent table describes some of these mitigations. -Control Flow Guard (CFG) is a mitigation that does not need configuration within the operating system, but does require an application developer to configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they are compiled. +Control Flow Guard (CFG) is a mitigation that doesn't need configuration within the operating system, but does require an application developer to configure the mitigation into the application when it's compiled. CFG is built into Microsoft Edge, IE11, and other areas in Windows 10, and can be built into many other applications when they're compiled. ### Table 3   Windows 10 mitigations to protect against memory exploits – no configuration needed @@ -188,7 +188,7 @@ Control Flow Guard (CFG) is a mitigation that does not need configuration within | **Universal Windows apps protections**
screen downloadable
apps and run them in
an AppContainer sandbox | Universal Windows apps are carefully screened before being made available, and they run in an AppContainer sandbox with limited privileges and capabilities.

**More information**: [Universal Windows apps protections](#universal-windows-apps-protections), later in this topic. | | **Heap protections**
help prevent
exploitation of the heap | Windows 10 includes protections for the heap, such as the use of internal data structures that help protect against corruption of memory used by the heap.

**More information**: [Windows heap protections](#windows-heap-protections), later in this topic. | | **Kernel pool protections**
help prevent
exploitation of pool memory
used by the kernel | Windows 10 includes protections for the pool of memory used by the kernel. For example, safe unlinking protects against pool overruns that are combined with unlinking operations that can be used to create an attack.

**More information**: [Kernel pool protections](#kernel-pool-protections), later in this topic. | -| **Control Flow Guard**
helps mitigate exploits
based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It is built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this attempt occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | +| **Control Flow Guard**
helps mitigate exploits
based on
flow between code locations
in memory | Control Flow Guard (CFG) is a mitigation that requires no configuration within the operating system, but instead is built into software when it's compiled. It's built into Microsoft Edge, IE11, and other areas in Windows 10. CFG can be built into applications written in C or C++, or applications compiled using Visual Studio 2015.
For such an application, CFG can detect an attacker's attempt to change the intended flow of code. If this attempt occurs, CFG terminates the application. You can request software vendors to deliver Windows applications compiled with CFG enabled.

**More information**: [Control Flow Guard](#control-flow-guard), later in this topic. | | **Protections built into Microsoft Edge** (the browser)
helps mitigate multiple
threats | Windows 10 includes an entirely new browser, Microsoft Edge, designed with multiple security improvements.

**More information**: [Microsoft Edge and Internet Explorer 11](#microsoft-edge-and-internet-explorer11), later in this topic. | ### SMB hardening improvements for SYSVOL and NETLOGON shares @@ -206,7 +206,7 @@ With Protected Processes, Windows 10 prevents untrusted processes from interacti ### Universal Windows apps protections -When users download Universal Windows apps from the Microsoft Store, it's unlikely that they will encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. +When users download Universal Windows apps from the Microsoft Store, it's unlikely that they'll encounter malware because all apps go through a careful screening process before being made available in the store. Apps that organizations build and distribute through sideloading processes will need to be reviewed internally to ensure that they meet organizational security requirements. Regardless of how users acquire Universal Windows apps, they can use them with increased confidence. Universal Windows apps run in an AppContainer sandbox with limited privileges and capabilities. For example, Universal Windows apps have no system-level access, have tightly controlled interactions with other apps, and have no access to data unless the user explicitly grants the application permission. @@ -226,7 +226,7 @@ Windows 10 has several important improvements to the security of the heap: ### Kernel pool protections -The operating system kernel in Windows sets aside two pools of memory, one which remains in physical memory ("nonpaged pool") and one that can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. +The operating system kernel in Windows sets aside two pools of memory, one that remains in physical memory ("nonpaged pool") and one that can be paged in and out of physical memory ("paged pool"). There are many mitigations that have been added over time, such as process quota pointer encoding; lookaside, delay free, and pool page cookies; and PoolIndex bounds checks. Windows 10 adds multiple "pool hardening" protections, such as integrity checks, that help protect the kernel pool against more advanced attacks. In addition to pool hardening, Windows 10 includes other kernel hardening features: @@ -240,23 +240,23 @@ In addition to pool hardening, Windows 10 includes other kernel hardening featur - **Safe unlinking:** Helps protect against pool overruns that are combined with unlinking operations to create an attack. Windows 10 includes global safe unlinking, which extends heap and kernel pool safe unlinking to all usage of LIST\_ENTRY and includes the "FastFail" mechanism to enable rapid and safe process termination. -- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps are not allowed to allocate that portion of the memory. This allocation for the system makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory. +- **Memory reservations**: The lowest 64 KB of process memory is reserved for the system. Apps aren't allowed to allocate that portion of the memory. This allocation for the system makes it more difficult for malware to use techniques such as "NULL dereference" to overwrite critical system data structures in memory. ### Control Flow Guard -When applications are loaded into memory, they are allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls the other code located in other memory addresses. The relationships between the code locations are well known—they are written in the code itself—but previous to Windows 10, the flow between these locations was not enforced, which gave attackers the opportunity to change the flow to meet their needs. +When applications are loaded into memory, they're allocated space based on the size of the code, requested memory, and other factors. When an application begins to execute code, it calls the other code located in other memory addresses. The relationships between the code locations are well known—they're written in the code itself—but previous to Windows 10, the flow between these locations wasn't enforced, which gave attackers the opportunity to change the flow to meet their needs. -This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location is not trusted, the application is immediately terminated as a potential security risk. +This kind of threat is mitigated in Windows 10 through the Control Flow Guard (CFG) feature. When a trusted application that was compiled to use CFG calls code, CFG verifies that the code location called is trusted for execution. If the location isn't trusted, the application is immediately terminated as a potential security risk. -An administrator cannot configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](/windows/win32/secbp/control-flow-guard). +An administrator can't configure CFG; rather, an application developer can take advantage of CFG by configuring it when the application is compiled. Consider asking application developers and software vendors to deliver trustworthy Windows applications compiled with CFG enabled. For example, it can be enabled for applications written in C or C++, or applications compiled using Visual Studio 2015. For information about enabling CFG for a Visual Studio 2015 project, see [Control Flow Guard](/windows/win32/secbp/control-flow-guard). Browsers are a key entry point for attacks, so Microsoft Edge, IE, and other Windows features take full advantage of CFG. ### Microsoft Edge and Internet Explorer 11 -Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users cannot perform at least part of their job without a browser, and many users are reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. +Browser security is a critical component of any security strategy, and for good reason: the browser is the user's interface to the Internet, an environment with many malicious sites and content waiting to attack. Most users can't perform at least part of their job without a browser, and many users are reliant on one. This reality has made the browser the common pathway from which malicious hackers initiate their attacks. -All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples are Flash and Java extensions that enable their respective applications to run inside a browser. Keeping Windows 10 secure for web browsing and applications, especially for these two content types, is a priority. +All browsers enable some amount of extensibility to do things beyond the original scope of the browser. Two common examples are Flash and Java extensions that enable their respective applications to run inside a browser. The security of Windows 10 for the purposes of web browsing and applications, especially for these two content types, is a priority. Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is more secure in multiple ways, especially: @@ -270,13 +270,13 @@ Windows 10 includes an entirely new browser, Microsoft Edge. Microsoft Edge is m - **Simplifies security configuration tasks.** Because Microsoft Edge uses a simplified application structure and a single sandbox configuration, there are fewer required security settings. In addition, Microsoft Edge default settings align with security best practices, making it more secure by default. -In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that do not work with Microsoft Edge. You cannot configure it as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. +In addition to Microsoft Edge, Microsoft includes IE11 in Windows 10, primarily for backwards-compatibility with websites and with binary extensions that don't work with Microsoft Edge. You can't configure it as the primary browser but rather as an optional or automatic switchover. We recommend using Microsoft Edge as the primary web browser because it provides compatibility with the modern web and the best possible security. For sites that require IE11 compatibility, including those sites that require binary extensions and plug-ins, enable Enterprise mode and use the Enterprise Mode Site List to define which sites have the dependency. With this configuration, when Microsoft Edge identifies a site that requires IE11, users will automatically be switched to IE11. ### Functions that software vendors can use to build mitigations into apps -Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you are working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps. +Some of the protections available in Windows 10 are provided through functions that can be called from apps or other software. Such software is less likely to provide openings for exploits. If you're working with a software vendor, you can request that they include these security-oriented functions in the application. The following table lists some types of mitigations and the corresponding security-oriented functions that can be used in apps. > [!NOTE] > Control Flow Guard (CFG) is also an important mitigation that a developer can include in software when it is compiled. For more information, see [Control Flow Guard](#control-flow-guard), earlier in this topic. @@ -297,7 +297,7 @@ Some of the protections available in Windows 10 are provided through functions t ## Understanding Windows 10 in relation to the Enhanced Mitigation Experience Toolkit -You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/topic/emet-mitigations-guidelines-b529d543-2a81-7b5a-d529-84b30e1ecee0), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore have not been brought into Windows 10. +You might already be familiar with the [Enhanced Mitigation Experience Toolkit (EMET)](https://support.microsoft.com/topic/emet-mitigations-guidelines-b529d543-2a81-7b5a-d529-84b30e1ecee0), which has since 2009 offered various exploit mitigations, and an interface for configuring those mitigations. You can use this section to understand how EMET mitigations relate to those mitigations in Windows 10. Many of EMET's mitigations have been built into Windows 10, some with extra improvements. However, some EMET mitigations carry high-performance cost, or appear to be relatively ineffective against modern threats, and therefore haven't been brought into Windows 10. Because many of EMET's mitigations and security mechanisms already exist in Windows 10 and have been improved, particularly the ones assessed to have high effectiveness at mitigating known bypasses, version 5.5*x* has been announced as the final major version release for EMET (see [Enhanced Mitigation Experience Toolkit](https://web.archive.org/web/20170928073955/https://technet.microsoft.com/en-US/security/jj653751)). @@ -310,7 +310,7 @@ The following table lists EMET features in relation to Windows 10 features. |

  • DEP
  • SEHOP
  • ASLR (Force ASLR, Bottom-up ASLR)|DEP, SEHOP, and ASLR are included in Windows 10 as configurable features. See [Table 2](#table-2), earlier in this topic.You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10.| |
  • Load Library Check (LoadLib)
  • Memory Protection Check (MemProt)|LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See [Table 4](#functions-that-software-vendors-can-use-to-build-mitigations-into-apps), earlier in this topic.| |Null Page|Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in [Kernel pool protections](#kernel-pool-protections), earlier in this topic.| -|
  • Heap Spray
  • EAF
  • EAF+|Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.| +|
  • Heap Spray
  • EAF
  • EAF+|Windows 10 doesn't include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and don't significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them.| |
  • Caller Check
  • Simulate Execution Flow
  • Stack Pivot
  • Deep Hooks (an ROP "Advanced Mitigation")
  • Anti Detours (an ROP "Advanced Mitigation")
  • Banned Functions (an ROP "Advanced Mitigation")|Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in [Control Flow Guard](#control-flow-guard), earlier in this topic.| ### Converting an EMET XML settings file into Windows 10 mitigation policies diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index ed70e30816..36714ba7df 100644 --- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -35,7 +35,7 @@ Windows 10 is an important component of an end-to-end security solution that foc ## Description of a robust end-to-end security solution -Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there is no doubt that malware now targets both consumers and professionals in all industries. +Today’s computing threat landscape is increasing at a speed never encountered before. The sophistication of criminal attacks is growing, and there's no doubt that malware now targets both consumers and professionals in all industries. During recent years, one particular category of threat has become prevalent: advanced persistent threats (APTs). The term APT is commonly used to describe any attack that seems to target individual organizations on an on-going basis. In fact, this type of attack typically involves determined adversaries who may use any methods or techniques necessary. @@ -61,7 +61,7 @@ The following figure shows a solution built to assess device health from the clo Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot. -Secure Boot is a firmware validation process that helps prevent rootkit attacks; it is part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems. +Secure Boot is a firmware validation process that helps prevent rootkit attacks; it's part of the UEFI specification. The intent of UEFI is to define a standard way for the operating system to communicate with modern hardware, which can perform faster and with more efficient input/output (I/O) functions than older, software interrupt-driven BIOS systems. A device health attestation module can communicate measured boot data that is protected by a Trusted Platform Module (TPM) to a remote service. After the device successfully boots, boot process measurement data is sent to a trusted cloud service (Health Attestation Service) using a more secure and tamper-resistant communication channel. @@ -118,7 +118,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik Windows 10 uses security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation. - A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other: + A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that aren't compatible with each other: - The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard. - The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015. @@ -149,15 +149,15 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik The most basic protection is the Secure Boot feature, which is a standard part of the UEFI 2.2+ architecture. On a PC with conventional BIOS, anyone who can take control of the boot process can boot by using an alternative OS loader, and potentially gain access to system resources. When Secure Boot is enabled, you can boot using only an OS loader that’s signed using a certificate stored in the UEFI Secure Boot DB. Naturally, the Microsoft certificate used to digitally sign the Windows 10 OS loaders are in that store, which allows UEFI to validate the certificate as part of its security policy. Secure Boot must be enabled by default on all computers that are certified for Windows 10 under the Windows Hardware Compatibility Program. Secure Boot is a UEFI firmware-based feature, which allows for the signing and verification of critical boot files and drivers at boot time. Secure Boot checks signature values of the Windows Boot Manager, BCD store, Windows OS loader file, and other boot critical DLLs at boot time before the system is allowed to fully boot into a usable operating system by using policies that are defined by the OEM at build time. Secure Boot prevents many types of boot-based rootkit, malware, and other security-related attacks against the Windows platform. Secure Boot protects the operating system boot process whether booting from local hard disk, USB, PXE, or DVD, or into full Windows or Windows Recovery Environment (RE). - Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity did not compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. + Secure Boot protects the boot environment of a Windows 10 installation by verifying the signatures of the critical boot components to confirm malicious activity didn't compromise them. Secure Boot protection ends after the Windows kernel file (ntoskrnl.exe) has been loaded. > [!NOTE] > Secure Boot protects the platform until the Windows kernel is loaded. Then protections like ELAM take over. - **Secure Boot configuration policy.** Extends Secure Boot functionality to critical Windows 10 configuration. - Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) cannot be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. - Secure Boot configuration policy does this with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. + Examples of protected configuration information include protecting Disable Execute bit (NX option) or ensuring that the test signing policy (code integrity) can't be enabled. This protective action ensures that the binaries and configuration of the computer can be trusted after the boot process has completed. + Secure Boot configuration policy does this protective action with UEFI policy. These signatures for these policies are signed in the same way that operating system binaries are signed for use with Secure Boot. The Secure Boot configuration policy must be signed by a private key that corresponds to one of the public keys stored in the Key Exchange Key (KEK) list. The Microsoft Certificate Authority (CA) will be present in the KEK list of all Windows certified Secure Boot systems. By default, a policy signed by the Microsoft KEK shall be work on all Secure Boot systems. BootMgr must verify the signature against the KEK list before applying a signed policy. With Windows 10, the default Secure Boot configuration policy is embedded in bootmgr. @@ -165,7 +165,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik - **Early Launch Antimalware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. - Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run very early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. + Traditional antimalware apps don’t start until after the boot drivers have been loaded, which gives a rootkit that is disguised as a driver the opportunity to work. ELAM is a Windows mechanism introduced in a previous version of Windows that allows antimalware software to run early in the boot sequence. Thus, the antimalware component is the first third-party component to run and control the initialization of other boot drivers until the Windows operating system is operational. When the system is started with a complete runtime environment (network access, storage, and so on), then a full-featured antimalware is loaded. ELAM can load a Microsoft or non-Microsoft antimalware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: Examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. @@ -174,8 +174,8 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik The ELAM signed driver is loaded before any other third-party drivers or applications, which allows the antimalware software to detect and block any attempts to tamper with the boot process by trying to load unsigned or untrusted code. - The ELAM driver is a small driver with a small policy database that has a very narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). -- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a completely new enforced security boundary that allows you to protect critical parts of Windows 10. + The ELAM driver is a small driver with a small policy database that has a narrow scope, focused on drivers that are loaded early at system launch. The policy database is stored in a registry hive that is also measured to the TPM, to record the operational parameters of the ELAM driver. An ELAM driver must be signed by Microsoft and the associated certificate must contain the complementary EKU (1.3.6.1.4.1.311.61.4.1). +- **Virtualization-based security (Hyper-V + Secure Kernel).** Virtualization-based security is a new enforced security boundary that allows you to protect critical parts of Windows 10. Virtualization-based security isolates sensitive code like Kernel Mode Code Integrity or sensitive corporate domain credentials from the rest of the Windows operating system. For more information, see [Virtualization-based security](#virtual) section. @@ -183,7 +183,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik When enabled and configured, Windows 10 can start the Hyper-V virtualization-based security services. HVCI helps protect the system core (kernel), privileged drivers, and system defenses, like antimalware solutions, by preventing malware from running early in the boot process, or after startup. - HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code cannot be directly modified. + HVCI uses virtualization-based security to isolate Code Integrity, the only way kernel memory can become executable is through a Code Integrity verification. This dependency on verification means that kernel memory pages can never be Writable and Executable (W+X) and executable code can't be directly modified. > [!NOTE] > Device Guard devices that run Kernel Mode Code Integrity with virtualization-based security must have compatible drivers. For additional information, please read the [Driver compatibility with Device Guard in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=691612) blog post. @@ -199,7 +199,7 @@ Windows 10 supports features to help prevent sophisticated low-level malware lik - **Health attestation.** The device’s firmware logs the boot process, and Windows 10 can send it to a trusted server that can check and assess the device’s health. - Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they are taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and cannot be changed unless the system is reset. + Windows 10 takes measurements of the UEFI firmware and each of the Windows and antimalware components are made as they load during the boot process. Additionally, they're taken and measured sequentially, not all at once. When these measurements are complete, their values are digitally signed and stored securely in the TPM and can't be changed unless the system is reset. For more information, see [Secured Boot and Measured Boot: Hardening Early Boot Components Against Malware](/previous-versions/windows/hardware/design/dn653311(v=vs.85)). @@ -217,7 +217,7 @@ The following Windows 10 services are protected with virtualization-based securi - **Credential Guard** (LSA Credential Isolation): prevents pass-the-hash attacks and enterprise credential theft that happens by reading and dumping the content of lsass memory - **Device Guard** (Hyper-V Code Integrity): Device Guard uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, which lets the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy. In effect, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container. -- **Other isolated services**: for example, on Windows Server 2016, there is the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. +- **Other isolated services**: for example, on Windows Server 2016, there's the vTPM feature that allows you to have encrypted virtual machines (VMs) on servers. > [!NOTE] > Virtualization-based security is only available with Windows 10 Enterprise. Virtualization-based security requires devices with UEFI (2.3.1 or higher) with Secure Boot enabled, x64 processor with Virtualization Extensions and SLAT enabled. IOMMU, TPM 2.0. and support for Secure Memory overwritten are optional, but recommended. @@ -234,18 +234,18 @@ remote machines, which mitigates many PtH-style attacks. Credential Guard helps protect credentials by encrypting them with either a per-boot or persistent key: -- **The per-boot key** is used for any in-memory credentials that do not require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key. +- **The per-boot key** is used for any in-memory credentials that don't require persistence. An example of such a credential would be a ticket-granting ticket (TGT) session key. This key is negotiated with a Key Distribution Center (KDC) every time authentication occurs and is protected with a per-boot key. - **The persistent key**, or some derivative, is used to help protect items that are stored and reloaded after a reboot. Such protection is intended for long-term storage, and must be protected with a consistent key. Credential Guard is activated by a registry key and then enabled by using a UEFI variable. This activation is done to protect against remote modifications of the configuration. The use of a UEFI variable implies that physical access is required to change the configuration. When lsass.exe detects that credential isolation is enabled, it then spawns LsaIso.exe as an isolated process, which ensures that it runs within isolated user mode. The startup of LsaIso.exe is performed before initialization of a security support provider, which ensures that the secure mode support routines are ready before any authentication begins. ### Device Guard -Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those that are trusted by the organization. +Device Guard is a new feature of Windows 10 Enterprise that allows organizations to lock down a device to help protect it from running untrusted software. In this configuration, the only applications allowed to run are those applications that are trusted by the organization. The trust decision to execute code is performed by using Hyper-V Code Integrity, which runs in virtualization-based security, a Hyper-V protected container that runs alongside regular Windows. -Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10 kernel-mode drivers must be digitally signed. +Hyper-V Code Integrity is a feature that validates the integrity of a driver or system file each time it's loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with Administrator privileges. On x64-based versions of Windows 10, kernel-mode drivers must be digitally signed. > [!NOTE] > Independently of activation of Device Guard Policy, [Windows 10 by default raises the bar for what runs in the kernel](https://go.microsoft.com/fwlink/p/?LinkId=691613). Windows 10 drivers must be signed by Microsoft, and more specifically, by the WHQL (Windows Hardware Quality Labs) portal. Additionally, starting in October 2015, the WHQL portal will only accept driver submissions, including both kernel and user mode driver submissions, that have a valid Extended Validation (“EV”) Code Signing Certificate. @@ -264,7 +264,7 @@ Device Guard needs to be planned and configured to be truly effective. It isn't There are three different parts that make up the Device Guard solution in Windows 10: - The first part is a base **set of hardware security features** introduced with the previous version of Windows. TPM for hardware cryptographic operations and UEFI with modern firmware, along with Secure Boot, allows you to control what the device is running when the systems start. -- After the hardware security feature, there is the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. +- After the hardware security feature, there's the code integrity engine. In Windows 10, **Code Integrity is now fully configurable** and now resides in Isolated user mode, a part of the memory that is protected by virtualization-based security. - The last part of Device Guard is **manageability**. Code Integrity configuration is exposed through specific Group Policy Objects, PowerShell cmdlets, and MDM configuration service providers (CSPs). For more information on how to deploy Device Guard in an enterprise, see the [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide). @@ -280,9 +280,9 @@ SAWs are computers that are built to help significantly reduce the risk of compr To protect high-value assets, SAWs are used to make secure connections to those assets. -Similarly, on corporate fully-managed workstations, where applications are installed by using a distribution tool like Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, then Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. +Similarly, on corporate fully managed workstations, where applications are installed by using a distribution tool like Microsoft Endpoint Configuration Manager, Intune, or any third-party device management, then Device Guard is applicable. In that type of scenario, the organization has a good idea of the software that an average user is running. -It could be challenging to use Device Guard on corporate, lightly-managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. +It could be challenging to use Device Guard on corporate, lightly managed workstations where the user is typically allowed to install software on their own. When an organization offers great flexibility, it’s difficult to run Device Guard in enforcement mode. Nevertheless, Device Guard can be run in Audit mode, and in that case, the event log will contain a record of any binaries that violated the Device Guard policy. When Device Guard is used in Audit mode, organizations can get rich data about drivers and applications that users install and run. Before you can benefit from the protection included in Device Guard, Code Integrity policy must be created by using tools provided by Microsoft, but the policy can be deployed with common management tools, like Group Policy. The Code Integrity policy is a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10, along with restrictions on Windows 10 script hosts. Device Guard Code Integrity policy restricts what code can run on a device. @@ -291,7 +291,7 @@ Before you can benefit from the protection included in Device Guard, Code Integr Signed Device Guard policy offers stronger protection against a malicious local administrator trying to defeat Device Guard. -When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable which offers tampering protection. The only way to update the Device Guard policy subsequently is to provide a new version of the policy signed by the same signer or from a signer specified as part of the +When the policy is signed, the GUID of the policy is stored in a UEFI pre-OS secure variable that offers tampering protection. The only way to update the Device Guard policy later is to provide a new version of the policy signed by the same signer or from a signer specified as part of the Device Guard policy into the UpdateSigner section. ### The importance of signing applications @@ -301,13 +301,13 @@ On computers with Device Guard, Microsoft proposes to move from a world where un With Windows 10, organizations will make line-of-business (LOB) apps available to members of the organization through the Microsoft Store infrastructure. More specifically, LOB apps will be available in a private store within the public Microsoft Store. Microsoft Store signs and distributes Universal Windows apps and Classic Windows apps. All apps downloaded from the Microsoft Store are signed. -In organizations today, many LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for a variety of reasons, like the lack of code signing expertise. Even if code signing is a best practice, a lot of internal applications are not signed. +In organizations today, many LOB applications are unsigned. Code signing is frequently viewed as a tough problem to solve for various reasons, like the lack of code signing expertise. Even if code signing is a best practice, many internal applications aren't signed. -Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create additional signatures that can be distributed along with existing applications. +Windows 10 includes tools that allow IT pros to take applications that have been already packaged and run them through a process to create more signatures that can be distributed along with existing applications. ### Why are antimalware and device management solutions still necessary? -Although allow-list mechanisms are efficient at ensuring that only trusted applications can be run, they cannot prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities. +Although allowlist mechanisms are efficient at ensuring that only trusted applications can be run, they can't prevent the compromise of a trusted (but vulnerable) application by malicious content designed to exploit a known vulnerability. Device Guard doesn’t protect against user mode malicious code run by exploiting vulnerabilities. Vulnerabilities are weaknesses in software that could allow an attacker to compromise the integrity, availability, or confidentiality of the device. Some of the worst vulnerabilities allow attackers to exploit the compromised device by causing it to run malicious code without the user’s knowledge. @@ -321,7 +321,7 @@ MDM solutions are becoming prevalent as a light-weight device management technol ### Device health attestation -Device health attestation leverages the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. +Device health attestation uses the TPM to provide cryptographically strong and verifiable measurements of the chain of software used to boot the device. For Windows 10-based devices, Microsoft introduces a new public API that will allow MDM software to access a remote attestation service called Windows Health Attestation Service. A health attestation result, in addition with other elements, can be used to allow or deny access to networks, apps, or services, based on whether devices prove to be healthy. @@ -335,21 +335,21 @@ The following table details the hardware requirements for both virtualization-ba |--- |--- | |UEFI 2.3.1 or later firmware with Secure Boot enabled|Required to support UEFI Secure Boot.

    UEFI Secure Boot ensures that the device boots only authorized code.

    Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”| |Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security.

    **Note:** Device Guard can be enabled without using virtualization-based security.
    | -|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).

    Direct Memory Access (DMA) protection can be enabled to provide additional memory protection but requires processors to include DMA protection technologies.| +|X64 processor|Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86).

    Direct Memory Access (DMA) protection can be enabled to provide extra memory protection but requires processors to include DMA protection technologies.| |IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.| -|Trusted Platform Module (TPM)|Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| +|Trusted Platform Module (TPM)|Required to support health attestation and necessary for other key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| -This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. +This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach help to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. ## Detect an unhealthy Windows 10-based device -As of today, many organizations only consider devices to be compliant with company policy after they’ve passed a variety of checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. +As of today, many organizations only consider devices to be compliant with company policy after they’ve passed various checks that show, for example, that the operating system is in the correct state, properly configured, and has security protection enabled. Unfortunately, with today’s systems, this form of reporting isn't entirely reliable because malware can spoof a software statement about system health. A rootkit, or a similar low-level exploit, can report a false healthy state to traditional compliance tools. The biggest challenge with rootkits is that they can be undetectable to the client. Because they start before antimalware, and they have system-level privileges, they can completely disguise themselves while continuing to access system resources. As a result, traditional computers infected with rootkits appear to be healthy, even with antimalware running. -As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because, health attestation leverages the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. +As previously discussed, the health attestation feature of Windows 10 uses the TPM hardware component to securely record a measurement of every boot-related component, including firmware, Windows 10 kernel, and even early boot drivers. Because health attestation uses the hardware-based security capabilities of TPM, the log of all boot measured components remains out of the reach of any malware. -By attesting a trusted boot state, devices can prove that they are not running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. +After the devices attest a trusted boot state, they can prove that they aren't running low-level malware that could spoof later compliance checks. TPM-based health attestation provides a reliable anchor of trust for assets that contain high-value data. ### What is the concept of device health? @@ -359,7 +359,7 @@ However, the use of traditional malware prevention technologies like antimalware The definition of device compliance will vary based on an organization’s installed antimalware, device configuration settings, patch management baseline, and other security requirements. But health of the device is part of the overall device compliance policy. -The health of the device isn't binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by leveraging trustworthy hardware TPM. +The health of the device isn't binary and depends on the organization’s security implementation. The Health Attestation Service provides information back to the MDM on which security features are enabled during the boot of the device by using trustworthy hardware TPM. But health attestation only provides information, which is why an MDM solution is needed to take and enforce a decision. @@ -367,7 +367,7 @@ But health attestation only provides information, which is why an MDM solution i In Windows 10, health attestation refers to a feature where Measured Boot data generated during the boot process is sent to a remote device health attestation service operated by Microsoft. -This is the most secure approach available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. +This approach is the most secure one available for Windows 10-based devices to detect when security defenses are down. During the boot process, the TCG log and PCRs' values are sent to a remote Microsoft cloud service. Logs are then checked by the Health Attestation Service to determine what changes have occurred on the device. A relying party like an MDM can inspect the report generated by the remote health attestation service. @@ -378,7 +378,7 @@ Windows 10 supports health attestation scenarios by allowing applications access Remote device health attestation combined with an MDM provides a hardware-rooted method for reporting the current security status and detecting any changes, without having to trust the software running on the system. -In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. That's why it's important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. +In the case where malicious code is running on the device, the use of a remote server is required. If a rootkit is present on the device, the antimalware is no longer reliable, and its behavior can be hijacked by a malicious code running early in the startup sequence. This reason is what makes it important to use Secure Boot and Device Guard, to control which code is loaded during the boot sequence. The antimalware software can search to determine whether the boot sequence contains any signs of malware, such as a rootkit. It can also send the TCG log and the PCRs to a remote health attestation server to provide a separation between the measurement component and the verification component. @@ -386,7 +386,7 @@ Health attestation logs the measurements in various TPM Platform Configuration R :::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png"::: -When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. +When you start a device equipped with TPM, a measurement of different components is performed. These components include firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log. :::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png"::: @@ -398,7 +398,7 @@ The health attestation process works as follows: 4. Windows kernel is measured. 5. Antivirus software is started as the first kernel mode driver. 6. Boot start drivers are measured. -7. MDM server through the MDM agent issues a health check command by leveraging the Health Attestation CSP. +7. MDM server through the MDM agent issues a health check command by using the Health Attestation CSP. 8. Boot measurements are validated by the Health Attestation Service > [!NOTE] @@ -432,7 +432,7 @@ In a simplified manner, the TPM is a passive component with limited resources. I A TPM incorporates in a single component: -- A RSA 2048-bit key generator +- An RSA 2048-bit key generator - A random number generator - Nonvolatile memory for storing EK, SRK, and AIK keys - A cryptographic engine to encrypt, decrypt, and sign @@ -442,7 +442,7 @@ A TPM incorporates in a single component: The TPM has an embedded unique cryptographic key called the endorsement key. The TPM endorsement key is a pair of asymmetric keys (RSA size 2048 bits). -The endorsement key public key is generally used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. +The endorsement key public key is used for sending securely sensitive parameters, such as when taking possession of the TPM that contains the defining hash of the owner password. The EK private key is used when creating secondary keys like AIKs. The endorsement key acts as an identity card for the TPM. For more information, see [Understand the TPM endorsement key](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770443(v=ws.11)). @@ -467,16 +467,16 @@ Because the endorsement certificate is unique for each device and doesn't change The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations. -Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft +Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft is hosting a cloud service called Microsoft Cloud CA to establish cryptographically that it's communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10-based device. -Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this isn't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. +Many existing devices that will upgrade to Windows 10 won't have a TPM, or the TPM won't contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates aren't issued by Microsoft Cloud CA. These certificates aren't as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM. -In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that isn't backed by an endorsement certificate. +In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be used by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that isn't backed by an endorsement certificate. ### Storage root key -The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048 bits length). The SRK has a major role and is used to protect TPM keys, so that these keys cannot be used without the TPM. The SRK key is created when the ownership of the TPM is taken. +The storage root key (SRK) is also an asymmetric key pair (RSA with a minimum of 2048-bits length). The SRK has a major role and is used to protect TPM keys, so that these keys can't be used without the TPM. The SRK key is created when the ownership of the TPM is taken. ### Platform Configuration Registers @@ -484,19 +484,19 @@ The TPM contains a set of registers that are designed to provide a cryptographic The measurement of the boot sequence is based on the PCR and TCG log. To establish a static root of trust, when the device is starting, the device must be able to measure the firmware code before execution. In this case, the Core Root of Trust for Measurement (CRTM) is executed from the boot, calculates the hash of the firmware, then stores it by expanding the register PCR\[0\] and transfers execution to the firmware. -PCRs are set to zero when the platform is booted, and it is the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured. +PCRs are set to zero when the platform is booted, and it's the job of the firmware that boots the platform to measure components in the boot chain and to record the measurements in the PCRs. Typically, boot components take the hash of the next component that is to be run and record the measurements in the PCRs. The initial component that starts the measurement chain is implicitly trusted. This component is the CRTM. Platform manufacturers are required to have a secure update process for the CRTM or not permit updates to it. The PCRs record a cumulative hash of the components that have been measured. -The value of a PCR on its own is hard to interpret (it is just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log hasn't been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log. +The value of a PCR on its own is hard to interpret (it's just a hash value), but platforms typically keep a log with details of what has been measured, and the PCRs merely ensure that the log hasn't been tampered with. The logs are referred as a TCG log. Each time a register PCR is extended, an entry is added to the TCG log. Thus, throughout the boot process, a trace of the executable code and configuration data is created in the TCG log. ### TPM provisioning -For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs somewhat based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. +For the TPM of a Windows 10-based device to be usable, it must first be provisioned. The process of provisioning differs based on TPM versions, but, when successful, it results in the TPM being usable and the owner authorization data (ownerAuth) for the TPM being stored locally on the registry. When the TPM is provisioned, Windows 10 will first attempt to determine the EK and locally stored **ownerAuth** values by looking in the registry at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Endorsement** During the provisioning process, the device may need to be restarted. -Note that the **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM. +The **Get-TpmEndorsementKeyInfo PowerShell** cmdlet can be used with administrative privilege to get information about the endorsement key and certificates of the TPM. If the TPM ownership isn't known but the EK exists, the client library will provision the TPM and will store the resulting **ownerAuth** value into the registry if the policy allows it will store the SRK public portion at the following location: **HKLM\\SYSTEM\\CurrentControlSet\\Services\\TPM\\WMI\\Admin\\SRKPub** @@ -510,16 +510,16 @@ As part of the provisioning process, Windows 10 will create an AIK with the TPM. Windows 10 contains a configuration service provider (CSP) specialized for interacting with the health attestation feature. A CSP is a component that plugs into the Windows MDM client and provides a published protocol for how MDM servers can configure settings and manage Windows-based devices. The management protocol is represented as a tree structure that can be specified as URIs with functions to perform on the URIs such as “get”, “set”, “delete”, and so on. -The following is a list of functions performed by the Windows 10 Health Attestation CSP: +The following list is that of the functions performed by the Windows 10 Health Attestation CSP: - Collects data that is used to verify a device’s health status - Forwards the data to the Health Attestation Service - Provisions the Health Attestation Certificate that it receives from the Health Attestation Service - Upon request, forwards the Health Attestation Certificate (received from the Health Attestation Service) and related runtime information to the MDM server for verification -During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs values that are measured during the boot, by using a secure communication channel to the Health Attestation Service. +During a health attestation session, the Health Attestation CSP forwards the TCG logs and PCRs' values that are measured during the boot, by using a secure communication channel to the Health Attestation Service. -When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device did not reboot between the time that it attested its health and the time that the MDM server validated it. +When an MDM server validates that a device has attested to the Health Attestation Service, it will be given a set of statements and claims about how that device booted, with the assurance that the device didn't reboot between the time that it attested its health and the time that the MDM server validated it. ### Windows Health Attestation Service @@ -530,8 +530,8 @@ The role of Windows Health Attestation Service is essentially to evaluate a set Checking that a TPM attestation and the associated log are valid takes several steps: -1. First, the server must check that the reports are signed by **trustworthy AIKs**. This might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. -2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it is a **valid signature over PCR values**. +1. First, the server must check that the reports are signed by **trustworthy AIKs**. This verification might be done by checking that the public part of the AIK is listed in a database of assets, or perhaps that a certificate has been checked. +2. After the key has been checked, the signed attestation (a quote structure) should be checked to see whether it's a **valid signature over PCR values**. 3. Next the logs should be checked to ensure that they match the PCR values reported. 4. Finally, the logs themselves should be examined by an MDM solution to see whether they represent **known or valid security configurations**. For example, a simple check might be to see whether the measured early OS components are known to be good, that the ELAM driver is as expected, and that the ELAM driver policy file is up to date. If all of these checks succeed, an attestation statement can be issued that later can be used to determine whether or not the client should be granted access to a resource. @@ -554,15 +554,15 @@ The following table presents some key items that can be reported back to MDM dep |--- |--- | |Windows 10 for desktop editions|

  • PCR0 measurement
  • Secure Boot Enabled
  • Secure Boot db matches Expected
  • Secure Boot dbx is up to date
  • Secure Boot policy GUID matches Expected
  • BitLocker enabled
  • Virtualization-based security enabled
  • ELAM was loaded
  • Code Integrity version is up to date
  • Code Integrity policy hash matches Expected| -### Leverage MDM and the Health Attestation Service +### Use MDM and the Health Attestation Service To make device health relevant, the MDM solution evaluates the device health report and is configured to the organization’s device health requirements. -A solution that leverages MDM and the Health Attestation Service consists of three main parts: +A solution that uses MDM and the Health Attestation Service consists of three main parts: -1. A device with health attestation enabled. This will usually be done as a part of enrollment with an MDM provider (health attestation will be disabled by default). -2. After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. -3. At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. +1. A device with health attestation enabled. This enablement will be done as a part of enrollment with an MDM provider (health attestation will be disabled by default). +2. After this service is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return. +3. At any point after this cycle, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested. :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png"::: @@ -587,14 +587,14 @@ Interaction between a Windows 10-based device, the Health Attestation Service, a > [!NOTE] > The MDM server (relying party) never performs the quote or boot counter validation itself. It gets the quoted data and the health blob (which is encrypted) and sends the data to the Health Attestation Service for validation. This way, the AIK is never visible to the MDM, which thereby addresses privacy concerns. -Setting the requirements for device compliance is the first step to ensure that registered devices that do not meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. +Setting the requirements for device compliance is the first step to ensure that registered devices that don't meet health and compliance requirements are detected, tracked, and have actions enforced by the MDM solution. Devices that attempt to connect to resources must have their health evaluated so that unhealthy and noncompliant devices can be detected and reported. To be fully efficient, an end-to-end security solution must impose a consequence for unhealthy devices like refusing access to high-value assets. -That is the purpose of conditional access control, which is detailed in the next section. +That consequence for an unhealthy device is the purpose of conditional access control, which is detailed in the next section. ## Control the security of a Windows 10-based device before access is granted -Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know very little about. Perhaps there is some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? +Today’s access control technology, in most cases, focuses on ensuring that the right people get access to the right resources. If users can authenticate, they get access to resources using a device that the organization’s IT staff and systems know little about. Perhaps there's some check such as ensuring that a device is encrypted before giving access to email, but what if the device is infected with malware? The remote device health attestation process uses measured boot data to verify the health status of the device. The health of the device is then available for an MDM solution like Intune. @@ -605,18 +605,18 @@ The figure below shows how the Health Attestation Service is expected to work wi :::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png"::: -An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the +An MDM solution can then use health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the firewall is running, and the devices patch state is compliant. Finally, resources can be protected by denying access to endpoints that are unable to prove they’re healthy. This feature is much needed for BYOD devices that need to access organizational resources. ### Built-in support of MDM in Windows 10 -Windows 10 has an MDM client that ships as part of the operating system. This enables MDM servers to manage Windows 10-based devices without requiring a separate agent. +Windows 10 has an MDM client that ships as part of the operating system. This MDM client enables MDM servers to manage Windows 10-based devices without requiring a separate agent. ### Third-party MDM server support -Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For additional information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). +Third-party MDM servers can manage Windows 10 by using the MDM protocol. The built-in management client is able to communicate with a compatible server that supports the OMA-DM protocol to perform enterprise management tasks. For more information, see [Azure Active Directory integration with MDM](/windows/client-management/mdm/azure-active-directory-integration-with-mdm). > [!NOTE] > MDM servers do not need to create or download a client to manage Windows 10. For more information, see [Mobile device management](/windows/client-management/mdm/). @@ -625,7 +625,7 @@ The third-party MDM server will have the same consistent first-party user experi ### Management of Windows Defender by third-party MDM -This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they are familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. +This management infrastructure makes it possible for IT pros to use MDM-capable products like Intune, to manage health attestation, Device Guard, or Windows Defender on Windows 10-based devices, including BYODs that aren’t domain joined. IT pros will be able to manage and configure all of the actions and settings they're familiar with customizing by using Intune with Intune Endpoint Protection on down-level operating systems. Admins that currently only manage domain joined devices through Group Policy will find it easy to transition to managing Windows 10-based devices by using MDM because many of the settings and actions are shared across both mechanisms. For more information on how to manage Windows 10 security and system settings with an MDM solution, see [Custom URI settings for Windows 10 devices](/mem/intune/configuration/custom-settings-windows-10). @@ -641,10 +641,10 @@ If the device isn't registered, the user will get a message with instructions on ### Office 365 conditional access control -Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include additional +Azure AD enforces conditional access policies to secure access to Office 365 services. A tenant admin can create a conditional access policy that blocks a user on a non-compliant device from accessing an Office 365 service. The user must conform to the company’s device policies before access can be granted to the service. Alternately, the admin can also create a policy that requires users to just enroll their devices to gain access to an Office 365 service. Policies may be applied to all users of an organization, or limited to a few target groups and enhanced over time to include more target groups. -When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that do not have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services. +When a user requests access to an Office 365 service from a supported device platform, Azure AD authenticates the user and device from which the user launches the request; and grants access to the service only when the user conforms to the policy set for the service. Users that don't have their device enrolled are given remediation instructions on how to enroll and become compliant to access corporate Office 365 services. When a user enrolls, the device is registered with Azure AD, and enrolled with a compatible MDM solution like Intune. @@ -676,9 +676,9 @@ To get to a compliant state, the Windows 10-based device needs to: ### Cloud and on-premises apps conditional access control -Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's logon to make real-time decisions about which applications they should be allowed to access. +Conditional access control is a powerful policy evaluation engine built into Azure AD. It gives IT pros an easy way to create access rules beyond Office 365 that evaluate the context of a user's sign in to make real-time decisions about which applications they should be allowed to access. -IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD leverage the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access. +IT pros can configure conditional access control policies for cloud SaaS applications secured by Azure AD and even on-premises applications. Access rules in Azure AD use the conditional access engine to check device health and compliance state reported by a compatible MDM solution like Intune in order to determine whether to allow access. For more information about conditional access, see [Azure Conditional Access Preview for SaaS Apps.](/azure/active-directory/authentication/tutorial-enable-azure-mfa) @@ -694,14 +694,14 @@ For on-premises applications there are two options to enable conditional access The following process describes how Azure AD conditional access works: -1. User has already enrolled with MDM through Workplace Access/Azure AD join which registers device with Azure AD. +1. User has already enrolled with MDM through Workplace Access/Azure AD join, which registers device with Azure AD. 2. When the device boots or resumes from hibernate, a task “Tpm-HASCertRetr” is triggered to request in background a health attestation blob. Device sends TPM boot measurements to the Health Attestation Service. 3. Health Attestation Service validates device state and issues an encrypted blob to the device based on the health state with details on failed checks (if any). 4. User logs on and the MDM agent contacts the Intune/MDM server. 5. MDM server pushes down new policies if available and queries health blob state and other inventory state. 6. Device sends a health attestation blob previously acquired and also the value of the other state inventory requested by the Intune/MDM server. 7. Intune/MDM server sends the health attestation blob to Health Attestation Service to be validated. -8. Health Attestation Service validates that the device which sent the health attestation blob is healthy, and returns this result to Intune/MDM server. +8. Health Attestation Service validates that the device that sent the health attestation blob is healthy, and returns this result to Intune/MDM server. 9. Intune/MDM server evaluates compliance based on the compliance and the queried inventory/health attestation state from device. 10. Intune/MDM server updates compliance state against device object in Azure AD. 11. User opens app, attempts to access a corporate managed asset. @@ -711,11 +711,11 @@ The following process describes how Azure AD conditional access works: For more information about Azure AD join, see [Azure AD & Windows 10: Better Together for Work or School](https://go.microsoft.com/fwlink/p/?LinkId=691619), a white paper. -Conditional access control is a topic that many organizations and IT pros may not know and they should. The different attributes that describe a user, a device, compliance, and context of access are very powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. +Conditional access control is a topic that many organizations and IT pros may not know and they should. The different attributes that describe a user, a device, compliance, and context of access are powerful when used with a conditional access engine. Conditional access control is an essential step that helps organizations secure their environment. ## Takeaways and summary -The following list contains high-level key take-aways to improve the security posture of any organization. However, the few take-aways presented in this section should not be interpreted as an exhaustive list of security best practices. +The following list contains high-level key takeaways to improve the security posture of any organization. However, the few takeaways presented in this section shouldn't be interpreted as an exhaustive list of security best practices. - **Understand that no solution is 100 percent secure** @@ -735,7 +735,7 @@ The following list contains high-level key take-aways to improve the security po - **Sign Device Guard policy** - Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard subsequently is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy. + Signed Device Guard policy helps protect against a user with administrator privileges trying to defeat the current policy. When a policy is signed, the only way to modify Device Guard later is to provide a new version of the policy signed by the same signer or from a signer specify as part of the Device Guard policy. - **Use virtualization-based security** @@ -751,11 +751,11 @@ The following list contains high-level key take-aways to improve the security po - **Use AppLocker when it makes sense** - Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows apps for a specific user or a group of users. + Although AppLocker isn't considered a new Device Guard feature, it complements Device Guard functionality for some scenarios like being able to deny a specific Universal Windows application for a specific user or a group of users. - **Lock down firmware and configuration** - After Windows 10 is installed, lock down firmware boot options access. This prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. + After Windows 10 is installed, lock down firmware boot options access. This lockdown prevents a user with physical access from modifying UEFI settings, disabling Secure Boot, or booting other operating systems. Also, in order to protect against an administrator trying to disable Device Guard, add a rule in the current Device Guard policy that will deny and block execution of the **C:\\Windows\\System32\\SecConfig.efi** tool. Health attestation is a key feature of Windows 10 that includes client and cloud components to control access to high-value assets based on a user and their device’s identity and compliance with corporate governance policy. Organizations can choose to detect and report unhealthy devices, or to configure health enforcement rules based on their needs. Health attestation provides an end-to-end security model and integration points, which vendors and software developers can use to build and integrate a customized solution. diff --git a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md index da17209420..1948922041 100644 --- a/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/access-this-computer-from-the-network.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by a number of network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). +The **Access this computer from the network** policy setting determines which users can connect to the device from the network. This capability is required by many network protocols, including Server Message Block (SMB)-based protocols, NetBIOS, Common Internet File System (CIFS), and Component Object Model Plus (COM+). Users, devices, and service accounts gain or lose the **Access this computer from network** user right by being explicitly or implicitly added or removed from a security group that has been granted this user right. For example, a user account or a machine account may be explicitly added to a custom security group or a built-in security group, or it may be implicitly added by Windows to a computed security group such as Domain Users, Authenticated Users, or Enterprise Domain Controllers. By default, user accounts and machine accounts are granted the **Access this computer from network** user right when computed groups such as Authenticated Users, and for domain controllers, the Enterprise Domain Controllers group, are defined in the default domain controllers Group Policy Object (GPO). @@ -47,7 +47,7 @@ Constant: SeNetworkLogonRight - On desktop devices or member servers, grant this right only to users and administrators. - On domain controllers, grant this right only to authenticated users, enterprise domain controllers, and administrators. - On failover clusters, make sure this right is granted to authenticated users. -- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you have verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. +- This setting includes the **Everyone** group to ensure backward compatibility. Upon Windows upgrade, after you've verified that all users and groups are correctly migrated, you should remove the **Everyone** group and use the **Authenticated Users** group instead. ### Location @@ -68,13 +68,13 @@ The following table lists the actual and effective default policy values for the ## Policy management -When modifying this user right, the following actions might cause users and services to experience network access issues: +When you modify this user right, the following actions might cause users and services to experience network access issues: - Removing the Enterprise Domain Controllers security group - Removing the Authenticated Users group or an explicit group that allows users, computers, and service accounts the user right to connect to computers over the network - Removing all user and machine accounts -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -95,20 +95,20 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users who can connect from their device to the network can access resources on target devices for which they have permission. For example, the **Access this computer from the network** user right is required for users to connect to shared printers and folders. If this user right is assigned to the **Everyone** group, anyone in the group can read the files in those shared folders. This situation is unlikely because the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 do not include the **Everyone** group. However, if a device is upgraded and the original device includes the **Everyone** group as part of its defined users and groups, that group is transitioned as part of the upgrade process and is present on the device. +Users who can connect from their device to the network can access resources on target devices for which they have permission. For example, the **Access this computer from the network** user right is required for users to connect to shared printers and folders. If this user right is assigned to the **Everyone** group, anyone in the group can read the files in those shared folders. This situation is unlikely because the groups created by a default installation of at least Windows Server 2008 R2 or Windows 7 don't include the **Everyone** group. However, if a device is upgraded and the original device includes the **Everyone** group as part of its defined users and groups, that group is transitioned as part of the upgrade process and is present on the device. ### Countermeasure -Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who log on to the domain can access resources that are shared +Restrict the **Access this computer from the network** user right to only those users and groups who require access to the computer. For example, if you configure this policy setting to the **Administrators** and **Users** groups, users who sign in to the domain can access resources that are shared from servers in the domain if members of the **Domain Users** group are included in the local **Users** group. > **Note** If you are using IPsec to help secure network communications in your organization, ensure that a group that includes machine accounts is given this right. This right is required for successful computer authentication. Assigning this right to **Authenticated Users** or **Domain Computers** meets this requirement. ### Potential impact -If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can log on to the domain or use network resources. If you remove this user right on member servers, users cannot connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to additional accounts that are required by those components. It is important to verify that authorized users are assigned this user right for the devices that they need to access the network. +If you remove the **Access this computer from the network** user right on domain controllers for all users, no one can sign in to the domain or use network resources. If you remove this user right on member servers, users can't connect to those servers through the network. If you have installed optional components such as ASP.NET or Internet Information Services (IIS), you may need to assign this user right to other accounts that are required by those components. It's important to verify that authorized users are assigned this user right for the devices that they need to access the network. -If running Windows Server or Azure Stack HCI Failover Clustering, do not remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR is not a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service will not have sufficient rights to function or start properly. +If running Windows Server or Azure Stack HCI Failover Clustering, don't remove Authenticated Users from the Access this computer from the network policy setting. Doing so may induce an unexpected production outage. This outage is due to the local user account CLIUSR that is used to run the cluster service. CLIUSR isn't a member of the local Administrators group and if the Authenticated Users group is removed, the cluster service won't have sufficient rights to function or start properly. ## Related topics [User Rights Assignment](user-rights-assignment.md) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md index 5111f06fe9..3aff3ac62f 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-duration.md @@ -37,7 +37,7 @@ This policy setting is dependent on the **Account lockout threshold** policy set If [Account lockout threshold](account-lockout-threshold.md) is configured, after the specified number of failed attempts, the account will be locked out. If the **Account lockout duration** is set to 0, the account will remain locked until an administrator unlocks it manually. -It is advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0. +It's advisable to set **Account lockout duration** to approximately 15 minutes. To specify that the account will never be locked out, set the **Account lockout threshold** value to 0. ### Location @@ -58,11 +58,11 @@ The following table lists the actual and effective default policy values. Defaul ## Security considerations -More than a few unsuccessful password submissions during an attempt to log on to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track logon attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached. +More than a few unsuccessful password submissions during an attempt to sign in to a computer might represent an attacker's attempts to determine an account password by trial and error. The Windows and Windows Server operating systems can track sign-in attempts, and you can configure the operating system to disable the account for a preset period of time after a specified number of failed attempts. Account lockout policy settings control the threshold for this response and what action to take after the threshold is reached. ### Vulnerability -A denial-of-service (DoS) condition can be created if an attacker abuses the [Account lockout threshold](account-lockout-threshold.md) policy setting and repeatedly attempts to log on with a specific account. After you configure the Account lockout threshold policy setting, the account will be locked out after the specified number of failed attempts. If you configure the **Account lockout duration** policy setting to 0, the account remains locked until you unlock it manually. +A denial-of-service (DoS) condition can be created if an attacker abuses the [Account lockout threshold](account-lockout-threshold.md) policy setting and repeatedly attempts to sign in with a specific account. After you configure the Account lockout threshold policy setting, the account will be locked out after the specified number of failed attempts. If you configure the **Account lockout duration** policy setting to 0, the account remains locked until you unlock it manually. ### Countermeasure @@ -70,7 +70,7 @@ Configure the **Account lockout duration** policy setting to an appropriate valu ### Potential impact -Configuring the **Account lockout duration** policy setting to 0 so that accounts cannot be automatically unlocked can increase the number of requests that your organization's Help Desk receives to unlock accounts that were locked by mistake. +Configuring the **Account lockout duration** policy setting to 0 so that accounts can't be automatically unlocked can increase the number of requests that your organization's Help Desk receives to unlock accounts that were locked by mistake. ## Related topics diff --git a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md index f1ca17ad61..1a2434ffeb 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md @@ -54,7 +54,7 @@ The Security Compliance Toolkit consists of: - GPO to Policy Rules -You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more details about security baseline recommendations, see the [Microsoft Security Guidance blog](/archive/blogs/secguide/). +You can [download the tools](https://www.microsoft.com/download/details.aspx?id=55319) along with the baselines for the relevant Windows versions. For more information about security baseline recommendations, see the [Microsoft Security Guidance blog](/archive/blogs/secguide/). ## What is the Policy Analyzer tool? @@ -64,7 +64,7 @@ The Policy Analyzer is a utility for analyzing and comparing sets of Group Polic - Compare GPOs against current local policy and local registry settings - Export results to a Microsoft Excel spreadsheet -Policy Analyzer lets you treat a set of GPOs as a single unit. This makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. +Policy Analyzer lets you treat a set of GPOs as a single unit. This treatment makes it easy to determine whether particular settings are duplicated across the GPOs or are set to conflicting values. Policy Analyzer also lets you capture a baseline and then compare it to a snapshot taken at a later time to identify changes anywhere across the set. More information on the Policy Analyzer tool can be found on the [Microsoft Security Guidance blog](/archive/blogs/secguide/new-tool-policy-analyzer) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). @@ -72,7 +72,7 @@ More information on the Policy Analyzer tool can be found on the [Microsoft Secu LGPO.exe is a command-line utility that is designed to help automate management of Local Group Policy. Using local policy gives administrators a simple way to verify the effects of Group Policy settings, and is also useful for managing non-domain-joined systems. -LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, as well as from formatted “LGPO text” files. +LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files, security templates, Advanced Auditing backup files, and from formatted “LGPO text” files. It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. From b58faec4dd9f663a57168b7be26263ec34be6bfc Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Wed, 22 Jun 2022 18:41:54 +0530 Subject: [PATCH 04/77] Acrolinx Enhancement Effort --- .../account-lockout-threshold.md | 26 +++++++++---------- .../account-policies.md | 2 +- .../accounts-administrator-account-status.md | 22 ++++++++-------- .../accounts-block-microsoft-accounts.md | 22 ++++++++-------- .../accounts-guest-account-status.md | 10 +++---- ...f-blank-passwords-to-console-logon-only.md | 18 ++++++------- .../accounts-rename-administrator-account.md | 10 +++---- .../accounts-rename-guest-account.md | 6 ++--- .../act-as-part-of-the-operating-system.md | 12 ++++----- .../add-workstations-to-domain.md | 16 ++++++------ 10 files changed, 72 insertions(+), 72 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md index fdbdef8e1e..7140cd3752 100644 --- a/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/account-lockout-threshold.md @@ -27,26 +27,26 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account cannot be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md). +The **Account lockout threshold** policy setting determines the number of failed sign-in attempts that will cause a user account to be locked. A locked account can't be used until you reset it or until the number of minutes specified by the [Account lockout duration](account-lockout-duration.md) policy setting expires. You can set a value from 1 through 999 failed sign-in attempts, or you can specify that the account will never be locked by setting the value to 0. If **Account lockout threshold** is set to a number greater than zero, **Account lockout duration** must be greater than or equal to the value of [Reset account lockout counter after](reset-account-lockout-counter-after.md). Brute force password attacks can be automated to try thousands or even millions of password combinations for any or all user accounts. Limiting the number of failed sign-ins that can be performed nearly eliminates the effectiveness of such attacks. -However, it is important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account. +However, it's important to note that a denial-of-service (DoS) attack could be performed on a domain that has an account lockout threshold configured. A malicious user could programmatically attempt a series of password attacks against all users in the organization. If the number of attempts is greater than the value of **Account lockout threshold**, the attacker could potentially lock every account. Failed attempts to unlock a workstation can cause account lockout even if the [Interactive logon: Require Domain Controller authentication to unlock workstation](interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md) security option is disabled. Windows doesn’t need to contact a domain controller for an unlock if you enter the same password that you logged on with, but if you enter a different password, Windows has to contact a domain controller in case you had changed your password from another machine. ### Possible values -It is possible to configure the following values for the **Account lockout threshold** policy setting: +It's possible to configure the following values for the **Account lockout threshold** policy setting: - A user-defined number from 0 through 999 - Not defined -Because vulnerabilities can exist when this value is configured and when it is not, organizations should weigh their identified threats and the risks that they are trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article. +Because vulnerabilities can exist when this value is configured and when it's not, organizations should weigh their identified threats and the risks that they're trying to mitigate. For information these settings, see [Countermeasure](#bkmk-countermeasure) in this article. ### Best practices The threshold that you select is a balance between operational efficiency and security, and it depends on your organization's risk level. To allow for user error and to thwart brute force attacks, [Windows security baselines](../windows-security-baselines.md) recommend a value of 10 could be an acceptable starting point for your organization. -As with other account lockout settings, this value is more of a guideline than a rule or best practice because there is no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). +As with other account lockout settings, this value is more of a guideline than a rule or best practice because there's no "one size fits all." For more information, see [Configuring Account Lockout](/archive/blogs/secguide/configuring-account-lockout). Implementation of this policy setting is dependent on your operational environment; threat vectors, deployed operating systems, and deployed apps. For more information, see [Implementation considerations](#bkmk-impleconsiderations) in this article. @@ -73,7 +73,7 @@ This section describes features and tools that are available to help you manage ### Restart requirements -None. Changes to this policy setting become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy setting become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Implementation considerations @@ -81,7 +81,7 @@ Implementation of this policy setting depends on your operational environment. C - The likelihood of an account theft or a DoS attack is based on the security design for your systems and environment. Set the account lockout threshold in consideration of the known and perceived risk of those threats. -- When negotiating encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. +- When there's a negotiation of encryption types between clients, servers, and domain controllers, the Kerberos protocol can automatically retry account sign-in attempts that count toward the threshold limits that you set in this policy setting. In environments where different versions of the operating system are deployed, encryption type negotiation increases. - Not all apps that are used in your environment effectively manage how many times a user can attempt to sign in. For instance, if a connection drops repeatedly when a user is running the app, all subsequent failed sign-in attempts count toward the account lockout threshold. @@ -105,24 +105,24 @@ However, a DoS attack could be performed on a domain that has an account lockout ### Countermeasure -Because vulnerabilities can exist when this value is configured and when it is not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are: +Because vulnerabilities can exist when this value is configured and when it's not configured, two distinct countermeasures are defined. Organizations should weigh the choice between the two, based on their identified threats and the risks that they want to mitigate. The two countermeasure options are: -- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts will not be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users cannot accidentally lock themselves out of their accounts. Because it does not prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: +- Configure the **Account lockout threshold** setting to 0. This configuration ensures that accounts won't be locked, and it will prevent a DoS attack that intentionally attempts to lock accounts. This configuration also helps reduce Help Desk calls because users can't accidentally lock themselves out of their accounts. Because it doesn't prevent a brute force attack, this configuration should be chosen only if both of the following criteria are explicitly met: - The password policy setting requires all users to have complex passwords of eight or more characters. - A robust audit mechanism is in place to alert administrators when a series of failed sign-ins occurs in the environment. - Configure the **Account lockout threshold** policy setting to a sufficiently high value to provide users with the ability to accidentally mistype their password several times before the account is locked, but ensure that a brute force password attack still locks the account. - [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but does not prevent a DoS attack. + [Windows security baselines](../windows-security-baselines.md) recommend configuring a threshold of 10 invalid sign-in attempts, which prevents accidental account lockouts and reduces the number of Help Desk calls, but doesn't prevent a DoS attack. - Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it is needed to help mitigate massive lockouts caused by an attack on your systems. + Using this type of policy must be accompanied by a process to unlock locked accounts. It must be possible to implement this policy whenever it's needed to help mitigate massive lockouts caused by an attack on your systems. ### Potential impact -If this policy setting is enabled, a locked account is not usable until it is reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate a number of additional Help Desk calls. +If this policy setting is enabled, a locked account isn't usable until it's reset by an administrator or until the account lockout duration expires. Enabling this setting will likely generate many more Help Desk calls. -If you configure the **Account lockout threshold** policy setting to 0, there is a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place. +If you configure the **Account lockout threshold** policy setting to 0, there's a possibility that a malicious user's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism isn't in place. If you configure this policy setting to a number greater than 0, an attacker can easily lock any accounts for which the account name is known. This situation is especially dangerous considering that no credentials other than access to the network are necessary to lock the accounts. diff --git a/windows/security/threat-protection/security-policy-settings/account-policies.md b/windows/security/threat-protection/security-policy-settings/account-policies.md index d3f03a9e97..6fe7c4fe77 100644 --- a/windows/security/threat-protection/security-policy-settings/account-policies.md +++ b/windows/security/threat-protection/security-policy-settings/account-policies.md @@ -29,7 +29,7 @@ All account policies settings applied by using Group Policy are applied at the d > [!NOTE] > Each domain can have only one account policy. The account policy must be defined in the default domain policy or in a new policy that is linked to the root of the domain and given precedence over the default domain policy, which is enforced by the domain controllers in the domain. These domain-wide account policy settings (Password Policy, Account Lockout Policy, and Kerberos Policy) are enforced by the domain controllers in the domain; therefore, domain controllers always retrieve the values of these account policy settings from the default domain policy Group Policy Object (GPO). -The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users log on to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where neither an OU account policy nor a domain policy applies. +The only exception is when another account policy is defined for an organizational unit (OU). The account policy settings for the OU affect the local policy on any computers that are contained in the OU. For example, if an OU policy defines a maximum password age that differs from the domain-level account policy, the OU policy will be applied and enforced only when users sign in to the local computer. The default local computer policies apply only to computers that are in a workgroup or in a domain where both an OU account policy and a domain policy don't apply. ## In this section diff --git a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md index 132ecaa9be..09a0d041d9 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-administrator-account-status.md @@ -37,7 +37,7 @@ The following conditions prevent disabling the Administrator account, even if th 1. Disabled 2. Listed in the [Deny log on locally](deny-log-on-locally.md) User Rights Assignment -If the Administrator account is disabled, you cannot enable it if the password does not meet requirements. In this case, another member of the Administrators group must reset the password. +If the Administrator account is disabled, you can't enable it if the password doesn't meet requirements. In this case, another member of the Administrators group must reset the password. ### Possible values - Enabled @@ -48,7 +48,7 @@ By default, this setting is **Not defined** on domain controllers and **Enabled* ### Best practices -- Disabling the administrator account can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your connection fails for any reason, and there is no other local administrator account, you must restart the computer in safe mode to fix the problem that broke your connection status. +- Disabling the administrator account can become a maintenance issue under certain circumstances. For example, in a domain environment, if the secure channel that constitutes your connection fails for any reason, and there's no other local administrator account, you must restart the computer in safe mode to fix the problem that broke your connection status. ### Location @@ -73,16 +73,16 @@ The following table lists the actual and effective default values for this polic Disabling the administrator account can become a maintenance issue under certain circumstances. Reasons that an organization might consider disabling the built-in administrator account include: - For some organizations, periodically changing the passwords for local accounts can be a daunting management challenge. -- By default, the administrator account cannot be locked—no matter how many failed attempts to sign in a user accrues. This makes it a prime target for brute-force, password-guessing attacks. -- This account has a well-known security identifier (SID). Some non-Microsoft tools allow you to authenticate over the network by specifying the SID rather than the account name. This means that even if you rename the administrator account, a malicious user could start a brute-force attack by using the SID. +- By default, the administrator account can't be locked—no matter how many failed attempts to sign in a user accrue. This open state of the account makes it a prime target for brute-force, password-guessing attacks. +- This account has a well-known security identifier (SID). Some non-Microsoft tools allow you to authenticate over the network by specifying the SID rather than the account name. This authentication approach means that even if you rename the administrator account, a malicious user could start a brute-force attack by using the SID. ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Safe mode considerations -When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account is not enabled. +When you start a device in safe mode, the disabled administrator account is enabled only if the computer is non-domain joined and there are no other active local administrator accounts. In this case, you can access the computer by using safe mode with the current administrative credentials. If the computer is joined to a domain, the disabled administrator account isn't enabled. ### How to access a disabled Administrator account @@ -96,17 +96,17 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The built-in administrator account cannot be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum. +The built-in administrator account can't be locked out no matter how many failed logons it accrues, which makes it a prime target for brute-force attacks that attempt to guess passwords. Also, this account has a well-known security identifier (SID), and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to sign in. All other accounts that are members of the Administrator's group have the safeguard of locking out the account if the number of failed logons exceeds its configured maximum. ### Countermeasure -Disable the **Accounts: Administrator account status** setting so that the built-in Administrator account cannot be used in a normal system startup. -If it is very difficult to maintain a regular schedule for periodic password changes for local accounts, you can disable the built-in administrator account instead of relying on regular password changes to protect it from attack. +Disable the **Accounts: Administrator account status** setting so that the built-in Administrator account can't be used in a normal system startup. +If it's difficult to maintain a regular schedule for periodic password changes for local accounts, you can disable the built-in administrator account instead of relying on regular password changes to protect it from attack. ### Potential impact -Maintenance issues can arise under certain circumstances if you disable the administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there is no other local administrator account, you must restart in safe mode to fix the problem that caused the secure channel to fail. -If the current administrator password does not meet the password requirements, you cannot enable the administrator account after it is disabled. If this situation occurs, another member of the administrators group must set the password on the administrator account. +Maintenance issues can arise under certain circumstances if you disable the administrator account. For example, if the secure channel between a member computer and the domain controller fails in a domain environment for any reason and there's no other local administrator account, you must restart in safe mode to fix the problem that caused the secure channel to fail. +If the current administrator password doesn't meet the password requirements, you can't enable the administrator account after it's disabled. If this situation occurs, another member of the administrators' group must set the password on the administrator account. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md index d390220428..0712c6d50d 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-block-microsoft-accounts.md @@ -27,27 +27,27 @@ Describes the best practices, location, values, management, and security conside ## Reference -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more details, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md). +This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. For more information, see [Microsoft Accounts](../../identity-protection/access-control/microsoft-accounts.md). There are two options if this setting is enabled: -- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). +- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the sign-in screen). However, users can't use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). -- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. +- **Users can’t add or log on with Microsoft accounts** means that users can't add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. -If you disable or do not configure this policy (recommended), users will be able to use Microsoft accounts with Windows. +If you disable or don't configure this policy (recommended), users will be able to use Microsoft accounts with Windows. ### Possible values - This policy is disabled - Users can’t add Microsoft accounts -- Users can’t add or log on with Microsoft accounts +- Users can’t add or sign in with Microsoft accounts -By default, this setting is not defined on domain controllers and disabled on stand-alone servers. +By default, this setting isn't defined on domain controllers and disabled on stand-alone servers. ### Best practices -- By disabling or not configuring this policy setting on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This provides a convenient option for your users. -- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users will not be able to use the **Settings** app to add new connected accounts. +- If this policy setting is disabled or isn't configured on the client computer, users will be able to use their Microsoft account, local account, or domain account for their sign-in session to Windows. It also enables the user to connect a local or domain account to a Microsoft account. This ability to connect provides a convenient option for your users. +- If you need to limit the use of Microsoft accounts in your organization, click the **Users can’t add Microsoft accounts** setting option so that users won't be able to use the **Settings** app to add new connected accounts. ### Location @@ -72,7 +72,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -80,11 +80,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account is not easily distinguishable, auditing and forensics become more difficult. +Although Microsoft accounts are password-protected, they also have the potential of greater exposure outside of the enterprise. Additionally, if the owner of a Microsoft account isn't easily distinguishable, auditing and forensics become more difficult. ### Countermeasure -Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the **Users can’t add Microsoft accounts** setting option so that users will not be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. +Require only domain accounts in your enterprise by limiting the use of Microsoft accounts. Click the **Users can’t add Microsoft accounts** setting option so that users won't be able to create new Microsoft accounts on a device, switch a local account to a Microsoft account, or connect a domain account to a Microsoft account. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md index 6f785de269..a08a78b36e 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-guest-account-status.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, and security considerations for ## Reference The **Accounts: Guest account status** policy setting determines whether the Guest account is enabled or disabled. -This account allows unauthenticated network users to gain access to the system by logging on as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This can lead to the exposure or corruption of data. +This account allows unauthenticated network users to gain access to the system by signing in as a Guest with no password. Unauthorized users can access any resources that are accessible to the Guest account over the network. This privilege means that any network shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group will be accessible over the network. This accessibility can lead to the exposure or corruption of data. ### Possible values @@ -38,7 +38,7 @@ This account allows unauthenticated network users to gain access to the system b ### Best practices -Set **Accounts: Guest account status** to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) is set to **Guest only**, network logons—such as those performed by the SMB Service—will fail. +Set **Accounts: Guest account status** to Disabled so that the built-in Guest account is no longer usable. All network users will have to authenticate before they can access shared resources on the system. If the Guest account is disabled and [Network access: Sharing and security model for local accounts](network-access-sharing-and-security-model-for-local-accounts.md) is set to **Guest only**, network logons—such as those logons performed by the SMB Service—will fail. ### Location @@ -63,15 +63,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The default Guest account allows unauthenticated network users to log on as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data. +The default Guest account allows unauthenticated network users to sign in as a Guest with no password. These unauthorized users could access any resources that are accessible to the Guest account over the network. This capability means that any shared folders with permissions that allow access to the Guest account, the Guests group, or the Everyone group are accessible over the network, which could lead to the exposure or corruption of data. ### Countermeasure -Disable the **Accounts: Guest account status** setting so that the built-in Guest account cannot be used. +Disable the **Accounts: Guest account status** setting so that the built-in Guest account can't be used. ### Potential impact -All network users must be authenticated before they can access shared resources. If you disable the Guest account and the **Network Access: Sharing and Security Model** option is set to **Guest Only**, network logons, such as those performed by the Microsoft Network Server (SMB Service), fail. This policy setting should have little impact on most organizations because it is the default setting starting with Windows Vista and Windows Server 2003. +All network users must be authenticated before they can access shared resources. If you disable the Guest account and the **Network Access: Sharing and Security Model** option is set to **Guest Only**, network logons, such as those performed by the Microsoft Network Server (SMB Service), fail. This policy setting should have little impact on most organizations because it's the default setting starting with Windows Vista and Windows Server 2003. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md index b630cc0ce5..cde8f45d22 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md @@ -29,12 +29,12 @@ Describes the best practices, location, values, and security considerations for The **Accounts: Limit local account use of blank passwords to console logon only** policy setting determines whether remote interactive logons by network services such as Remote Desktop Services, Telnet, and File Transfer Protocol (FTP) are allowed for local accounts that have blank passwords. If this policy setting is enabled, a local account must have a nonblank password to be used to perform an interactive or network logon from a remote client. -This policy setting does not affect interactive logons that are performed physically at the console or logons that use domain accounts. It is possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting. -Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to log on to systems. +This policy setting doesn't affect interactive logons that are performed physically at the console or logons that use domain accounts. It's possible for non-Microsoft applications that use remote interactive logons to bypass this policy setting. +Blank passwords are a serious threat to computer security and they should be forbidden through both corporate policy and suitable technical measures. Nevertheless, if a user with the ability to create new accounts creates one that has bypassed your domain-based password policy settings, that account might have a blank password. For example, a user could build a stand-alone system, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the account name can then use accounts with blank passwords to sign in to systems. -Devices that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can log on by using a user account that does not have a password. This is especially important for portable devices. +Devices that aren't in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the device can sign in by using a user account that doesn't have a password. This policy is especially important for portable devices. -If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. +If you apply this security policy to the Everyone group, no one will be able to sign in through Remote Desktop Services. ### Possible values @@ -44,7 +44,7 @@ If you apply this security policy to the Everyone group, no one will be able to ### Best practices -- It is advisable to set **Accounts: Limit local account use of blank passwords to console logon only** to Enabled. +- It's advisable to set **Accounts: Limit local account use of blank passwords to console logon only** to Enabled. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -77,7 +77,7 @@ The policy as distributed through the GPO takes precedence over the locally conf ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. ## Security considerations @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. Starting with Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to log on. +Blank passwords are a serious threat to computer security, and they should be forbidden through organizational policy and suitable technical measures. From Windows Server 2003, the default settings for Active Directory domains require complex passwords of at least seven characters, and eight characters starting with Windows Server 2008. However, if users with the ability to create new accounts bypass your domain-based password policies, they could create accounts with blank passwords. For example, a user could build a stand-alone computer, create one or more accounts with blank passwords, and then join the computer to the domain. The local accounts with blank passwords would still function. Anyone who knows the name of one of these unprotected accounts could then use it to sign in. ### Countermeasure @@ -93,7 +93,7 @@ Enable the **Accounts: Limit local account use of blank passwords to console log ### Potential impact -None. This is the default configuration. +None. This non-impact behavior is the default configuration. ## Related topics [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md index d865644cf8..4c849e7de5 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account.md @@ -62,7 +62,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -70,7 +70,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. ## Security considerations @@ -78,9 +78,9 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The Administrator account exists on all versions Windows 10 for desktop editions. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Beginning with Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer so this countermeasure is applied by default on new installations. If a device is upgraded from a previous version of Windows, the account with the name administrator is retained with all the rights and privileges that were defined for the account in the previous installation. +The Administrator account exists on all versions Windows 10 for desktop editions. If you rename this account, it's slightly more difficult for unauthorized persons to guess this privileged user name and password combination. Beginning with Windows Vista, the person who installs the operating system specifies an account that is the first member of the Administrator group and has full rights to configure the computer so this countermeasure is applied by default on new installations. If a device is upgraded from a previous version of Windows, the account with the name administrator is retained with all the rights and privileges that were defined for the account in the previous installation. -The built-in administrator account cannot be locked out, regardless of how many times an attacker might use a bad password. This capability makes the administrator account a popular target for brute-force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to log on. +The built-in administrator account can't be locked out, regardless of how many times an attacker might use a bad password. This capability makes the administrator account a popular target for brute-force attacks that attempt to guess passwords. The value of this countermeasure is lessened because this account has a well-known SID, and there are non-Microsoft tools that allow authentication by using the SID rather than the account name. Therefore, even if you rename the Administrator account, an attacker could launch a brute-force attack by using the SID to sign in. ### Countermeasure @@ -88,7 +88,7 @@ Specify a new name in the **Accounts: Rename administrator account** setting to ### Potential impact -You must provide users who are authorized to use this account with the new account name. (The guidance for this setting assumes that the Administrator account was not disabled.) +You must provide users who are authorized to use this account with the new account name. (The guidance for this setting assumes that the Administrator account wasn't disabled.) ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md index 7ce4a682bc..1162ff5210 100644 --- a/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md +++ b/windows/security/threat-protection/security-policy-settings/accounts-rename-guest-account.md @@ -62,7 +62,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -70,7 +70,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local device by using the Local Security Policy snap-in. ## Security considerations @@ -83,7 +83,7 @@ or install software that could be used for a later attack on your system. ### Countermeasure -Specify a new name in the **Accounts: Rename guest account** setting to rename the Guest account. If you rename this account, it is slightly more difficult for unauthorized persons to guess this privileged user name and password combination. +Specify a new name in the **Accounts: Rename guest account** setting to rename the Guest account. If you rename this account, it's slightly more difficult for unauthorized persons to guess this privileged user name and password combination. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md index 4c794419c1..5850036933 100644 --- a/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md +++ b/windows/security/threat-protection/security-policy-settings/act-as-part-of-the-operating-system.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access is not limited to what is associated with the user by default. The calling process may request that arbitrary additional privileges be added to the access token. The calling process may also build an access token that does not provide a primary identity for auditing in the system event logs. +The **Act as part of the operating system** policy setting determines whether a process can assume the identity of any user and thereby gain access to the resources that the user is authorized to access. Typically, only low-level authentication services require this user right. Potential access isn't limited to what is associated with the user by default. The calling process may request that arbitrary extra privileges be added to the access token. The calling process may also build an access token that doesn't provide a primary identity for auditing in the system event logs. Constant: SeTcbPrivilege ### Possible values @@ -35,8 +35,8 @@ Constant: SeTcbPrivilege - Not defined ### Best practices -- Do not assign this right to any user accounts. Only assign this user right to trusted users. -- If a service requires this user right, configure the service to log on by using the local System account, which inherently includes this user right. Do not create a separate account and assign this user right to it. +- Don't assign this right to any user accounts. Only assign this user right to trusted users. +- If a service requires this user right, configure the service to sign in by using the local System account, which inherently includes this user right. Don't create a separate account and assign this user right to it. ### Location @@ -57,7 +57,7 @@ The following table lists the actual and effective default policy values for the ## Policy management -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -77,11 +77,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The **Act as part of the operating system** user right is extremely powerful. Users with this user right can take complete control of the device and erase evidence of their activities. +The **Act as part of the operating system** user right is powerful. Users with this user right can take complete control of the device and erase evidence of their activities. ### Countermeasure -Restrict the **Act as part of the operating system** user right to as few accounts as possible—it should not even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to log on with the Local System account, which inherently includes this privilege. Do not create a separate account and assign this user right to it. +Restrict the **Act as part of the operating system** user right to as few accounts as possible—it shouldn't even be assigned to the Administrators group under typical circumstances. When a service requires this user right, configure the service to sign in with the Local System account, which inherently includes this privilege. Don't create a separate account and assign this user right to it. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md index 8e6a02b8ef..471d8a40ba 100644 --- a/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md +++ b/windows/security/threat-protection/security-policy-settings/add-workstations-to-domain.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management and security c ## Reference -This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to ten workstations to the domain. +This policy setting determines which users can add a device to a specific domain. For it to take effect, it must be assigned so that it applies to at least one domain controller. A user who is assigned this user right can add up to 10 workstations to the domain. Adding a machine account to the domain allows the device to participate in Active Directory-based networking. Constant: SeMachineAccountPrivilege @@ -47,7 +47,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\User Rights Assignm ### Default values -By default, this setting allows access for Authenticated Users on domain controllers, and it is not defined on stand-alone servers. +By default, this setting allows access for Authenticated Users on domain controllers, and it isn't defined on stand-alone servers. The following table lists the actual and effective default policy values for the most recent supported versions of Windows. Default values are also listed on the policy’s property page. @@ -62,11 +62,11 @@ The following table lists the actual and effective default policy values for the ## Policy management -Users can also join a computer to a domain if they have the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they have the **Add workstations to domain** user right. +Users can also join a computer to a domain if they've the Create Computer Objects permission for an organizational unit (OU) or for the Computers container in the directory. Users who are assigned this permission can add an unlimited number of devices to the domain regardless of whether they've the **Add workstations to domain** user right. -Furthermore, machine accounts that are created by means of the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created by means of permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right. +Furthermore, machine accounts that are created through the **Add workstations to domain** user right have Domain Administrators as the owner of the machine account. Machine accounts that are created through permissions on the computer’s container use the creator as the owner of the machine account. If a user has permissions on the container and also has the **Add workstation to domain** user right, the device is added based on the computer container permissions rather than the user right. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -87,8 +87,8 @@ This policy has the following security considerations: ### Vulnerability -The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization does not want its users to have administrative -privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could log on with that account, and then add a personal domain account to the local Administrators group. +The **Add workstations to domain** user right presents a moderate vulnerability. Users with this right could add a device to the domain that is configured in a way that violates organizational security policies. For example, if your organization doesn't want its users to have administrative +privileges on their devices, users could install Windows on their computers and then add the computers to the domain. The user would know the password for the local administrator account, could sign in with that account, and then add a personal domain account to the local Administrators group. ### Countermeasure @@ -96,7 +96,7 @@ Configure this setting so that only authorized members of the IT team are allowe ### Potential impact -For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It does not affect existing computers unless they are removed from and then added to the domain. +For organizations that have never allowed users to set up their own computers and add them to the domain, this countermeasure has no impact. For those organizations that have allowed some or all users to configure their own devices, this countermeasure forces the organization to establish a formal process for these procedures going forward. It doesn't affect existing computers unless they're removed from and then added to the domain. ## Related topics - [User Rights Assignment](user-rights-assignment.md) From d7e7827aeecb3c94faa309055ce61f61f73b36a9 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 23 Jun 2022 12:23:39 +0530 Subject: [PATCH 05/77] Acrolinx Enhancement Effort --- .../administer-security-policy-settings.md | 73 +++++++++---------- ...-log-on-through-remote-desktop-services.md | 20 ++--- ...the-use-of-backup-and-restore-privilege.md | 4 +- ...policy-subcategory-settings-to-override.md | 8 +- ...iately-if-unable-to-log-security-audits.md | 12 +-- .../bypass-traverse-checking.md | 12 +-- .../change-the-system-time.md | 10 +-- .../create-a-pagefile.md | 6 +- .../create-a-token-object.md | 12 +-- .../create-global-objects.md | 10 +-- .../create-symbolic-links.md | 10 +-- ...criptor-definition-language-sddl-syntax.md | 18 ++--- ...criptor-definition-language-sddl-syntax.md | 18 ++--- ...ccess-to-this-computer-from-the-network.md | 10 +-- .../deny-log-on-as-a-batch-job.md | 3 +- 15 files changed, 112 insertions(+), 114 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md index 297de36841..f60583b08c 100644 --- a/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md +++ b/windows/security/threat-protection/security-policy-settings/administer-security-policy-settings.md @@ -28,7 +28,7 @@ This article discusses different methods to administer security policy settings Security policy settings should be used as part of your overall security implementation to help secure domain controllers, servers, client devices, and other resources in your organization. -Security settings policies are rules that you can configure on a device, or multiple devices, for the purpose of protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain. +Security settings policies are rules that you can configure on a device, or multiple devices, for protecting resources on a device or network. The Security Settings extension of the Local Group Policy Editor snap-in (Gpedit.msc) allows you to define security configurations as part of a Group Policy Object (GPO). The GPOs are linked to Active Directory containers such as sites, domains, and organizational units, and they enable administrators to manage security settings for multiple computers from any device joined to the domain. Security settings can control: @@ -83,10 +83,10 @@ The secedit command-line tool works with security templates and provides six pri - The **Configure** parameter helps you resolve security discrepancies between devices by applying the correct security template to the errant server. - The **Analyze** parameter compares the server's security configuration with the selected template. -- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this also. +- The **Import** parameter allows you to create a database from an existing template. The Security Configuration and Analysis tool does this cloning also. - The **Export** parameter allows you to export the settings from a database into a security settings template. -- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This ensures that if the template fails to apply syntax, the template will not be the issue. -- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template will not change access control list entries on files or registry entries that were changed by the most recently applied template. +- The **Validate** parameter allows you to validate the syntax of each or any lines of text that you created or added to a security template. This validation ensures that if the template fails to apply syntax, the template won't be the issue. +- The **Generate Rollback** parameter saves the server's current security settings into a security template so it can be used to restore most of the server's security settings to a known state. The exceptions are that, when applied, the rollback template won't change access control list entries on files or registry entries that were changed by the most recently applied template. ## Using the Security Compliance Manager @@ -107,9 +107,9 @@ SCW is a role-based tool: You can use it to create a policy that enables service The following are considerations for using SCW: - SCW disables unnecessary services and provides Windows Firewall with Advanced Security support. -- Security policies that are created with SCW are not the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those that can be set with SCW. However, it is possible to include a security template in an SCW security policy file. +- Security policies that are created with SCW aren't the same as security templates, which are files with an .inf extension. Security templates contain more security settings than those settings that can be set with SCW. However, it's possible to include a security template in an SCW security policy file. - You can deploy security policies that you create with SCW by using Group Policy. -- SCW does not install or uninstall the features necessary for the server to perform a role. You can install server role-specific features through Server Manager. +- SCW doesn't install or uninstall the features necessary for the server to perform a role. You can install server role-specific features through Server Manager. - SCW detects server role dependencies. If you select a server role, it automatically selects dependent server roles. - All apps that use the IP protocol and ports must be running on the server when you run SCW. - In some cases, you must be connected to the Internet to use the links in the SCW help. @@ -149,20 +149,19 @@ Security Configuration and Analysis is an MMC snap-in for analyzing and configur ### Security analysis -The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This means that a computer may no longer meet the requirements for enterprise security. +The state of the operating system and apps on a device is dynamic. For example, you may need to temporarily change security levels so that you can immediately resolve an administration or network issue. However, this change can often go unreversed. This unreversed state of the changes means that a computer may no longer meet the requirements for enterprise security. Regular analysis enables you to track and ensure an adequate level of security on each computer as part of an enterprise risk management program. You can tune the security levels and, most importantly, detect any security flaws that may occur in the system over time. -Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings do not match the proposed level of security. Security -Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. +Security Configuration and Analysis enables you to quickly review security analysis results. It presents recommendations alongside of current system settings and uses visual flags or remarks to highlight any areas where the current settings don't match the proposed level of security. Security Configuration and Analysis also offers the ability to resolve any discrepancies that analysis reveals. ### Security configuration -Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. This immediately configures the system security with the levels specified in the template. +Security Configuration and Analysis can also be used to directly configure local system security. Through its use of personal databases, you can import security templates that have been created with Security Templates and apply these templates to the local computer. These security templates immediately configure the system security with the levels specified in the template. ### Security templates -With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It is a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in does not introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. +With the Security Templates snap-in for Microsoft Management Console, you can create a security policy for your device or for your network. It's a single point of entry where the full range of system security can be taken into account. The Security Templates snap-in doesn't introduce new security parameters, it simply organizes all existing security attributes into one place to ease security administration. Importing a security template to a Group Policy Object eases domain administration by configuring security for a domain or organizational unit at once. @@ -184,18 +183,18 @@ Security templates can be used to define: - Registry: Permissions for registry keys - File System: Permissions for folders and files -Each template is saved as a text-based .inf file. This enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. +Each template is saved as a text-based .inf file. This file enables you to copy, paste, import, or export some or all of the template attributes. With the exceptions of Internet Protocol security and public key policies, all security attributes can be contained in a security template. ### Security settings extension to Group Policy -Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. +Organizational units, domains, and sites are linked to Group Policy Objects. The security settings tool allows you to change the security configuration of the Group Policy Object, in turn, affecting multiple computers. With security settings, you can modify the security settings of many devices, depending on the Group Policy Object you modify, from just one device joined to a domain. -Security settings or security policies are rules that are configured on a device or multiple device for protecting resources on a device or network. Security settings can control: +Security settings or security policies are rules that are configured on a device or multiple devices for protecting resources on a device or network. Security settings can control: - How users are authenticated to a network or device -- What resources users are authorized to use. -- Whether or not a user's or group's actions are recorded in the event log. -- Group membership. +- What resources users are authorized to use +- Whether or not a user's or group's actions are recorded in the event log +- Group membership You can change the security configuration on multiple computers in two ways: @@ -208,18 +207,18 @@ A security policy is a combination of security settings that affect the security With the local security policy, you can control: -- Who accesses your device. -- What resources users are authorized to use on your device. -- Whether or not a user's or group's actions are recorded in the event log. +- Who accesses your device +- What resources users are authorized to use on your device +- Whether or not a user's or group's actions are recorded in the event log -If your local device is joined to a domain, you are subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you are a member of. If you are getting a policy from more than one source, conflicts are resolved in the following order of precedence. +If your local device is joined to a domain, you're subject to obtaining a security policy from the domain's policy or from the policy of any organizational unit that you're a member of. If you're getting a policy from more than one source, conflicts are resolved in the following order of precedence. 1. Organizational unit policy 1. Domain policy 1. Site policy 1. Local computer policy -If you modify the security settings on your local device by using the local security policy, then you are directly modifying the settings on your device. Therefore, the settings take effect immediately, but this may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. +If you modify the security settings on your local device by using the local security policy, then you're directly modifying the settings on your device. Therefore, the settings take effect immediately, but this effect may only be temporary. The settings will actually remain in effect on your local device until the next refresh of Group Policy security settings, when the security settings that are received from Group Policy will override your local settings wherever there are conflicts. ### Using the Security Configuration Manager @@ -233,10 +232,10 @@ For procedures on how to use the Security Configuration Manager, see [Security C ### Applying security settings -Once you have edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: +Once you've edited the security settings, the settings are refreshed on the computers in the organizational unit linked to your Group Policy Object: - When a device is restarted, the settings on that device will be refreshed. -- To force a device to refresh its security settings as well as all Group Policy settings, use gpupdate.exe. +- To force a device to refresh its security settings and all Group Policy settings, use gpupdate.exe. **Precedence of a policy when more than one policy is applied to a computer** @@ -247,7 +246,7 @@ For security settings that are defined by more than one policy, the following or 1. Site Policy 1. Local computer Policy -For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there is a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override +For example, a workstation that is joined to a domain will have its local security settings overridden by the domain policy wherever there's a conflict. Likewise, if the same workstation is a member of an Organizational Unit, the settings applied from the Organizational Unit's policy will override both the domain and local settings. If the workstation is a member of more than one Organizational Unit, then the Organizational Unit that immediately contains the workstation has the highest order of precedence. > [!NOTE] @@ -260,23 +259,23 @@ Security settings may still persist even if a setting is no longer defined in th Persistence in security settings occurs when: -- The setting has not been previously defined for the device. +- The setting hasn't been previously defined for the device. - The setting is for a registry object. - The setting is for a file system object. -All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value does not exist in the database, then the setting does not revert to anything and remains defined as is. This behavior is sometimes called "tattooing." +All settings applied through local policy or a Group Policy Object are stored in a local database on your device. Whenever a security setting is modified, the computer saves the security setting value to the local database, which retains a history of all the settings that have been applied to the device. If a policy first defines a security setting and then no longer defines that setting, then the setting takes on the previous value in the database. If a previous value doesn't exist in the database, then the setting doesn't revert to anything and remains defined as is. This behavior is sometimes called "tattooing." Registry and file settings will maintain the values applied through policy until that setting is set to other values. **Filtering security settings based on group membership** -You can also decide what users or groups will or will not have a Group Policy Object applied to them regardless of what computer they have logged onto by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy. +You can also decide what users or groups will or won't have a Group Policy Object applied to them regardless of what computer they've signed into by denying them either the Apply Group Policy or Read permission on that Group Policy Object. Both of these permissions are needed to apply Group Policy. ### Importing and exporting security templates -Security Configuration and Analysis provides the ability to import and export security templates into or from a database. +Security Configuration and Analysis enables import and export of security templates into or from a database. -If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature provides the ability to save the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object. +If you have made any changes to the analysis database, you can save those settings by exporting them into a template. The export feature enables saving the analysis database settings as a new template file. This template file can then be used to analyze or configure a system, or it can be imported to a Group Policy Object. ### Analyzing security and viewing results @@ -286,26 +285,26 @@ Security Configuration and Analysis displays the analysis results by security ar |Visual flag |Meaning | |---------|---------| -|Red X |The entry is defined in the analysis database and on the system, but the security setting values do not match.| +|Red X |The entry is defined in the analysis database and on the system, but the security setting values don't match.| |Green check mark |The entry is defined in the analysis database and on the system and the setting values match.| -|Question mark |The entry is not defined in the analysis database and, therefore, was not analyzed.
    If an entry is not analyzed, it may be that it was not defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.| -|Exclamation point |This item is defined in the analysis database, but does not exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but does not actually exist on the analyzed system.| -|No highlight |The item is not defined in the analysis database or on the system.| +|Question mark |The entry isn't defined in the analysis database and, therefore, wasn't analyzed.
    If an entry isn't analyzed, it may be that it wasn't defined in the analysis database or that the user who is running the analysis may not have sufficient permission to perform analysis on a specific object or area.| +|Exclamation point |This item is defined in the analysis database, but doesn't exist on the actual system. For example, there may be a restricted group that is defined in the analysis database but doesn't actually exist on the analyzed system.| +|No highlight |The item isn't defined in the analysis database or on the system.| If you choose to accept the current settings, the corresponding value in the base configuration is modified to match them. If you change the system setting to match the base configuration, the change will be reflected when you configure the system with Security Configuration and Analysis. -To avoid continued flagging of settings that you have investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. +To avoid continued flagging of settings that you've investigated and determined to be reasonable, you can modify the base configuration. The changes are made to a copy of the template. ### Resolving security discrepancies You can resolve discrepancies between analysis database and system settings by: - Accepting or changing some or all of the values that are flagged or not included in the configuration, if you determine that the local system security levels are valid due to the context (or role) of that computer. These attribute values are then updated in the database and applied to the system when you click **Configure Computer Now**. -- Configuring the system to the analysis database values, if you determine the system is not in compliance with valid security levels. +- Configuring the system to the analysis database values, if you determine the system isn't in compliance with valid security levels. - Importing a more appropriate template for the role of that computer into the database as the new base configuration and applying it to the system. Changes to the analysis database are made to the stored template in the database, not to the security template file. The security template file will only be modified if you either return to Security Templates and edit that template or export the stored configuration to the same template file. You should use **Configure Computer Now** only to modify security areas *not* affected by Group Policy settings, such as security on local files and folders, registry keys, and system services. Otherwise, when the Group Policy settings are applied, it will take precedence over local settings—such as account policies. -In general, do not use **Configure Computer Now** when you are analyzing security for domain-based clients, since you will have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. +In general, don't use **Configure Computer Now** when you're analyzing security for domain-based clients, since you'll have to configure each client individually. In this case, you should return to Security Templates, modify the template, and reapply it to the appropriate Group Policy Object. ### Automating security configuration tasks diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index 1ad9f2883f..6a4eff29c5 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -1,6 +1,6 @@ --- -title: Allow log on through Remote Desktop Services (Windows 10) -description: Best practices, location, values, policy management, and security considerations for the security policy setting, Allow log on through Remote Desktop Services. +title: Allow a sign in through Remote Desktop Services (Windows 10) +description: Best practices, location, values, policy management, and security considerations for the security policy setting, Allow a sign in through Remote Desktop Services. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 ms.reviewer: ms.author: dansimp @@ -18,7 +18,7 @@ ms.date: 04/19/2017 ms.technology: windows-sec --- -# Allow log on through Remote Desktop Services +# Allow sign in through Remote Desktop Services **Applies to** - Windows 10 @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users or groups can access the logon screen of a remote device through a Remote Desktop Services connection. It is possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to log on to the console of that same server. +This policy setting determines which users or groups can access the sign-in screen of a remote device through a Remote Desktop Services connection. It's possible for a user to establish a Remote Desktop Services connection to a particular server but not be able to sign in to the console of that same server. Constant: SeRemoteInteractiveLogonRight @@ -38,7 +38,7 @@ Constant: SeRemoteInteractiveLogonRight ### Best practices -- To control who can open a Remote Desktop Services connection and log on to the device, add users to or remove users from the Remote Desktop Users group. +- To control who can open a Remote Desktop Services connection and sign in to the device, add users to or remove users from the Remote Desktop Users group. ### Location @@ -66,13 +66,13 @@ This section describes different features and tools available to help you manage ### Group Policy -To use Remote Desktop Services to successfully log on to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It is possible for a user to establish an Remote Desktop Services session to a particular server, but not be able to log on to the console of that same server. +To use Remote Desktop Services to successfully sign in to a remote device, the user or group must be a member of the Remote Desktop Users or Administrators group and be granted the **Allow log on through Remote Desktop Services** right. It's possible for a user to establish a Remote Desktop Services session to a particular server, but not be able to sign in to the console of that same server. To exclude users or groups, you can assign the **Deny log on through Remote Desktop Services** user right to those users or groups. However, be careful when you use this method because you could create conflicts for legitimate users or groups that have been allowed access through the **Allow log on through Remote Desktop Services** user right. For more information, see [Deny log on through Remote Desktop Services](deny-log-on-through-remote-desktop-services.md). -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -89,11 +89,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Any account with the **Allow log on through Remote Desktop Services** user right can log on to the remote console of the device. If you do not restrict this user right to legitimate users who must log on to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. +Any account with the **Allow log on through Remote Desktop Services** user right can sign in to the remote console of the device. If you don't restrict this user right to legitimate users who must sign in to the console of the computer, unauthorized users could download and run malicious software to elevate their privileges. ### Countermeasure -For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and do not run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. +For domain controllers, assign the **Allow log on through Remote Desktop Services** user right only to the Administrators group. For other server roles and devices, add the Remote Desktop Users group. For servers that have the Remote Desktop (RD) Session Host role service enabled and don't run in Application Server mode, ensure that only authorized IT personnel who must manage the computers remotely belong to these groups. > **Caution:**  For RD Session Host servers that run in Application Server mode, ensure that only users who require access to the server have accounts that belong to the Remote Desktop Users group because this built-in group has this logon right by default. @@ -101,7 +101,7 @@ Alternatively, you can assign the **Deny log on through Remote Desktop Services* ### Potential impact -Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities are not adversely affected. +Removal of the **Allow log on through Remote Desktop Services** user right from other groups (or membership changes in these default groups) could limit the abilities of users who perform specific administrative roles in your environment. You should confirm that delegated activities aren't adversely affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md index 39535992d7..6b5311ba25 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md @@ -62,11 +62,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Auditing -Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users back up or restore user rights, those events will not be audited. +Enabling this policy setting in conjunction with the **Audit privilege use** policy setting records any instance of user rights that are being exercised in the security log. If **Audit privilege use** is enabled but **Audit: Audit the use of Backup and Restore privilege** is disabled, when users back up or restore user rights, those events won't be audited. Enabling this policy setting when the **Audit privilege use** policy setting is also enabled generates an audit event for every file that is backed up or restored. This setup can help you to track down an administrator who is accidentally or maliciously restoring data in an unauthorized manner. diff --git a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md index cc93c278b5..d4f0fd8113 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md +++ b/windows/security/threat-protection/security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md @@ -38,7 +38,7 @@ There are over 40 auditing subcategories that provide precise details about acti ### Best practices -- Leave the setting enabled. This provides the ability to audit events at the category level without revising a policy. +- Leave the setting enabled. This "enabled" state helps audit events at the category level without revising a policy. ### Location @@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -71,9 +71,9 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep ### Auditing -To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value , prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. +To manage an audit policy by using subcategories without requiring a change to Group Policy, the SCENoApplyLegacyAuditPolicy registry value prevents the application of category-level audit policy from Group Policy and from the Local Security Policy administrative tool. -If the category level audit policy that is set here is not consistent with the events that are currently being generated, the cause might be that this registry key is set. +If the category level audit policy that is set here isn't consistent with the events that are currently being generated, the cause might be that this registry key is set. ### Command-line tools diff --git a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md index 7cc7a09a81..867e169424 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md +++ b/windows/security/threat-protection/security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md @@ -27,13 +27,13 @@ Describes the best practices, location, values, management practices, and securi ## Reference -The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it is unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message in the case of a failure of the auditing system. Enabling this policy setting stops the system if a security audit cannot be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**. +The **Audit: Shut down system immediately if unable to log security audits** policy setting determines whether the system shuts down if it's unable to log security events. This policy setting is a requirement for Trusted Computer System Evaluation Criteria (TCSEC)-C2 and Common Criteria certification to prevent auditable events from occurring if the audit system is unable to log those events. Microsoft has chosen to meet this requirement by halting the system and displaying a Stop message if there's a failure of the auditing system. Enabling this policy setting stops the system if a security audit can't be logged for any reason. Typically, an event fails to be logged when the security audit log is full and the value of **Retention method for security log** is **Do not overwrite events (clear log manually)** or **Overwrite events by days**. -With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry cannot be overwritten, the following Stop message appears: +With **Audit: Shut down system immediately if unable to log security audits** set to **Enabled**, if the security log is full and an existing entry can't be overwritten, the following Stop message appears: **STOP: C0000244 {Audit Failed}**: An attempt to generate a security audit failed. -To recover, you must log on, archive the log (optional), clear the log, and reset this option as desired. +To recover, you must sign in, archive the log (optional), clear the log, and reset this option as desired. If the computer is unable to record events to the security log, critical evidence or important troubleshooting information might not be available for review after a security incident. @@ -67,11 +67,11 @@ The following table lists the actual and effective default values for this polic ## Policy management This section describes features and tools that are available to help you manage this policy. -The administrative burden of enabling this policy setting can be very high, especially if you also set the **Retention method for security log** to **Do not overwrite events (clear log manually)**. This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial-of-service threat, because a server can be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security log. Additionally, because the shutdown is not graceful, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system will guarantee that the file system's integrity will be maintained during a sudden system shutdown, it cannot guarantee that every data file for every application will still be in a usable form when the system is restarted. +The administrative burden of enabling this policy setting can be high, especially if you also set the **Retention method for security log** to **Do not overwrite events (clear log manually)**. This setting turns a repudiation threat (a backup operator could deny that they backed up or restored data) into a denial-of-service threat, because a server can be forced to shut down if it's overwhelmed with sign-in events and other security events that are written to the security log. Additionally, because the shutdown isn't graceful, it's possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system will guarantee that the file system's integrity will be maintained during a sudden system shutdown, it can't guarantee that every data file for every application will still be in a usable form when the system is restarted. ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -91,7 +91,7 @@ Enable the **Audit: Shut down system immediately if unable to log security audit ### Potential impact -If you enable this policy setting, the administrative burden can be significant, especially if you also configure the **Retention method for the Security log** to **Do not overwrite events** (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability because a server could be forced to shut down if it is overwhelmed with logon events and other security events that are written to the security event log. Also, because the shutdown is abrupt, it is possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system maintains its integrity when this type of computer shutdown occurs, there is no guarantee that every data file for every application will still be in a usable form when the device restarts. +If you enable this policy setting, the administrative burden can be significant, especially if you also configure the **Retention method for the Security log** to **Do not overwrite events** (clear log manually). This configuration causes a repudiation threat (a backup operator could deny that they backed up or restored data) to become a denial of service (DoS) vulnerability because a server could be forced to shut down if it's overwhelmed with sign-in events and other security events that are written to the security event log. Also, because the shutdown is abrupt, it's possible that irreparable damage to the operating system, applications, or data could result. Although the NTFS file system maintains its integrity when this type of computer shutdown occurs, there's no guarantee that every data file for every application will still be in a usable form when the device restarts. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md index 239a32f7b1..f41f877de5 100644 --- a/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md +++ b/windows/security/threat-protection/security-policy-settings/bypass-traverse-checking.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right does not allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders. +This policy setting determines which users (or a process that acts on behalf of the user’s account) have permission to navigate an object path in the NTFS file system or in the registry without being checked for the Traverse Folder special access permission. This user right doesn't allow the user to list the contents of a folder. It only allows the user to traverse folders to access permitted files or subfolders. Constant: SeChangeNotifyPrivilege @@ -40,7 +40,7 @@ Constant: SeChangeNotifyPrivilege ### Best practices -1. Use access–based enumeration when you want to prevent users from seeing any folder or file to which they do not have access. +1. Use access–based enumeration when you want to prevent users from seeing any folder or file to which they don't have access. 2. Use the default settings of this policy in most cases. If you change the settings, verify your intent through testing. ### Location @@ -62,9 +62,9 @@ The following table lists the actual and effective default policy values. Defaul ## Policy management -Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs).The ability to traverse the folder does not provide any Read or Write permissions to the user. +Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs). The ability to traverse the folder doesn't provide any Read or Write permissions to the user. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -85,11 +85,11 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The default configuration for the **Bypass traverse checking** setting is to allow all users to bypass traverse checking. Permissions to files and folders are controlled though the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder does not provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions does not understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk. +The default configuration for the **Bypass traverse checking** setting is to allow all users to bypass traverse checking. Permissions to files and folders are controlled through the appropriate configuration of file system access control lists (ACLs) because the ability to traverse the folder doesn't provide any Read or Write permissions to the user. The only scenario in which the default configuration could lead to a mishap would be if the administrator who configures permissions doesn't understand how this policy setting works. For example, the administrator might expect that users who are unable to access a folder are unable to access the contents of any child folders. Such a situation is unlikely, and, therefore, this vulnerability presents little risk. ### Countermeasure -Organizations that are extremely concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users cannot see any folder or file to which they do not have access. For more info about this feature, see [Access-based Enumeration](/previous-versions/windows/it-pro/windows-server-2003/cc784710(v=ws.10)). +Organizations that are concerned about security may want to remove the Everyone group, and perhaps the Users group, from the list of groups that have the **Bypass traverse checking** user right. Taking explicit control over traversal assignments can be an effective way to limit access to sensitive information. Access–based enumeration can also be used. If you use access–based enumeration, users can't see any folder or file to which they don't have access. For more info about this feature, see [Access-based Enumeration](/previous-versions/windows/it-pro/windows-server-2003/cc784710(v=ws.10)). ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md index c3d5940ecc..bd9df622f1 100644 --- a/windows/security/threat-protection/security-policy-settings/change-the-system-time.md +++ b/windows/security/threat-protection/security-policy-settings/change-the-system-time.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can adjust the time on the device's internal clock. This right allows the computer user to change the date and time associated with records in the event logs, database transactions, and the file system. This right is also required by the process that performs time synchronization. This setting does not impact the user’s ability to change the time zone or other display characteristics of the system time. For info about assigning the right to change the time zone, see [Change the time zone](change-the-time-zone.md). +This policy setting determines which users can adjust the time on the device's internal clock. This right allows the computer user to change the date and time associated with records in the event logs, database transactions, and the file system. This right is also required by the process that performs time synchronization. This setting doesn't impact the user’s ability to change the time zone or other display characteristics of the system time. For info about assigning the right to change the time zone, see [Change the time zone](change-the-time-zone.md). Constant: SeSystemtimePrivilege @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -89,7 +89,7 @@ Users who can change the time on a computer could cause several problems. For ex - Time stamps on event log entries could be made inaccurate - Time stamps on files and folders that are created or modified could be incorrect - Computers that belong to a domain might not be able to authenticate themselves -- Users who try to log on to the domain from devices with inaccurate time might not be able to authenticate. +- Users who try to sign in to the domain from devices with inaccurate time might not be able to authenticate. Also, because the Kerberos authentication protocol requires that the requester and authenticator have their clocks synchronized within an administrator-defined skew period, an attacker who changes a device's time may cause that computer to be unable to obtain or grant Kerberos protocol tickets. @@ -100,7 +100,7 @@ The risk from these types of events is mitigated on most domain controllers, mem - All PDC emulator operations masters follow the hierarchy of domains in the selection of their inbound time partner. - The PDC emulator operations master at the root of the domain is authoritative for the organization. Therefore, we recommend that you configure this computer to synchronize with a reliable external time server. -This vulnerability becomes much more serious if an attacker is able to change the system time and then stop the Windows Time Service or reconfigure it to synchronize with a time server that is not accurate. +This vulnerability becomes much more serious if an attacker is able to change the system time and then stop the Windows Time Service or reconfigure it to synchronize with a time server that isn't accurate. ### Countermeasure @@ -108,7 +108,7 @@ Restrict the **Change the system time** user right to users with a legitimate ne ### Potential impact -There should be no impact because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that do not belong to the domain should be configured to synchronize with an external source, such as a web service. +There should be no impact because time synchronization for most organizations should be fully automated for all computers that belong to the domain. Computers that don't belong to the domain should be configured to synchronize with an external source, such as a web service. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md index c5a8a0a8e1..a5669229ef 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-pagefile.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It is used to supplement the computer’s Random Access Memory (RAM) to improve performance for frequently used programs and data. Although the file is hidden from browsing, you can manage it using the system settings. +Windows designates a section of the hard drive as virtual memory known as the page file, or more specifically, as pagefile.sys. It's used to supplement the computer’s Random Access Memory (RAM) to improve performance for frequently used programs and data. Although the file is hidden from browsing, you can manage it using the system settings. This policy setting determines which users can create and change the size of a page file. It determines whether users can specify a page file size for a particular drive in the **Performance Options** box located on the **Advanced** tab of the **System Properties** dialog box or through using internal application interfaces (APIs). @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values for the ## Policy management -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users who can change the page file size could make it extremely small or move the file to a highly fragmented storage volume, which could cause reduced device performance. +Users who can change the page file size could make it small or move the file to a highly fragmented storage volume, which could cause reduced device performance. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md index b506e0c131..718a99a7bd 100644 --- a/windows/security/threat-protection/security-policy-settings/create-a-token-object.md +++ b/windows/security/threat-protection/security-policy-settings/create-a-token-object.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, policy management, and security This policy setting determines which accounts a process can use to create a token, and which accounts it can then use to gain access to local resources when the process uses NtCreateToken() or other token-creation APIs. -When a user logs on to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user's privileges. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. +When a user signs in to the local device or connects to a remote device through a network, Windows builds the user’s access token. Then the system examines the token to determine the level of the user's privileges. When you revoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token until the next time the user logs on or connects. Constant: SeCreateTokenPrivilege @@ -40,7 +40,7 @@ Constant: SeCreateTokenPrivilege ### Best practices -- This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. +- This user right is used internally by the operating system. Unless it's necessary, don't assign this user right to a user, group, or process other than Local System. ### Location @@ -48,7 +48,7 @@ Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Use ### Default values -This user right is used internally by the operating system. By default, it is not assigned to any user groups. +This user right is used internally by the operating system. By default, it isn't assigned to any user groups. The following table lists the actual and effective default policy values. Default values are also listed on the policy’s property page. @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul ## Policy management -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -86,11 +86,11 @@ This section describes how an attacker might exploit a feature or its configurat >**Caution:**  A user account that is given this user right has complete control over the system, and it can lead to the system being compromised. We highly recommend that you do not assign this right to any user accounts. -Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users log on to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change is not reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they are currently logged on. They could escalate their privileges or create a DoS condition. +Windows examines a user's access token to determine the level of the user's privileges. Access tokens are built when users sign in to the local device or connect to a remote device over a network. When you revoke a privilege, the change is immediately recorded, but the change isn't reflected in the user's access token until the next time the user logs on or connects. Users with the ability to create or modify tokens can change the level of access for any account on a computer if they're currently logged on. They could escalate their privileges or create a DoS condition. ### Countermeasure -Do not assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned. +Don't assign the **Create a token object** user right to any users. Processes that require this user right should use the Local System account, which already includes it, instead of a separate user account that has this user right assigned. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/create-global-objects.md b/windows/security/threat-protection/security-policy-settings/create-global-objects.md index fd0acee762..b4f0048aa0 100644 --- a/windows/security/threat-protection/security-policy-settings/create-global-objects.md +++ b/windows/security/threat-protection/security-policy-settings/create-global-objects.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. +This policy setting determines which users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they don't have this user right. -A global object is an object that is created to be used by any number of processes or threads, even those not started within the user’s session. Remote Desktop Services uses global objects in its processes to facilitate connections and access. +A global object is an object that can be used by any number of processes or threads, even those processes or threads not started within the user’s session. Remote Desktop Services uses global objects in its processes to facilitate connections and access. Constant: SeCreateGlobalPrivilege @@ -40,7 +40,7 @@ Constant: SeCreateGlobalPrivilege ### Best practices -- Do not assign any user accounts this right. +- Don't assign any user accounts this right. ### Location @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul ## Policy management -A restart of the device is not required for this policy setting to take effect. +A restart of the device isn't required for this policy setting to take effect. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -90,7 +90,7 @@ By default, members of the **Administrators** group, the System account, and ser ### Countermeasure -When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assining them this user right. +When non-administrators need to access a server using Remote Desktop, add the users to the **Remote Desktop Users** group rather than assigning them this user right. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md index d5d9820efd..3302b6c613 100644 --- a/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md +++ b/windows/security/threat-protection/security-policy-settings/create-symbolic-links.md @@ -27,9 +27,9 @@ Describes the best practices, location, values, policy management, and security ## Reference -This user right determines if users can create a symbolic link from the device they are logged on to. +This user right determines if users can create a symbolic link from the device they're logged on to. -A symbolic link is a file-system object that points to another file-system object. The object that's pointed to is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. +A symbolic link is a file-system object that points to another file-system object that is called the target. Symbolic links are transparent to users. The links appear as normal files or directories, and they can be acted upon by the user or application in exactly the same manner. Symbolic links are designed to aid in migration and application compatibility with UNIX operating systems. Microsoft has implemented symbolic links to function just like UNIX links. >**Warning:**   This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Constant: SeCreateSymbolicLinkPrivilege @@ -41,7 +41,7 @@ Constant: SeCreateSymbolicLinkPrivilege ### Best practices -- Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that are not designed to handle them. +- Only trusted users should get this user right. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. ### Location @@ -66,7 +66,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes different features and tools available to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -95,7 +95,7 @@ Users who have the **Create symbolic links** user right could inadvertently or m ### Countermeasure -Do not assign the **Create symbolic links** user right to standard users. Restrict this right to trusted administrators. You can use the **fsutil** command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer. +Don't assign the **Create symbolic links** user right to standard users. Restrict this right to trusted administrators. You can use the **fsutil** command to establish a symbolic link file system setting that controls the kind of symbolic links that can be created on a computer. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index cfed5fd439..22eda320a1 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -27,13 +27,13 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting allows you to define additional computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an additional access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights. +This policy setting allows you to define other computer-wide controls that govern access to all Distributed Component Object Model (DCOM)–based applications on a device. These controls restrict call, activation, or launch requests on the device. A simple way to think about these access controls is as an extra access check that is performed against a device-wide access control list (ACL) on each call, activation, or launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to access any COM-based server. This policy setting controls access permissions to cover call rights. These device-wide ACLs provide a way to override weak security settings that are specified by an application through the CoInitializeSecurity function or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific server. These ACLs also provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers on the device. -This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. +This policy setting allows you to specify an ACL in two different ways. You can type the security descriptor in SDDL, or you can grant or deny Local Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you're running. ### Possible values @@ -43,7 +43,7 @@ This policy setting allows you to specify an ACL in two different ways. You can - Blank - This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it as Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. ### Location @@ -67,14 +67,14 @@ The following table lists the actual and effective default values for this polic This section describes features and tools that are available to help you manage this policy. ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy -The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users are not changed. Use care in configuring the list of users and groups. +The registry settings that are created as a result of enabling the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting take precedence over the previous registry settings when this policy setting was configured. The Remote Procedure Call (RPC) service checks the new registry keys in the Policies section for the computer restrictions, and these registry entries take precedence over the existing registry keys under OLE. This precedence means that previously existing registry settings are no longer effective, and if you make changes to the existing settings, device access permissions for users aren't changed. Use care in configuring the list of users and groups. -If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This will restore control of the DCOM application to the administrator and users. To do this, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click -**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This defines the setting and sets the appropriate SDDL value. +If the administrator is denied permission to access DCOM applications due to the changes made to DCOM in the Windows operating system, the administrator can use the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting to manage DCOM access to the computer. The administrator can use this setting to specify which users and groups can access the DCOM application on the computer locally and remotely. This setting will restore control of the DCOM application to the administrator and users. To define this setting, open the **DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click +**Edit Security**. Specify the users or groups you want to include and the computer access permissions for those users or groups. This information defines the setting and sets the appropriate SDDL value. ## Security considerations @@ -82,7 +82,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. +Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. Administrators can't override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. Also, the COM infrastructure includes the Remote Procedure Call Services (RPCSS), a system service that runs during and after computer startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote access, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users who use remote, unauthenticated computers. @@ -92,7 +92,7 @@ To protect individual COM-based applications or services, set the **DCOM: Machin ### Potential impact -Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. If it does not, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. +Windows implements default COM ACLs when they're installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific call permissions that ACL assigns are the correct permissions for appropriate users. If it doesn't, you must change your application-specific permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM don't fail. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md index 7142b1773f..e5bb3b3aec 100644 --- a/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md +++ b/windows/security/threat-protection/security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md @@ -27,17 +27,17 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define additional computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an additional access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. +This policy setting is similar to the [DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax](dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md) setting in that it allows you to define more computer-wide controls that govern access to all DCOM–based applications on a device. However, the ACLs that are specified in this policy setting control local and remote COM launch requests (not access requests) on the device. A simple way to think about this access control is as an extra access check that is performed against a device-wide ACL on each launch of any COM-based server. If the access check fails, the call, activation, or launch request is denied. (This check is in addition to any access check that is run against the server-specific ACLs.) In effect, it provides a minimum authorization standard that must be passed to launch any COM-based server. The DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax policy setting differs in that it provides a minimum access check that is applied to attempts to access an already launched COM-based server. These device-wide ACLs provide a way to override weak security settings that are specified by an application through CoInitializeSecurity or application-specific security settings. They provide a minimum security standard that must be passed, regardless of the settings of the specific COM-based server. These ACLs provide a centralized location for an administrator to set a general authorization policy that applies to all COM-based servers. The **DCOM: Machine Launch Restrictions in the Security Descriptor Definition Language (SDDL) syntax** setting allows you to specify an ACL in two ways. You can type the security descriptor in SDDL, or you can grant or deny Local -Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you are running. +Access and Remote Access permissions to users and groups. We recommend that you use the built-in user interface to specify the ACL contents that you want to apply with this setting. The default ACL settings vary, depending on the version of Windows you're running. ### Possible values - Blank - This represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. + This value represents how the local security policy deletes the policy enforcement key. This value deletes the policy and then sets it to Not defined. The Blank value is set by using the ACL editor to empty the list, and then pressing OK. - *User-defined input* of the SDDL representation of the groups and privileges @@ -66,15 +66,15 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Group Policy The registry settings that are created as a result of this policy take precedence over the previous registry settings in this area. The Remote Procedure Call (RPC) service (RpcSs) checks the new registry keys in the Policies section for the computer restrictions; these entries take precedence over the existing registry keys under OLE. -If you are denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device. +If you're denied access to activate and launch DCOM applications due to the changes made to DCOM in the Windows operating system, this policy setting can be used to control the DCOM activation and launch to the device. -You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This restores control of the DCOM application to the administrator and specified users. To do this, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This defines the setting and sets the appropriate SDDL value. +You can specify which users and groups can launch and activate DCOM applications on the device locally and remotely by using the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** policy setting. This setting restores control of the DCOM application to the administrator and specified users. To define this setting, open the **DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax** setting, and click **Edit Security**. Specify the groups that you want to include and the device launch permissions for those groups. This information defines the setting and sets the appropriate SDDL value. ## Security considerations @@ -82,9 +82,9 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. You cannot override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. +Many COM applications include some security-specific code (for example, to call CoInitializeSecurity), but they use weak settings that allow unauthenticated access to the process. You can't override these settings to force stronger security in earlier versions of Windows without modifying the application. An attacker could attempt to exploit weak security in an individual application by attacking it through COM calls. -Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after that. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers. +Also, the COM infrastructure includes the Remote Procedure Call Service (RPCSS), a system service that runs during computer startup and always runs after the startup. This service manages activation of COM objects and the running object table and provides helper services to DCOM remoting. It exposes RPC interfaces that can be called remotely. Because some COM-based servers allow unauthenticated remote component activation, these interfaces can be called by anyone, including unauthenticated users. As a result, RPCSS can be attacked by malicious users using remote, unauthenticated computers. ### Countermeasure @@ -92,7 +92,7 @@ To protect individual COM-based applications or services, set this policy settin ### Potential impact -Windows implements default COM ACLs when they are installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. If it does not, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM do not fail. +Windows implements default COM ACLs when they're installed. Modifying these ACLs from the default may cause some applications or components that communicate by using DCOM to fail. If you implement a COM-based server and you override the default security settings, confirm that the application-specific launch permissions ACL assigns include activation permissions to appropriate users. If it doesn't, you must change your application-specific launch permission ACL to provide appropriate users with activation rights so that applications and Windows components that use DCOM don't fail. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md index 269c9d78ab..4b02ab14cd 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md +++ b/windows/security/threat-protection/security-policy-settings/deny-access-to-this-computer-from-the-network.md @@ -64,7 +64,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features and tools available to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. This policy setting supersedes the **Access this computer from the network** policy setting if a user account is subject to both policies. @@ -87,25 +87,25 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Users who can log on to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. +Users who can sign in to the device over the network can enumerate lists of account names, group names, and shared resources. Users with permission to access shared folders and files can connect over the network and possibly view or modify data. ### Countermeasure Assign the **Deny access to this computer from the network** user right to the following accounts: -- Anonymous logon +- Anonymous sign in - Built-in local Administrator account - Local Guest account - All service accounts -An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you have configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to log on to the server with the shared folder from the network. This user right is particularly effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. +An important exception to this list is any service accounts that are used to start services that must connect to the device over the network. For example, let’s say you've configured a shared folder for web servers to access, and you present content within that folder through a website. You may need to allow the account that runs IIS to sign in to the server with the shared folder from the network. This user right is effective when you must configure servers and workstations on which sensitive information is handled because of regulatory compliance concerns. > [!NOTE] > If the service account is configured in the logon properties of a Windows service, it requires network logon rights to the domain controllers to start properly. ### Potential impact -If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks are not negatively affected. +If you configure the **Deny access to this computer from the network** user right for other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should verify that delegated tasks aren't negatively affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md index 3065d91365..a1f85a8494 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-batch-job.md @@ -27,8 +27,7 @@ This article describes the recommended practices, location, values, policy manag ## Reference -This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to log on by using a batch-queue tool is needed for any account that is used to start scheduled jobs by means of the Task -Scheduler. +This policy setting determines which accounts are prevented from logging on by using a batch-queue tool to schedule and start jobs automatically in the future. The ability to sign in by using a batch-queue tool is needed for any account that is used to start scheduled jobs with the Task Scheduler. Constant: SeDenyBatchLogonRight From 7039123165ba6db3a91c8a22db876506d36144f1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 24 Jun 2022 16:38:59 +0530 Subject: [PATCH 06/77] Acrolinx Enhancement Effort --- .../deny-log-on-as-a-service.md | 4 ++-- .../deny-log-on-locally.md | 10 ++++----- ...-log-on-through-remote-desktop-services.md | 12 +++++----- ...s-allow-undock-without-having-to-log-on.md | 16 +++++++------- ...wed-to-format-and-eject-removable-media.md | 4 ++-- ...t-users-from-installing-printer-drivers.md | 8 +++---- ...m-access-to-locally-logged-on-user-only.md | 10 ++++----- ...y-access-to-locally-logged-on-user-only.md | 10 ++++----- ...llow-server-operators-to-schedule-tasks.md | 10 ++++----- ...roller-ldap-server-signing-requirements.md | 14 ++++++------ ...refuse-machine-account-password-changes.md | 10 ++++----- ...rypt-or-sign-secure-channel-data-always.md | 21 +++++++++--------- ...crypt-secure-channel-data-when-possible.md | 22 +++++++++---------- ...-sign-secure-channel-data-when-possible.md | 22 +++++++++---------- ...isable-machine-account-password-changes.md | 14 ++++++------ 15 files changed, 93 insertions(+), 94 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md index 3b48755935..6085f264bd 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-as-a-service.md @@ -89,12 +89,12 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Accounts that can log on to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is somewhat reduced by the fact that only users with administrative rights can install and configure +Accounts that can sign in to a service application could be used to configure and start new unauthorized services, such as a keylogger or other malware. The benefit of the specified countermeasure is reduced by the fact that only users with administrative rights can install and configure services, and an attacker who already has that level of access could configure the service to run by using the System account. ### Countermeasure -We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to log on to a service application. +We recommend that you don't assign the **Deny log on as a service** user right to any accounts. This configuration is the default. Organizations that have strong concerns about security might assign this user right to groups and accounts when they're certain that they'll never need to sign in to a service application. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md index e3663ffda4..7363da3bbc 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-locally.md @@ -62,11 +62,11 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. -If you apply this policy setting to the Everyone group, no one will be able to log on locally. +If you apply this policy setting to the Everyone group, no one will be able to sign in locally. ### Group Policy @@ -87,15 +87,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Any account with the ability to log on locally could be used to log on at the console of the device. If this user right is not restricted to legitimate users who must log on to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. +Any account with the ability to sign in locally could be used to sign in at the console of the device. If this user right isn't restricted to legitimate users who must sign in to the console of the device, unauthorized users might download and run malicious software that elevates their user rights. ### Countermeasure -Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. +Assign the **Deny log on locally** user right to the local Guest account. If you have installed optional components such as ASP.NET, you may want to assign this user right to other accounts that are required by those components. ### Potential impact -If you assign the **Deny log on locally** user right to additional accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on device that are configured with the Web Server role. You should confirm that delegated activities are not adversely affected. +If you assign the **Deny log on locally** user right to other accounts, you could limit the abilities of users who are assigned to specific roles in your environment. However, this user right should explicitly be assigned to the ASPNET account on devices that are configured with the Web Server role. You should confirm that delegated activities aren't adversely affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md index ea9ba0f63a..288922a996 100644 --- a/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/deny-log-on-through-remote-desktop-services.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It is possible for a user to establish a Remote Desktop connection to a particular server, but not be able to log on to the console of that server. +This policy setting determines which users are prevented from logging on to the device through a Remote Desktop connection through Remote Desktop Services. It's possible for a user to establish a Remote Desktop connection to a particular server, but not be able to sign in to the console of that server. Constant: SeDenyRemoteInteractiveLogonRight @@ -38,7 +38,7 @@ Constant: SeDenyRemoteInteractiveLogonRight ### Best practices -- To control who can open a Remote Desktop connection and log on to the device, add the user account to or remove user accounts from the Remote Desktop Users group. +- To control who can open a Remote Desktop connection and sign in to the device, add the user account to or remove user accounts from the Remote Desktop Users group. ### Location @@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -86,15 +86,15 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Any account with the right to log on through Remote Desktop Services could be used to log on to the remote console of the device. If this user right is not restricted to legitimate users who need to log on to the console of the computer, malicious users might download and run software that elevates their user rights. +Any account with the right to sign in through Remote Desktop Services could be used to sign in to the remote console of the device. If this user right isn't restricted to legitimate users who need to sign in to the console of the computer, malicious users might download and run software that elevates their user rights. ### Countermeasure -Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to additional accounts that are required by those components. +Assign the **Deny log on through Remote Desktop Services** user right to the built-in local guest account and all service accounts. If you have installed optional components, such as ASP.NET, you may want to assign this user right to other accounts that are required by those components. ### Potential impact -If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right cannot connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks are not negatively affected. +If you assign the **Deny log on through Remote Desktop Services** user right to other groups, you could limit the abilities of users who are assigned to specific administrative roles in your environment. Accounts that have this user right can't connect to the device through Remote Desktop Services or Remote Assistance. You should confirm that delegated tasks aren't negatively affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index 6f6a4ddb5f..fd60b876a5 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -1,6 +1,6 @@ --- -title: Devices Allow undock without having to log on (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to log on security policy setting. +title: Devices Allow undock without having to sign in (Windows 10) +description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to sign in security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c ms.reviewer: ms.author: dansimp @@ -18,7 +18,7 @@ ms.date: 04/19/2017 ms.technology: windows-sec --- -# Devices: Allow undock without having to log on +# Devices: Allow undock without having to sign in **Applies to** - Windows 10 @@ -27,11 +27,11 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must log on to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. +This policy setting enables or disables the ability of a user to remove a portable device from a docking station without logging on. If you enable this policy setting, users can press a docked portable device's physical eject button to safely undock the device. If you disable this policy setting, the user must sign in to receive permission to undock the device. Only users who have the **Remove Computer from Docking Station** privilege can obtain this permission. >**Note:**  Disabling this policy setting only reduces theft risk for portable devices that cannot be mechanically undocked. Devices that can be mechanically undocked can be physically removed by the user whether or not they use the Windows undocking functionality. -Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that do not have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices +Enabling this policy setting means that anyone with physical access to a device that has been placed in its docking station can remove the computer and possibly tamper with it. For devices that don't have docking stations, this policy setting has no impact. However, for users with a mobile computer that is normally docked while they are in the office, this policy setting will help lower the risk of equipment theft or a malicious user gaining physical access to these devices ### Possible values @@ -41,7 +41,7 @@ Enabling this policy setting means that anyone with physical access to a device ### Best practices -It is advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to log on to the local console before they can undock their systems. +It's advisable to disable the **Devices: Allow undock without having to log on** policy setting. Users who have docked their devices will have to sign in to the local console before they can undock their systems. ### Location @@ -66,7 +66,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -81,7 +81,7 @@ If this policy setting is enabled, anyone with physical access to portable compu Disable the **Devices: Allow undock without having to log on** setting. ### Potential impact -Users who have docked their device must log on to the local console before they can undock their computers. For devices that do not have docking stations, this policy setting has no impact. +Users who have docked their device must sign in to the local console before they can undock their computers. For devices that don't have docking stations, this policy setting has no impact. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md index fccacdc413..3acbde1af2 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md @@ -40,7 +40,7 @@ Users can move removable disks to a different device where they have administrat ### Best practices -- It is advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media. +- It's advisable to set **Allowed to format and eject removable media** to **Administrators**. Only administrators will be able to eject NTFS-formatted removable media. ### Location @@ -65,7 +65,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md index 5b2bfdf5aa..baf3de195a 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md @@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for For a device to print to a network printer, the driver for that network printer must be installed locally. The **Devices: Prevent users from installing printer drivers** policy setting determines who can install a printer driver as part of adding a network printer. When you set the value to **Enabled**, only Administrators and Power Users can install a printer driver as part of adding a network printer. Setting the value to **Disabled** allows any user to install a printer driver as part of adding a network printer. This setting prevents unprivileged users from downloading and installing an untrusted printer driver. -This setting has no impact if you have configured a trusted path for downloading drivers. When using trusted paths, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver is not installed and the network printer is not added. +This setting has no impact if you've configured a trusted path for downloading drivers. If trusted paths are being used, the print subsystem attempts to use the trusted path to download the driver. If the trusted path download succeeds, the driver is installed on behalf of any user. If the trusted path download fails, the driver isn't installed and the network printer isn't added. -Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this is not suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers. +Although it might be appropriate in some organizations to allow users to install printer drivers on their own workstations, this idea isn't suitable for servers. Installing a printer driver on a server can cause the system to become less stable. Only administrators should have this user right on servers. A malicious user might deliberately try to damage the system by installing inappropriate printer drivers. ### Possible values @@ -41,7 +41,7 @@ Although it might be appropriate in some organizations to allow users to install ### Best practices -- It is advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting does not affect a user's ability to add a local printer. +- It's advisable to set **Devices: Prevent users from installing printer drivers** to Enabled. Only users in the Administrative, Power User, or Server Operator groups will be able to install printers on servers. If this policy setting is enabled, but the driver for a network printer already exists on the local computer, users can still add the network printer. This policy setting doesn't affect a user's ability to add a local printer. > [!NOTE] > After applying the [July 6, 2021 updates](https://support.microsoft.com/topic/kb5005010-restricting-installation-of-new-printer-drivers-after-applying-the-july-6-2021-updates-31b91c02-05bc-4ada-a7ea-183b129578a7), non-administrators, including delegated admin groups like printer operators, cannot install signed and unsigned printer drivers to a print server. By default, only administrators can install both signed and unsigned printer drivers to a print server. @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md index 1bc52f9b73..18e750e462 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md @@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for This policy setting determines whether a CD is accessible to local and remote users simultaneously. If you enable this policy setting, only the interactively logged-on user is allowed to access removable CDs. If this policy setting is enabled and no one is logged on interactively, the CD can be accessed over the network. -The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This is important when administrators are installing software or copying data from a CD-ROM, and they do not want network users to be able to execute the applications or view the data. +The security benefit of enabling this policy setting is small because it only prevents network users from accessing the drive when someone is logged on to the local console of the system at the same time. Additionally, CD drives aren't automatically made available as network shared drives; you must deliberately choose to share the drive. This setting to share is important when administrators are installing software or copying data from a CD-ROM, and they don't want network users to be able to execute the applications or view the data. -If this policy setting is enabled, users who connect to the server over the network will not be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting is not suitable for a system that serves as a CD jukebox for network users. +If this policy setting is enabled, users who connect to the server over the network won't be able to use any CD drives that are installed on the server when anyone is logged on to the local console of the server. Enabling this policy setting isn't suitable for a system that serves as a CD jukebox for network users. ### Possible values @@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -75,14 +75,14 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives are not automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run +A remote user could potentially access a mounted CD that contains sensitive information. This risk is small because CD drives aren't automatically made available as shared drives; you must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. ### Countermeasure Enable the **Devices: Restrict CD-ROM drive access to locally logged-on user only** setting. ### Potential impact -Users who connect to the server over the network cannot use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting would not be suitable for a computer that serves as a CD jukebox for network users. +Users who connect to the server over the network can't use any CD drives that are installed on the server when anyone is logged on to the local console of the server. System tools that require access to the CD drive will fail. For example, the Volume Shadow Copy service attempts to access all CD and floppy disk drives that are present on the computer when it initializes, and if the service can't access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. This policy setting wouldn't be suitable for a computer that serves as a CD jukebox for network users. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md index 2591b45b42..cd1c68ffef 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md +++ b/windows/security/threat-protection/security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md @@ -29,9 +29,9 @@ Describes the best practices, location, values, and security considerations for This policy setting determines whether removable floppy disks are accessible to local and remote users simultaneously. Enabling this policy setting allows only the interactively logged-on user to access removable floppy disks. If this policy setting is enabled and no one is logged on interactively, the floppy disk can be accessed over the network. -The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives are not automatically made available as network shared drives; you must deliberately choose to share the drive. This becomes important when you are installing software or copying data from a floppy disk and they do not want network users to be able to execute the applications or view the data. +The security benefit of enabling this policy setting is small because it only prevents network users from accessing the floppy disk drive when someone is logged on to the local console of the system at the same time. Additionally, floppy disk drives aren't automatically made available as network shared drives; you must deliberately choose to share the drive. This setting to share becomes important when you're installing software or copying data from a floppy disk and they don't want network users to be able to execute the applications or view the data. -If this policy setting is enabled, users who connect to the server over the network will not be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. +If this policy setting is enabled, users who connect to the server over the network won't be able to use any floppy disk drives that are installed on the server when anyone is logged on to the local console of the server. ### Possible values @@ -66,7 +66,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -74,7 +74,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives are not automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. +A remote user could potentially access a mounted floppy disk that contains sensitive information. This risk is small because floppy disk drives aren't automatically shared; administrators must deliberately choose to share the drive. However, you can deny network users the ability to view data or run applications from removable media on the server. ### Countermeasure @@ -82,7 +82,7 @@ Enable the **Devices: Restrict floppy access to locally logged-on user only** se ### Potential impact -Users who connect to the server over the network cannot use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service cannot access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. +Users who connect to the server over the network can't use any floppy disk drives that are installed on the device when anyone is logged on to the local console of the server. System tools that require access to floppy disk drives fail. For example, the Volume Shadow Copy service attempts to access all CD-ROM and floppy disk drives that are present on the computer when it initializes, and if the service can't access one of these drives, it fails. This condition causes the Windows Backup tool to fail if volume shadow copies were specified for the backup job. Any non-Microsoft backup products that use volume shadow copies also fail. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md index ad7e4030e3..27a5767000 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md @@ -27,13 +27,13 @@ Describes the best practices, location, values, and security considerations for ## Reference -This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators by means of the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. +This policy setting determines whether server operators can use the**at** command to submit jobs. If you enable this policy setting, jobs that are created by server operators through the **at** command run in the context of the account that runs the Task Scheduler service. By default, that is the Local System account. >**Note:**  This security option setting affects only the scheduler tool for the **at** command. It does not affect the Task Scheduler tool. -Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is the Local System account. This means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. +Enabling this policy setting means jobs that are created by server operators through the **at** command will be executed in the context of the account that is running that service—by default, that is, the Local System account. This synchronization with the local account means that server operators can perform tasks that the Local System account is able to do, but server operators would normally not be able to do, such as add their account to the local Administrators group. -The impact of enabling this policy setting should be small for most organizations. Users, including those in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. +The impact of enabling this policy setting should be small for most organizations. Users, including those users in the Server Operators group, will still be able to create jobs by using the Task Scheduler Wizard, but those jobs will run in the context of the account that the user authenticates with when setting up the job. ### Possible values @@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Command-line tools @@ -88,7 +88,7 @@ Disable the **Domain controller: Allow server operators to schedule tasks** sett ### Potential impact -The impact should be small for most organizations. Users (including those in the Server Operators group) can still create jobs by means of the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. +The impact should be small for most organizations. Users (including those users in the Server Operators group) can still create jobs through the Task Scheduler snap-in. However, those jobs run in the context of the account that the user authenticates with when setting up the job. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md index 3c4bd32092..d9e51b120c 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-signing-requirements.md @@ -29,9 +29,9 @@ This article describes the best practices, location, values, and security consid This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate data signing. -Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the case of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult. +Unsigned network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the example of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult. -This setting does not have any impact on LDAP simple bind through SSL (LDAP TCP/636). +This setting doesn't have any impact on LDAP simple bind through SSL (LDAP TCP/636). If signing is required, then LDAP simple binds not using SSL are rejected (LDAP TCP/389). @@ -39,13 +39,13 @@ If signing is required, then LDAP simple binds not using SSL are rejected (LDAP ### Possible values -- None. Data signatures are not required to bind with the server. If the client computer requests data signing, the server supports it. +- None. Data signatures aren't required to bind with the server. If the client computer requests data signing, the server supports it. - Require signature. The LDAP data-signing option must be negotiated unless Transport Layer Security/Secure Sockets Layer (TLS/SSL) is in use. - Not defined. ### Best practices -- We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that do not support LDAP signing will be unable to execute LDAP queries against the domain controllers. +- We recommend that you set **Domain controller: LDAP server signing requirements** to **Require signature**. Clients that don't support LDAP signing will be unable to execute LDAP queries against the domain controllers. ### Location @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Where LDAP servers are concerned, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult. +Unsigned network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Regarding LDAP servers, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult. ### Countermeasure @@ -86,7 +86,7 @@ Configure the **Domain controller: LDAP server signing requirements** setting to ### Potential impact -Client devices that do not support LDAP signing cannot run LDAP queries against the domain controllers. +Client devices that don't support LDAP signing can't run LDAP queries against the domain controllers. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md index d0b2f91db5..4b6f851944 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-controller-refuse-machine-account-password-changes.md @@ -30,7 +30,7 @@ This policy setting enables or disables blocking a domain controller from accept ### Possible values -- **Enabled** When enabled, this setting does not allow a domain controller to accept any changes to a machine account's password. +- **Enabled** When enabled, this setting doesn't allow a domain controller to accept any changes to a machine account's password. - **Disabled** When disabled, this setting allows a domain controller to accept any changes to a machine account's password. @@ -38,7 +38,7 @@ This policy setting enables or disables blocking a domain controller from accept ### Best practices -- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This, in turn, leaves those passwords susceptible to attack. Make sure that this conforms to your overall security policy for the domain. +- Enabling this policy setting on all domain controllers in a domain prevents domain members from changing their machine account passwords. This prevention, in turn, leaves those passwords susceptible to attack. Ensure that this setting conforms to your overall security policy for the domain. ### Location @@ -70,7 +70,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,7 +78,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If you enable this policy setting on all domain controllers in a domain, domain members cannot change their machine account passwords, and those passwords are more susceptible to attack. +If you enable this policy setting on all domain controllers in a domain, domain members can't change their machine account passwords, and those passwords are more susceptible to attack. ### Countermeasure @@ -86,7 +86,7 @@ Disable the **Domain controller: Refuse machine account password changes** setti ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md index c48680bf77..f5fe43b200 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md @@ -27,30 +27,29 @@ Describes the best practices, location, values, and security considerations for ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Logon information that is -transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed or encrypted. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. -The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: +The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic: - Domain member: Digitally encrypt or sign secure channel data (always) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) -Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. +Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data. -To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a device running Windows that has joined a domain to have access to the user account database in its domain and in any trusted domains. +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a device running Windows that has joined a domain to have access to the user account database in its domain and in any trusted domains. To enable the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of signing or encrypting all secure-channel data. Enabling the **Domain member: Digitally encrypt or sign secure channel data (always)** policy setting automatically enables the [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) policy setting. -When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After being connected to the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass-through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Possible values - Enabled - The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This ensures that the domain member attempts to negotiate at least signing of the secure + The policy [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) is assumed to be enabled regardless of its current setting. This enablement ensures that the domain member attempts to negotiate at least signing of the secure channel traffic. - Disabled @@ -92,7 +91,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -104,8 +103,8 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and -sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and +sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the device is configured to encrypt or sign secure channel data, when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Countermeasure @@ -117,7 +116,7 @@ Select one of the following settings as appropriate for your environment to conf ### Potential impact -Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. +Digital encryption and signing of the secure channel is a good idea because the secure channel protects domain credentials as they're sent to the domain controller. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md index f07984917f..920aba71a4 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md @@ -27,31 +27,31 @@ Describes the best practices, location, values, and security considerations for ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Logon information that is transmitted over +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be encrypted. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. -In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: +In addition to this policy setting, the following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic: - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally sign secure channel data (when possible)](domain-member-digitally-sign-secure-channel-data-when-possible.md) -Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. +Setting **Domain member: Digitally encrypt or sign secure channel data (always)** to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data. -To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate machine accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. -When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Possible values - Enabled - The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only logon information that is transmitted over the secure channel will be encrypted. + The domain member will request encryption of all secure channel traffic. If the domain controller supports encryption of all secure channel traffic, then all secure channel traffic will be encrypted. Otherwise, only sign-in information that is transmitted over the secure channel will be encrypted. - Disabled - The domain member will not attempt to negotiate secure channel encryption. + The domain member won't attempt to negotiate secure channel encryption. >**Note:**  If the security policy setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled, this setting will be overwritten. @@ -86,11 +86,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy -Distribution of this policy through Group Policy does not override the Local Security Policy setting. +Distribution of this policy through Group Policy doesn't override the Local Security Policy setting. ## Security considerations @@ -98,7 +98,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Countermeasure @@ -110,7 +110,7 @@ Select one of the following settings as appropriate for your environment to conf ### Potential impact -Digital signing of the secure channel is a good idea because it protects domain credentials as they are sent to the domain controller. +Digital signing of the secure channel is a good idea because it protects domain credentials as they're sent to the domain controller. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md index b75a8767d9..2083e899a8 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md @@ -27,30 +27,30 @@ Describes the best practices, location, values, and security considerations for ## Reference -This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Logon information that is transmitted over the +This setting determines whether all secure channel traffic that is initiated by the domain member meets minimum security requirements. Specifically, it determines whether all secure channel traffic that is initiated by the domain member must be signed. Sign-in information that is transmitted over the secure channel is always encrypted regardless of whether the encryption of all other secure channel traffic is negotiated. -The following policy settings determine whether a secure channel can be established with a domain controller that is not capable of signing or encrypting secure channel traffic: +The following policy settings determine whether a secure channel can be established with a domain controller that isn't capable of signing or encrypting secure channel traffic: - [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) - [Domain member: Digitally encrypt secure channel data (when possible)](domain-member-digitally-encrypt-secure-channel-data-when-possible.md) - Domain member: Digitally sign secure channel data (when possible) -Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that cannot sign or encrypt all secure channel data. +Setting [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) to **Enabled** prevents establishing a secure channel with any domain controller that can't sign or encrypt all secure channel data. -To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. +To protect authentication traffic from man-in-the-middle, replay, and other types of network attacks, Windows-based computers create a communication channel through NetLogon called secure channels. These channels authenticate computer accounts. They also authenticate user accounts when a remote user connects to a network resource and the user account exists in a trusted domain. This authentication is called pass-through authentication, and it allows a computer running the Windows operating system that has joined a domain to have access to the user account database in its domain and in any trusted domains. Enabling the [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) policy setting automatically enables the **Domain member: Digitally sign secure channel data (when possible)** policy setting. -When a device joins a domain, a machine account is created. After joining the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel is not checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel cannot be established with a domain controller that is not capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After the device is joined with the domain, it uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. This secure channel is used to perform operations such as NTLM pass through authentication and LSA SID/name Lookup. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the integrity of the channel isn't checked, and not all information is encrypted. If a system is set to always encrypt or sign secure channel data, a secure channel can't be established with a domain controller that isn't capable of signing or encrypting all secure channel traffic. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Possible values - Enabled - The domain member will request signing of all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it cannot be tampered with in transit. + The domain member will request to sign all secure channel traffic. If the domain controller supports signing of all secure channel traffic, then all secure channel traffic will be signed which ensures that it can't be tampered with in transit. - Disabled - Signing will not be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. + Signing won't be negotiated unless the policy [Domain member: Digitally encrypt or sign secure channel data (always)](domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md) is enabled. - Not defined @@ -84,11 +84,11 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy -Distribution of this policy through Group Policy does not override the Local Security Policy setting. +Distribution of this policy through Group Policy doesn't override the Local Security Policy setting. ## Security considerations @@ -96,7 +96,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel is not integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller cannot sign or encrypt any portion of the secure channel data, the computer and domain controller cannot establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. +When a device joins a domain, a machine account is created. After it joins the domain, the device uses the password for that account to create a secure channel with the domain controller for its domain every time it restarts. Requests that are sent on the secure channel are authenticated—and sensitive information such as passwords are encrypted—but the channel isn't integrity-checked, and not all information is encrypted. If a device is configured to always encrypt or sign secure channel data but the domain controller can't sign or encrypt any portion of the secure channel data, the computer and domain controller can't establish a secure channel. If the computer is configured to encrypt or sign secure channel data when possible, a secure channel can be established, but the level of encryption and signing is negotiated. ### Countermeasure @@ -108,7 +108,7 @@ Because these policies are closely related and useful depending on your environm ### Potential impact -Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they are sent to the domain controller. +Digital signing of the secure channel is a good idea because the secure channel protects domain credentials as they're sent to the domain controller. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md index 8c85b1ecee..6127a9b87f 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-disable-machine-account-password-changes.md @@ -39,12 +39,12 @@ Verify that the **Domain member: Disable machine account password changes** opti ### Best practices -1. Do not enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it is established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. -2. Do not use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices do not have to be rejoined to the domain. -3. You may want to consider using this policy setting in specific environments, such as the following: +1. Don't enable this policy setting. Machine account passwords are used to establish secure channel communications between members and domain controllers and between the domain controllers within the domain. After it's established, the secure channel transmits sensitive information that is necessary for making authentication and authorization decisions. +2. Don't use this policy setting to try to support dual-boot scenarios that use the same machine account. If you want to configure dual-boot installations that are joined to the same domain, give the two installations different computer names. This policy setting was added to the Windows operating system to help organizations that stockpile pre-built computers that are put into production months later. Those devices don't have to be rejoined to the domain. +3. You may want to consider using this policy setting in specific environments, such as the following ones: - Non-persistent Virtual Desktop Infrastructure implementations. In such implementations, each session starts from a read-only base image. - - Embedded devices that do not have write access to the OS volume. + - Embedded devices that don't have write access to the OS volume. In either case, a password change that was made during normal operations would be lost as soon as the session ends. We strongly recommend that you plan password changes for maintenance windows. Add the password changes to the updates and modifications that Windows performs during maintenance windows. To trigger a password update on a specific OS volume, run the following command: @@ -77,7 +77,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability By default, devices running Windows Server that belong to a domain automatically change their passwords for their accounts every certain number of days, typically 30. If you disable this policy setting, devices that run Windows Server retain the same passwords as their machine accounts. Devices -that cannot automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. +that can't automatically change their account password are at risk from an attacker who could determine the password for the machine's domain account. ### Countermeasure @@ -94,7 +94,7 @@ Verify that the **Domain member: Disable machine account password changes** sett ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics From 1be5f7b0e96e9d0111ed8afe7ab8ecbc41eb07a8 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 24 Jun 2022 18:11:03 +0530 Subject: [PATCH 07/77] Acrolinx Enhancement Effort --- ...er-maximum-machine-account-password-age.md | 8 ++--- ...trong-windows-2000-or-later-session-key.md | 12 +++---- ...r-accounts-to-be-trusted-for-delegation.md | 8 ++--- .../enforce-password-history.md | 14 ++++---- .../enforce-user-logon-restrictions.md | 8 ++--- .../increase-a-process-working-set.md | 4 +-- ...-information-when-the-session-is-locked.md | 36 +++++++++---------- ...ive-logon-do-not-display-last-user-name.md | 18 +++++----- ...ctive-logon-do-not-require-ctrl-alt-del.md | 20 +++++------ ...-logon-dont-display-username-at-sign-in.md | 10 +++--- ...logon-machine-account-lockout-threshold.md | 12 +++---- ...eractive-logon-machine-inactivity-limit.md | 2 +- ...age-text-for-users-attempting-to-log-on.md | 20 +++++------ ...ge-title-for-users-attempting-to-log-on.md | 14 ++++---- ...case-domain-controller-is-not-available.md | 30 ++++++++-------- ...er-authentication-to-unlock-workstation.md | 16 ++++----- .../kerberos-policy.md | 2 +- .../load-and-unload-device-drivers.md | 12 +++---- .../lock-pages-in-memory.md | 6 ++-- .../log-on-as-a-batch-job.md | 4 +-- .../manage-auditing-and-security-log.md | 9 +++-- .../maximum-lifetime-for-service-ticket.md | 14 ++++---- ...aximum-lifetime-for-user-ticket-renewal.md | 8 ++--- .../maximum-lifetime-for-user-ticket.md | 8 ++--- .../maximum-password-age.md | 10 +++--- 25 files changed, 152 insertions(+), 153 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index 7a5f2b3e94..7eb431cb17 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -43,7 +43,7 @@ For more information, see [Machine Account Password Process](https://techcommuni ### Best practices -We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. +We recommend that you set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and affect domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The extra replication churn would affect domain controllers in large organizations that have many computers or slow links between sites. ### Location @@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -76,7 +76,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -By default, the domain members submit a password change every 30 days. If you increase this interval significantly so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. +By default, the domain members submit a password change every 30 days. If you increase this interval so that the computers no longer submit a password change, an attacker has more time to undertake a brute-force attack to guess the password of one or more computer accounts. ### Countermeasure @@ -84,7 +84,7 @@ Configure the **Domain member: Maximum machine account password age** setting to ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics - [Security Options](security-options.md) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md index 24cdd01bd2..1d7f2049d2 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, and security considerations for ## Reference -The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that is not capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that cannot encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. +The **Domain member: Require strong (Windows 2000 or later) session key** policy setting determines whether a secure channel can be established with a domain controller that isn't capable of encrypting secure channel traffic with a strong, 128-bit session key. Enabling this policy setting prevents establishing a secure channel with any domain controller that can't encrypt secure channel data with a strong key. Disabling this policy setting allows 64-bit session keys. Whenever possible, you should take advantage of these stronger session keys to help protect secure channel communications from eavesdropping and session-hijacking network attacks. Eavesdropping is a form of hacking in which network data is read or altered in transit. The data can be modified to hide or change the name of the sender, or it can be redirected. @@ -35,7 +35,7 @@ Whenever possible, you should take advantage of these stronger session keys to h - Enabled - When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This means that all such domain controllers must be running at least Windows 2000 Server. + When enabled on a member workstation or server, all domain controllers in the domain that the member belongs to must be capable of encrypting secure channel data with a strong, 128-bit key. This capability means that all such domain controllers must be running at least Windows 2000 Server. - Disabled @@ -45,7 +45,7 @@ Whenever possible, you should take advantage of these stronger session keys to h ### Best practices -- It is advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. +- It's advisable to set **Domain member: Require strong (Windows 2000 or later) session key** to Enabled. Enabling this policy setting ensures that all outgoing secure channel traffic will require a strong encryption key. Disabling this policy setting requires that key strength be negotiated. Only enable this option if the domain controllers in all trusted domains support strong keys. By default, this value is disabled. ### Location @@ -73,13 +73,13 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy Misuse of this policy setting is a common error that can cause data loss or problems with data access or security. -You will you be able to join devices that do not support this policy setting to domains where the domain controllers have this policy setting enabled. +You'll you be able to join devices that don't support this policy setting to domains where the domain controllers have this policy setting enabled. ## Security considerations @@ -99,7 +99,7 @@ If you enable this policy setting, all outgoing secure channel traffic requires ### Potential impact -Devices that do not support this policy setting cannot join domains in which the domain controllers have this policy setting enabled. +Devices that don't support this policy setting can't join domains in which the domain controllers have this policy setting enabled. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md index d60d7b9568..464033d694 100644 --- a/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md +++ b/windows/security/threat-protection/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md @@ -28,7 +28,7 @@ Describes the best practices, location, values, policy management, and security ## Reference This policy setting determines which users can set the **Trusted for Delegation** setting on a user or computer object. -Security account delegation provides the ability to connect to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation. +Security account delegation enables connection to multiple servers, and each server change retains the authentication credentials of the original client. Delegation of authentication is a capability that client and server applications use when they have multiple tiers. It allows a public-facing service to use client credentials to authenticate to an application or database service. For this configuration to be possible, the client and the server must run under accounts that are trusted for delegation. Only administrators who have the **Enable computer and user accounts to be trusted for delegation** credential can set up delegation. Domain admins and Enterprise admins have this credential. The procedure to allow a user to be trusted for delegation depends on the functionality level of the domain. @@ -43,7 +43,7 @@ Constant: SeEnableDelegationPrivilege ### Best practices -- There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone devices. +- There's no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It's only relevant on domain controllers and stand-alone devices. ### Location @@ -68,7 +68,7 @@ This section describes features, tools and guidance to help you manage this poli Modifying this setting might affect compatibility with clients, services, and applications. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -99,7 +99,7 @@ after a security incident. ### Countermeasure -The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there is a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. +The **Enable computer and user accounts to be trusted for delegation** user right should be assigned only if there's a clear need for its functionality. When you assign this right, you should investigate the use of constrained delegation to control what the delegated accounts can do. On domain controllers, this right is assigned to the Administrators group by default. >**Note:**  There is no reason to assign this user right to anyone on member servers and workstations that belong to a domain because it has no meaning in those contexts. It is only relevant on domain controllers and stand-alone computers. diff --git a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md index e32f558d6c..97d3791815 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-password-history.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-password-history.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security The **Enforce password history** policy setting determines the number of unique new passwords that must be associated with a user account before an old password can be reused. Password reuse is an important concern in any organization. Many users want to reuse the same password for their account over a long period of time. The longer the same password is used for a particular account, the greater the chance that an attacker will be able to determine the password through brute force attacks. If users are required to change their password, but they can reuse an old password, the effectiveness of a good password policy is greatly reduced. -Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you do not also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password. +Specifying a low number for **Enforce password history** allows users to continually use the same small number of passwords repeatedly. If you don't also set [Minimum password age](minimum-password-age.md), users can change their password as many times in a row as necessary to reuse their original password. ### Possible values @@ -39,9 +39,9 @@ Specifying a low number for **Enforce password history** allows users to continu ### Best practices -- Set **Enforce password history** to 24. This will help mitigate vulnerabilities that are caused by password reuse. +- Set **Enforce password history** to 24. This setting will help mitigate vulnerabilities that are caused by password reuse. - Set [Maximum password age](maximum-password-age.md) to expire passwords between 60 and 90 days. Try to expire the passwords between major business cycles to prevent work loss. -- Configure [Minimum password age](minimum-password-age.md) so that you do not allow passwords to be changed immediately. +- Configure [Minimum password age](minimum-password-age.md) so that you don't allow passwords to be changed immediately. ### Location @@ -66,7 +66,7 @@ This section describes features, tools, and guidance to help you manage this pol ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -74,9 +74,9 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced. +The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse isn't prevented, or if users continually reuse a few passwords, the effectiveness of a good password policy is greatly reduced. -If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you do not also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. +If you specify a low number for this policy setting, users can use the same small number of passwords repeatedly. If you don't also configure the [Minimum password age](minimum-password-age.md) policy setting, users might repeatedly change their passwords until they can reuse their original password. >**Note:**  After an account has been compromised, a simple password reset might not be enough to restrict a malicious user because the malicious user might have modified the user's environment so that the password is changed back to a known value automatically at a certain time. If an account has been compromised, it is best to delete the account and assign the user a new account after all affected systems have been restored to normal operations and verified that they are no longer compromised. @@ -88,7 +88,7 @@ For this policy setting to be effective, you should also configure effective val ### Potential impact -The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but this makes them easier for an attacker to guess. Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently. +The major impact of configuring the **Enforce password history** setting to 24 is that users must create a new password every time they're required to change their old one. If users are required to change their passwords to new unique values, there's an increased risk of users who write their passwords somewhere so that they don't forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization, but these passwords make it easier for an attacker to guess. Also, an excessively low value for the [Maximum password age](maximum-password-age.md) policy setting is likely to increase administrative overhead because users who forget their passwords might ask the Help Desk to reset them frequently. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md index c1b6e0c09e..5198399434 100644 --- a/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md +++ b/windows/security/threat-protection/security-policy-settings/enforce-user-logon-restrictions.md @@ -37,9 +37,9 @@ The possible values for this Group Policy setting are: ### Best practices -- If this policy setting is disabled, users might be granted session tickets for services that they do not have the right to use. +- If this policy setting is disabled, users might be granted session tickets for services that they don't have the right to use. - We recommend to set **Enforce user logon restrictions** to Enabled. + We recommend setting **Enforce user logon restrictions** to Enabled. ### Location @@ -62,7 +62,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. ### Group Policy @@ -91,7 +91,7 @@ Enable the **Enforce user logon restrictions** setting. ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md index f6eda6e23e..c9c6d11852 100644 --- a/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md +++ b/windows/security/threat-protection/security-policy-settings/increase-a-process-working-set.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they are available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. +This policy setting determines which users can increase or decrease the size of the working set of a process. The working set of a process is the set of memory pages currently visible to the process in physical RAM. These pages are resident, and they're available for an application to use without triggering a page fault. The minimum and maximum working set sizes affect the virtual memory paging behavior of a process. Constant: SeIncreaseWorkingSetPrivilege @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md index 7c5ca6c4a7..a54c5e93d9 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md @@ -44,9 +44,9 @@ This setting has these possible values: - **User display name, domain and user names** - For a local logon, the user's full name is displayed. + For a local sign in, the user's full name is displayed. If the user signed in using a Microsoft account, the user's email address is displayed. - For a domain logon, the domain\username is displayed. + For a domain sign in, the domain\username is displayed. This setting has the same effect as turning on the **Privacy** setting. - **User display name only** @@ -57,30 +57,30 @@ This setting has these possible values: - **Do not display user information** No names are displayed. - Beginning with Windows 10 version 1607, this option is not supported. + Beginning with Windows 10 version 1607, this option isn't supported. If this option is chosen, the full name of the user who locked the session is displayed instead. This change makes this setting consistent with the functionality of the new **Privacy** setting. To display no user information, enable the Group Policy setting **Interactive logon: Don't display last signed-in**. - **Domain and user names only** - For a domain logon only, the domain\username is displayed. + For a domain sign in only, the domain\username is displayed. The **Privacy** setting is automatically on and grayed out. - **Blank** Default setting. This setting translates to “Not defined,” but it will display the user's full name in the same manner as the option **User display name only**. - When an option is set, you cannot reset this policy to blank, or not defined. + When an option is set, you can't reset this policy to blank, or not defined. ### Hotfix for Windows 10 version 1607 -Clients that run Windows 10 version 1607 will not show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. +Clients that run Windows 10 version 1607 won't show details on the sign-in screen even if the **User display name, domain and user names** option is chosen because the **Privacy** setting is off. If the **Privacy** setting is turned on, details will show. -The **Privacy** setting cannot be changed for clients in bulk. +The **Privacy** setting can't be changed for clients in bulk. Instead, apply [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) to clients that run Windows 10 version 1607 so they behave similarly to previous versions of Windows. -Clients that run later versions of Windows 10 do not require a hotfix. +Clients that run later versions of Windows 10 don't require a hotfix. There are related Group Policy settings: @@ -93,19 +93,19 @@ There are related Group Policy settings: For all versions of Windows 10, only the user display name is shown by default. If **Block user from showing account details on sign-in** is enabled, then only the user display name is shown regardless of any other Group Policy settings. -Users will not be able to show details. +Users won't be able to show details. -If **Block user from showing account details on sign-in** is not enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show additional details such as domain\username. +If **Block user from showing account details on sign-in** isn't enabled, then you can set **Interactive logon: Display user information when the session is locked** to **User display name, domain and user names** or **Domain and user names only** to show other details such as domain\username. In this case, clients that run Windows 10 version 1607 need [KB 4013429](https://www.catalog.update.microsoft.com/Search.aspx?q=KB4013429) applied. -Users will not be able to hide additional details. +Users won't be able to hide other details. -If **Block user from showing account details on sign-in** is not enabled and **Don’t display last signed-in** is enabled, the username will not be shown. +If **Block user from showing account details on sign-in** isn't enabled and **Don’t display last signed-in** is enabled, the username won't be shown. ### Best practices -Your implementation of this policy depends on your security requirements for displayed logon information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. +Your implementation of this policy depends on your security requirements for displayed sign-in information. If you run computers that store sensitive data, with monitors displayed in unsecured locations, or if you have computers with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. -Depending on your security policy, you might also want to enable the [Interactive logon: Do not display last user name](interactive-logon-do-not-display-last-user-name.md) policy. +Depending on your security policy, you might also want to enable the [Interactive logon: Don't display last user name](interactive-logon-do-not-display-last-user-name.md) policy. ### Location @@ -128,7 +128,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -136,7 +136,7 @@ None ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -148,9 +148,9 @@ When a computer displays the Secure Desktop in an unsecured area, certain user i ### Countermeasure -Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the logon tiles are displayed for each logged on user. +Enabling this policy setting allows the operating system to hide certain user information from being displayed on the Secure Desktop (after the device has been booted or when the session has been locked by using CTRL+ALT+DEL). However, user information is displayed if the **Switch user** feature is used so that the sign-in tiles are displayed for each signed-in user. -You might also want to enable the [Interactive logon: Do not display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the logon name and logon tile of the last user to log on. +You might also want to enable the [Interactive logon: Don't display last signed-in](interactive-logon-do-not-display-last-user-name.md) policy, which will prevent the Windows operating system from displaying the sign-in name and sign-in tile of the last user to sign in. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md index 9994a60f7e..47bac4e4cc 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-display-last-user-name.md @@ -1,6 +1,6 @@ --- title: Interactive logon Don't display last signed-in (Windows 10) -description: Describes the best practices, location, values, and security considerations for the Interactive logon Do not display last user name security policy setting. +description: Describes the best practices, location, values, and security considerations for the Interactive logon Don't display last user name security policy setting. ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library @@ -26,11 +26,11 @@ Describes the best practices, location, values, and security considerations for ## Reference -This security policy setting determines whether the name of the last user to log on to the device is displayed on the Secure Desktop. +This security policy setting determines whether the name of the last user to sign in to the device is displayed on the Secure Desktop. -If this policy is enabled, the full name of the last user to successfully log on is not displayed on the Secure Desktop, nor is the user’s logon tile displayed. Additionally, if the **Switch user** feature is used, the full name and logon tile are not displayed. The logon screen requests a qualified domain account name (or local user name) and password. +If this policy is enabled, the full name of the last user to successfully sign in isn't displayed on the Secure Desktop, nor is the user’s sign-in tile displayed. Additionally, if the **Switch user** feature is used, the full name and sign-in tile aren't displayed. The sign-in screen requests a qualified domain account name (or local user name) and password. -If this policy is disabled, the full name of the last user to log on is displayed, and the user’s logon tile is displayed. This behavior is the same when the **Switch user** feature is used. +If this policy is disabled, the full name of the last user to sign in is displayed, and the user’s sign-in tile is displayed. This behavior is the same when the **Switch user** feature is used. ### Possible values @@ -40,7 +40,7 @@ If this policy is disabled, the full name of the last user to log on is displaye ### Best practices -Your implementation of this policy depends on your security requirements for displayed logon information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. +Your implementation of this policy depends on your security requirements for displayed sign-in information. If you have devices that store sensitive data, with monitors displayed in unsecured locations, or if you have devices with sensitive data that are remotely accessed, revealing logged on user’s full names or domain account names might contradict your overall security policy. ### Location @@ -63,7 +63,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -71,7 +71,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -79,7 +79,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. +An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to sign in. ### Countermeasure @@ -87,7 +87,7 @@ Enable the **Interactive logon: Do not display last user name** setting. ### Potential impact -Users must always type their user names and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. +Users must always type their user names and passwords when they sign in locally or to the domain. The sign-in tiles of all logged on users aren't displayed. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md index 4131998946..3594cd303d 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md @@ -26,15 +26,15 @@ Describes the best practices, location, values, and security considerations for ## Reference -This security setting determines whether pressing CTRL+ALT+DEL is required before a user can log on. +This security setting determines whether pressing CTRL+ALT+DEL is required before a user can sign in. -If this policy setting is enabled on a device, a user is not required to press CTRL+ALT+DEL to log on. +If this policy setting is enabled on a device, a user isn't required to press CTRL+ALT+DEL to sign in. -If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they are using a smart card for logon). +If this policy is disabled, any user is required to press CTRL+ALT+DEL before logging on to the Windows operating system (unless they're using a smart card for signing in). -Microsoft developed this feature to make it easier for users with certain types of physical impairments to log on to device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users log on ensures that users are communicating by means of a trusted path when entering their passwords. +Microsoft developed this feature to make it easier for users with certain types of physical impairments to sign in to a device running the Windows operating system; however, not having to press the CTRL+ALT+DELETE key combination leaves users susceptible to attacks that attempt to intercept their passwords. Requiring CTRL+ALT+DELETE before users sign in ensures that users are communicating through a trusted path when entering their passwords. -A malicious user might install malware that looks like the standard logon dialog box for the Windows operating system, and capture a user's password. The attacker can then log on to the compromised account with whatever level of user rights that user has. +A malicious user might install malware that looks like the standard sign-in dialog box for the Windows operating system, and capture a user's password. The attacker can then sign in to the compromised account with whatever level of user rights that user has. ### Possible values @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -77,7 +77,7 @@ Beginning with Windows Server 2008 and Windows Vista, the CTRL+ALT+DELETE key ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -85,9 +85,9 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -This setting makes it easier for users with certain types of physical impairments to log on to devices that run the Windows operating system. However, if users are not required to press CTRL+ALT+DEL, they are susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before logon, user passwords are communicated by means of a trusted path. +This setting makes it easier for users with certain types of physical impairments to sign in to devices that run the Windows operating system. However, if users aren't required to press CTRL+ALT+DEL, they're susceptible to attacks that attempt to intercept their passwords. If CTRL+ALT+DEL is required before signing in, user passwords are communicated through a trusted path. -If this setting is enabled, an attacker could install malware that looks like the standard logon dialog box in the Windows operating system, and capture the user's password. The attacker would then be able to log on to the compromised account with whatever level of privilege that user has. +If this setting is enabled, an attacker could install malware that looks like the standard sign-in dialog box in the Windows operating system, and capture the user's password. The attacker would then be able to sign in to the compromised account with whatever level of privilege that user has. ### Countermeasure @@ -95,7 +95,7 @@ Disable the **Interactive logon: Do not require CTRL+ALT+DEL** setting. ### Potential impact -Unless they use a smart card to log on, users must simultaneously press the three keys before the logon dialog box is displayed. +Unless they use a smart card to sign in, users must simultaneously press the three keys before the sign-in dialog box is displayed. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md index e0431252ef..2fd2510de4 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md @@ -29,7 +29,7 @@ Describes the best practices, location, values, and security considerations for A new policy setting has been introduced in Windows 10 starting with Windows 10 version 1703. This security policy setting determines whether the username is displayed during sign in. This setting only affects the **Other user** tile. -If the policy is enabled and a user signs in as **Other user**, the full name of the user is not displayed during sign-in. In the same context, if users type their email address and password at the sign in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name is not shown until the Start screen displays. +If the policy is enabled and a user signs in as **Other user**, the full name of the user isn't displayed during sign-in. In the same context, if users type their email address and password at the sign-in screen and press **Enter**, the displayed text “Other user” remains unchanged, and is no longer replaced by the user’s first and last name, as in previous versions of Windows 10. Additionally,if users enter their domain user name and password and click **Submit**, their full name isn't shown until the Start screen displays. If the policy is disabled and a user signs in as **Other user**, the “Other user” text is replaced by the user’s first and last name during sign-in. @@ -64,7 +64,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -72,7 +72,7 @@ None. ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -80,7 +80,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to log on. +An attacker with access to the console (for example, someone with physical access or someone who can connect to the device through Remote Desktop Session Host) could view the name of the last user who logged on. The attacker could then try to guess the password, use a dictionary, or use a brute-force attack to try to sign in. ### Countermeasure @@ -88,7 +88,7 @@ Enable the **Interactive logon: Don't display user name at sign-in** setting. ### Potential impact -Users must always type their usernames and passwords when they log on locally or to the domain. The logon tiles of all logged on users are not displayed. +Users must always type their usernames and passwords when they log on locally or to the domain. The sign in tiles of all logged on users aren't displayed. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md index e9a1fea0ae..148956b0f3 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-account-lockout-threshold.md @@ -29,9 +29,9 @@ Describes the best practices, location, values, management, and security conside Beginning with Windows Server 2012 and Windows 8, the **Interactive logon: Machine account threshold** security policy setting enforces the lockout policy on those computers that have BitLocker enabled to protect operating system volumes. -The security setting allows you to set a threshold for the number of failed logon attempts that causes the device to be locked by using BitLocker. This means, if the specified maximum number of failed logon attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access. +The security setting allows you to set a threshold for the number of failed sign-in attempts that causes the device to be locked by using BitLocker. This threshold means, if the specified maximum number of failed sign-in attempts is exceeded, the device will invalidate the Trusted Platform Module (TPM) protector and any other protector except the 48-digit recovery password, and then reboot. During Device Lockout mode, the computer or device only boots into the touch-enabled Windows Recovery Environment (WinRE) until an authorized user enters the recovery password to restore full access. -Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed logon attempts. +Failed password attempts on workstations or member servers that have been locked by using either Ctrl+Alt+Delete or password-protected screen savers count as failed sign-in attempts. ### Possible values @@ -39,7 +39,7 @@ You can set the **invalid logon attempts** value between 1 and 999. Values from ### Best practices -Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. +Use this policy setting in conjunction with your other failed account sign-in attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. ### Location @@ -64,13 +64,13 @@ This section describes features and tools that are available to help you manage ### Restart requirement -A restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. +A restart is required for changes to this policy to become effective when they're saved locally or distributed through Group Policy. ### Group Policy Because this policy setting was introduced in Windows Server 2012 and Windows 8, it can only be set locally on those devices that contain this policy setting, but it can be set and distributed through Group Policy to any computer running the Windows operating system that supports Group Policy and is BitLocker-enabled. -When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed logon attempts that will cause a user account to be locked out. +When setting this policy, consider the [Account lockout threshold](account-lockout-threshold.md) policy setting, which determines the number of failed sign-in attempts that will cause a user account to be locked out. ## Security considerations @@ -82,7 +82,7 @@ This policy setting helps protect a BitLocker-encrypted device from attackers at ### Countermeasure -Use this policy setting in conjunction with your other failed account logon attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. +Use this policy setting in conjunction with your other failed account sign-in attempts policy. For example, if the [Account lockout threshold](account-lockout-threshold.md) policy setting is set at 4, then setting **Interactive logon: Machine account lockout threshold** at 6 allows the user to restore access to resources without having to restore access to the device resulting from a BitLocker lock out. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md index 737bfddba3..01524c765c 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-machine-inactivity-limit.md @@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -Restart is required for changes to this policy to become effective when they are saved locally or distributed through Group Policy. +Restart is required for changes to this policy to become effective when they're saved locally or distributed through Group Policy. ### Group Policy diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index ec72b350f1..55437fb4e1 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -30,13 +30,13 @@ Describes the best practices, location, values, management, and security conside The **Interactive logon: Message text for users attempting to log on** and [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) policy settings are closely related. -**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they log on. +**Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in. -**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons — for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. +**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. -When these policy settings are configured, users will see a dialog box before they can log on to the server console. +When these policy settings are configured, users will see a dialog box before they can sign in to the server console. ### Possible values @@ -47,10 +47,10 @@ The possible values for this setting are: ### Best practices -- It is advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: +- It's advisable to set **Interactive logon: Message text for users attempting to log on** to a value similar to one of the following: 1. IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION. - 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you are unauthorized, terminate access now. Click OK to indicate your acceptance of this information. + 2. This system is restricted to authorized users. Individuals who attempt unauthorized access will be prosecuted. If you're unauthorized, terminate access now. Click OK to indicate your acceptance of this information. > [!IMPORTANT] > Any warning that you display in the title or text should be approved by representatives from your organization's legal and human resources departments. @@ -77,22 +77,22 @@ This section describes different requirements to help you manage this policy. ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -There are two policy settings that relate to logon displays: +There are two policy settings that relate to sign-in displays: - **Interactive logon: Message text for users attempting to log on** - [Interactive logon: Message title for users attempting to log on](interactive-logon-message-title-for-users-attempting-to-log-on.md) -The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. +The first policy setting specifies a text message that displays to users when they sign in, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. ### Vulnerability -Users often do not understand the importance of security practices. However, the display of a warning message before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. +Users often don't understand the importance of security practices. However, the display of a warning message before signing in may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the sign-in process. ### Countermeasure @@ -100,7 +100,7 @@ Configure the **Interactive logon: Message text for users attempting to log on** ### Potential impact -Users see a message in a dialog box before they can log on to the server console. +Users see a message in a dialog box before they can sign in to the server console. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index e5f5ce5eb8..ee32c91b18 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -33,7 +33,7 @@ The **Interactive logon: Message title for users attempting to log on** and [Int Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. -When these policy settings are configured, users will see a dialog box before they can log on to the server console. +When these policy settings are configured, users will see a dialog box before they can sign in the server console. ### Possible values @@ -42,7 +42,7 @@ When these policy settings are configured, users will see a dialog box before th ### Best practices -1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: +1. It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following values: - RESTRICTED SYSTEM @@ -75,22 +75,22 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation. -There are two policy settings that relate to logon displays: +There are two policy settings that relate to sign-in displays: - [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) - **Interactive logon: Message title for users attempting to log on** -The first policy setting specifies a text message that displays to users when they log on, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. +The first policy setting specifies a text message that displays to users when they sign in, and the second policy setting specifies a title for the title bar of the text message window. Many organizations use this text for legal purposes; for example, to warn users about the ramifications of misuse of company information, or to warn them that their actions may be audited. ### Vulnerability -Users often do not understand the importance of security practices. However, the display of a warning message with an appropriate title before logon may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the logon process. +Users often don't understand the importance of security practices. However, the display of a warning message with an appropriate title before signing in may help prevent an attack by warning malicious or uninformed users about the consequences of their misconduct before it happens. It may also help reinforce corporate policies by notifying employees of appropriate policies during the sign-in process. ### Countermeasure @@ -100,7 +100,7 @@ Configure the [Interactive logon: Message text for users attempting to log on](i ### Potential impact -Users see a message in a dialog box before they can log on to the server console. +Users see a message in a dialog box before they can sign in to the server console. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md index 90773e0b18..966a3f3c4e 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md @@ -27,19 +27,19 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can log on to a Windows domain by using cached account information. Logon information for domain accounts can be cached locally so that, if a domain controller cannot be contacted on subsequent logons, a user can still log on. This policy setting determines the number of unique users whose logon information is cached locally. +The **Interactive logon: Number of previous logons to cache (in case domain controller is not available**) policy setting determines whether a user can sign in to a Windows domain by using cached account information. Sign-in information for domain accounts can be cached locally so that, if a domain controller can't be contacted on subsequent logons, a user can still sign in. This policy setting determines the number of unique users whose sign-in information is cached locally. -If a domain controller is unavailable and a user's logon information is cached, the user is prompted with the following message: +If a domain controller is unavailable and a user's sign-in information is cached, the user is prompted with the following message: -A domain controller for your domain could not be contacted. You have been logged on using cached account information. Changes to your profile since you last logged on might not be available. +A domain controller for your domain couldn't be contacted. You've been logged on using cached account information. Changes to your profile since you last logged on might not be available. -If a domain controller is unavailable and a user's logon information is not cached, the user is prompted with this message: +If a domain controller is unavailable and a user's sign-in information isn't cached, the user is prompted with this message: -The system cannot log you on now because the domain *DOMAIN NAME* is not available. +The system can't log you on now because the domain *DOMAIN NAME* isn't available. -The value of this policy setting indicates the number of users whose logon information the server caches locally. If the value is 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session. +The value of this policy setting indicates the number of users whose sign-in information the server caches locally. If the value is 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session. -Users who access the server console will have their logon credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by +Users who access the server console will have their sign-in credentials cached on that server. A malicious user who is able to access the file system of the server can locate this cached information and use a brute-force attack to determine user passwords. Windows mitigates this type of attack by encrypting the information and keeping the cached credentials in the system's registries, which are spread across numerous physical locations. > [!NOTE] @@ -52,7 +52,7 @@ encrypting the information and keeping the cached credentials in the system's re ### Best practices -The [Windows security baselines](../windows-security-baselines.md) do not recommend configuring this setting. +The [Windows security baselines](../windows-security-baselines.md) don't recommend configuring this setting. ### Location @@ -77,7 +77,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -85,7 +85,7 @@ None ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -93,20 +93,20 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -The number that is assigned to this policy setting indicates the number of users whose logon information is cache locally by the servers. If the number is set to 10, the server caches logon information for 10 users. When an 11th user logs on to the device, the server overwrites the oldest cached logon session. +The number that is assigned to this policy setting indicates the number of users whose sign-in information is cached locally by the servers. If the number is set to 10, the server caches sign-in information for 10 users. When an 11th user signs in to the device, the server overwrites the oldest cached sign-in session. -Users who access the server console have their logon credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. +Users who access the server console have their sign-in credentials cached on that server. An attacker who is able to access the file system of the server could locate this cached information and use a brute force attack to attempt to determine user passwords. To mitigate this type of attack, Windows encrypts the information and obscures its physical location. ### Countermeasure -Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of logon information. Additional countermeasures include enforcement of strong password policies and physically secure locations for the computers. +Configure the **Interactive logon: Number of previous logons to cache (in case domain controller is not available)** setting to 0, which disables the local caching of sign-in information. Other countermeasures include enforcement of strong password policies and physically secure locations for the computers. ### Potential impact -Users cannot log on to any devices if there is no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's logon information is still in the cache, even if a -member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to log on to their computers when they are not connected to the organization's network. +Users can't sign in to any devices if there's no domain controller available to authenticate them. Organizations can configure this value to 2 for end-user computers, especially for mobile users. A configuration value of 2 means that the user's sign-in information is still in the cache, even if a +member of the IT department has recently logged on to the device to perform system maintenance. This method allows users to sign in to their computers when they aren't connected to the organization's network. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md index 88948dcc4f..be5146c636 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md @@ -27,13 +27,13 @@ Describes the best practices, location, values, policy management, and security ## Reference -Unlocking a locked device requires logon information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it is necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the logon information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system. +Unlocking a locked device requires sign-in information. For domain accounts, the **Interactive logon: Require Domain Controller authentication to unlock workstation** policy setting determines whether it's necessary to contact a domain controller to unlock a device. Enabling this policy setting requires a domain controller to authenticate the domain account that is being used to unlock the device. Disabling this policy setting allows a user to unlock the device without the computer verifying the sign-in information with a domain controller. However, if [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) is set to a value greater than zero, the user's cached credentials will be used to unlock the system. The device caches (locally in memory) the credentials of any users who have been authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. -When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) are not considered or applied after this authentication process. This means not only that user rights are not updated, but more importantly that disabled accounts are still able to unlock the console of the system. +When cached credentials are used, any changes that have recently been made to the account (such as user rights assignments, account lockout, or the account being disabled) aren't considered or applied after this authentication process. This result means not only that user rights aren't updated, but more importantly that disabled accounts are still able to unlock the console of the system. -It is advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. +It's advisable to set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to reauthenticate to the domain controller. If no domain controller is available, users can't unlock their devices. ### Possible values @@ -43,7 +43,7 @@ It is advisable to set **Interactive logon: Require Domain Controller authentica ### Best practices -- Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their devices. +- Set **Interactive logon: Require Domain Controller authentication to unlock workstation** to Enabled and set [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) to 0. When the console of a device is locked by a user or automatically by a screen saver time-out, the console can only be unlocked if the user is able to reauthenticate to the domain controller. If no domain controller is available, users can't unlock their devices. ### Location @@ -68,7 +68,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Policy conflict considerations @@ -76,7 +76,7 @@ None ### Group Policy -This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy is not contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. +This policy setting can be configured by using the Group Policy Management Console (GPMC) to be distributed through Group Policy Objects (GPOs). If this policy isn't contained in a distributed GPO, this policy can be configured on the local computer by using the Local Security Policy snap-in. ## Security considerations @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—are not considered or applied after the account is authenticated. User privileges are not updated, and disabled accounts are still able to unlock the console of the device +By default, the device caches locally in memory the credentials of any users who are authenticated. The device uses these cached credentials to authenticate anyone who attempts to unlock the console. When cached credentials are used, any changes that have recently been made to the account—such as user rights assignments, account lockout, or the account being disabled—aren't considered or applied after the account is authenticated. User privileges aren't updated, and disabled accounts are still able to unlock the console of the device ### Countermeasure @@ -92,7 +92,7 @@ Configure the **Interactive logon: Require Domain Controller authentication to u ### Potential impact -When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can re-authenticate to the domain controller. If no domain controller is available, users cannot unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) cannot log on. +When the console on a device is locked by a user or automatically by a screen-saver timeout, the console can be unlocked only if the user can reauthenticate to the domain controller. If no domain controller is available, users can't unlock their workstations. If you configure the [Interactive logon: Number of previous logons to cache (in case domain controller is not available)](interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md) setting to 0, users whose domain controllers are unavailable (such as mobile or remote users) can't sign in. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md index 50e612ee9a..959ced7fdc 100644 --- a/windows/security/threat-protection/security-policy-settings/kerberos-policy.md +++ b/windows/security/threat-protection/security-policy-settings/kerberos-policy.md @@ -25,7 +25,7 @@ ms.technology: windows-sec Describes the Kerberos Policy settings and provides links to policy setting descriptions. -The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this also increases the authorization overhead. In most environments, these settings should not need to be changed. +The Kerberos version 5 authentication protocol provides the default mechanism for authentication services and the authorization data necessary for a user to access a resource and perform a task on that resource. By reducing the lifetime of Kerberos tickets, you reduce the risk of a legitimate user's credentials being stolen and successfully used by an attacker. However, this ticket lifetime reduction also increases the authorization overhead. In most environments, these settings shouldn't need to be changed. These policy settings are located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Account Policies\\Kerberos Policy**. diff --git a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md index a0534994d0..9a7f5f87d4 100644 --- a/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md +++ b/windows/security/threat-protection/security-policy-settings/load-and-unload-device-drivers.md @@ -27,10 +27,10 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can dynamically load and unload device drivers. This user right is not required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code. +This policy setting determines which users can dynamically load and unload device drivers. This user right isn't required if a signed driver for the new hardware already exists in the driver.cab file on the device. Device drivers run as highly privileged code. Windows supports the Plug and Play specifications that define how a computer can detect and configure newly added hardware, and then automatically install the device driver. Prior to Plug and Play, users needed to manually configure devices before attaching them to the device. This model allows a user to plug in the hardware, then Windows searches for an appropriate device driver package and automatically configures it to work without interfering with other devices. -Because device driver software runs as if it is a part of the operating system with unrestricted access to the entire computer, it is critical that only known and authorized device drivers be permitted. +Because device driver software runs as if it's a part of the operating system with unrestricted access to the entire computer, it's critical that only known and authorized device drivers be permitted. Constant: SeLoadDriverPrivilege @@ -42,7 +42,7 @@ Constant: SeLoadDriverPrivilege ### Best practices -- Because of the potential security risk, do not assign this user right to any user, group, or process that you do not want to take over the system. +- Because of the potential security risk, don't assign this user right to any user, group, or process that you don't want to take over the system. ### Location @@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -94,11 +94,11 @@ Device drivers run as highly privileged code. A user who has the **Load and unlo ### Countermeasure -Do not assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, do not assign this user right to any user or group other than Domain Admins. +Don't assign the **Load and unload device drivers** user right to any user or group other than Administrators on member servers. On domain controllers, don't assign this user right to any user or group other than Domain Admins. ### Potential impact -If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks are not negatively affected. +If you remove the **Load and unload device drivers** user right from the Print Operators group or other accounts, you could limit the abilities of users who are assigned to specific administrative roles in your environment. You should ensure that delegated tasks aren't negatively affected. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md index 17b2d7d0e6..5aae309524 100644 --- a/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md +++ b/windows/security/threat-protection/security-policy-settings/lock-pages-in-memory.md @@ -31,7 +31,7 @@ This policy setting determines which accounts can use a process to keep data in Normally, an application running on Windows can negotiate for more physical memory, and in response to the request, the application begins to move the data from RAM (such as the data cache) to a disk. When the pageable memory is moved to a disk, more RAM is free for the operating system to use. -Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This could lead to performance degradation. +Enabling this policy setting for a specific account (a user account or a process account for an application) prevents paging of the data. Thereby, the amount of memory that Windows can reclaim under pressure is limited. This limitation could lead to performance degradation. >**Note:**  By configuring this policy setting, the performance of the Windows operating system will differ depending on if applications are running on 32-bit or 64-bit systems, and if they are virtualized images. Performance will also differ between earlier and later versions of the Windows operating system. @@ -67,7 +67,7 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. @@ -92,7 +92,7 @@ Users with the **Lock pages in memory** user right could assign physical memory ### Countermeasure -Do not assign the **Lock pages in memory** user right to any accounts. +Don't assign the **Lock pages in memory** user right to any accounts. ### Potential impact diff --git a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md index 4fb931974f..126438d791 100644 --- a/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md +++ b/windows/security/threat-protection/security-policy-settings/log-on-as-a-batch-job.md @@ -27,7 +27,7 @@ This article describes the recommended practices, location, values, policy manag ## Reference -This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context. +This policy setting determines which accounts can sign in by using a batch-queue tool such as the Task Scheduler service. When you use the Add Scheduled Task Wizard to schedule a task to run under a particular user name and password, that user is automatically assigned the **Log on as a batch job** user right. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context. Constant: SeBatchLogonRight @@ -95,7 +95,7 @@ For IIS servers, configure this policy locally instead of through domain–based ### Potential impact -If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer can't assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to additional accounts that those components require. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right isn't assigned to this group and these accounts, IIS can't run some COM objects that are necessary for proper functionality. +If you configure the **Log on as a batch job** setting by using domain-based Group Policy settings, the computer can't assign the user right to accounts that are used for scheduled jobs in the Task Scheduler. If you install optional components such as ASP.NET or IIS, you might need to assign this user right to other accounts that those components require. For example, IIS requires assignment of this user right to the IIS\_WPG group and the IUSR\_*<ComputerName>*, ASPNET, and IWAM\_*<ComputerName>* accounts. If this user right isn't assigned to this group and these accounts, IIS can't run some COM objects that are necessary for proper functionality. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md index 5da39ee708..4566dfbf15 100644 --- a/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md +++ b/windows/security/threat-protection/security-policy-settings/manage-auditing-and-security-log.md @@ -27,8 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the -Security log in Event Viewer. For more info about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md). +This policy setting determines which users can specify object access audit options for individual resources such as files, Active Directory objects, and registry keys. These objects specify their system access control lists (SACL). A user who is assigned this user right can also view and clear the Security log in Event Viewer. For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md). Constant: SeSecurityPrivilege @@ -40,7 +39,7 @@ Constant: SeSecurityPrivilege ### Best practices 1. Before removing this right from a group, investigate whether applications are dependent on this right. -2. Generally, assigning this user right to groups other than Administrators is not necessary. +2. Generally, assigning this user right to groups other than Administrators isn't necessary. ### Location @@ -65,11 +64,11 @@ The following table lists the actual and effective default policy values for the This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. Any change to the user rights assignment for an account becomes effective the next time the owner of the account logs on. -Audits for object access are not performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool. +Audits for object access aren't performed unless you enable them by using the Local Group Policy Editor, the Group Policy Management Console (GPMC), or the Auditpol command-line tool. For more information about the Object Access audit policy, see [Audit object access](../auditing/basic-audit-object-access.md). diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md index e3ed6c49c4..3dbb0c258d 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-service-ticket.md @@ -31,16 +31,16 @@ The **Maximum lifetime for service ticket** policy setting determines the maximu The possible values for this Group Policy setting are: -- A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets do not expire). +- A user-defined number of minutes from 10 through 99,999, or 0 (in which case service tickets don't expire). - Not defined. -If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations are not interrupted if the session ticket that authenticated the connection expires during the connection. +If a client presents an expired session ticket when it requests a connection to a server, the server returns an error message. The client must request a new session ticket from the Kerberos V5 KDC. After a connection is authenticated, however, it no longer matters whether the session ticket remains valid. Session tickets are used only to authenticate new connections with servers. Ongoing operations aren't interrupted if the session ticket that authenticated the connection expires during the connection. -If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours. In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire. +If the value for this policy setting is too high, users might be able to access network resources outside of their sign-in hours. In addition, users whose accounts have been disabled might be able to continue accessing network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, service tickets never expire. ### Best practices -- It is advisable to set **Maximum lifetime for service ticket** to **600** minutes. +- It's advisable to set **Maximum lifetime for service ticket** to **600** minutes. ### Location @@ -63,7 +63,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. This policy setting is configured on the domain controller. @@ -86,7 +86,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled. +If you configure the value for the **Maximum lifetime for service ticket** setting too high, users might be able to access network resources outside of their sign-in hours. Also, users whose accounts were disabled might continue to have access to network services with valid service tickets that were issued before their accounts were disabled. ### Countermeasure @@ -94,7 +94,7 @@ Configure the **Maximum lifetime for service ticket** setting to 600 minutes. ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md index 0b5fddd3cd..4807321a05 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md @@ -36,9 +36,9 @@ The possible values for this Group Policy setting are: ### Best practices -- If the value for this policy setting is too high, users may be able to renew very old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire. +- If the value for this policy setting is too high, users may be able to renew old user ticket-granting tickets. If the value is 0, ticket-granting tickets never expire. - It is advisable to set **Maximum lifetime for user ticket renewal** to **7** days. + It's advisable to set **Maximum lifetime for user ticket renewal** to **7** days. ### Location @@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. This policy setting is configured on the domain controller. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew very old user tickets. +If the value for the **Maximum lifetime for user ticket renewal** setting is too high, users might be able to renew old user tickets. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md index b189dda660..53e36fa838 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-lifetime-for-user-ticket.md @@ -34,7 +34,7 @@ The possible values for this Group Policy setting are: - A user-defined number of hours from 0 through 99,999 - Not defined -If the value for this policy setting is too high, users might be able to access network resources outside of their logon hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire. +If the value for this policy setting is too high, users might be able to access network resources outside of their sign-in hours, or users whose accounts have been disabled might be able to continue to access network services by using valid service tickets that were issued before their account was disabled. If the value is set to 0, ticket-granting tickets never expire. ### Best practices @@ -61,7 +61,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the computer is not required for this policy setting to be effective. +A restart of the computer isn't required for this policy setting to be effective. This policy setting is configured on the domain controller. @@ -84,7 +84,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their logon hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack. +If you configure the value for the **Maximum lifetime for user ticket** setting too high, users might be able to access network resources outside of their sign-in hours. Also, users whose accounts were disabled might continue to have access to network services with valid user tickets that were issued before their accounts were disabled. If you configure this value too low, ticket requests to the KDC may affect the performance of your KDC and present an opportunity for a DoS attack. ### Countermeasure @@ -92,7 +92,7 @@ Configure the **Maximum lifetime for user ticket** setting with a value between ### Potential impact -Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user does not have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of four hours without too much additional burden. +Reducing this setting from the default value reduces the likelihood that the ticket-granting ticket will be used to access resources that the user doesn't have rights to. However, it requires more frequent requests to the KDC for ticket-granting tickets on behalf of users. Most KDCs can support a value of 4 hours without any extra burden. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md index 546b7de4f2..e63f28edde 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-password-age.md @@ -27,7 +27,7 @@ Describes the best practices, location, values, policy management, and security ## Reference -The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. +The **Maximum password age** policy setting determines the period of time (in days) that a password can be used before the system requires the user to change it. You can set passwords to expire after a certain number of days between 1 and 999, or you can specify that passwords never expire by setting the number of days to 0. If **Maximum password age** is between 1 and 999 days, the minimum password age must be less than the maximum password age. If **Maximum password age** is set to 0, [Minimum password age](minimum-password-age.md) can be any value between 0 and 998 days. >**Note:**  Setting **Maximum password age** to -1 is equivalent to 0, which means it never expires. Setting it to any other negative number is equivalent to setting it to **Not Defined**. @@ -66,7 +66,7 @@ This section describes features, tools, and guidance to help you manage this pol ### Restart requirement -None. Changes to this policy become effective without a computer restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a computer restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -78,13 +78,13 @@ The longer a password exists, the higher the likelihood that it will be compromi ### Considerations -Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. See [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/) for further information. +Mandated password changes are a long-standing security practice, but current research strongly indicates that password expiration has a negative effect. For more information, see [Microsoft Password Guidance](https://www.microsoft.com/research/publication/password-guidance/). -Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organisations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements. +Configure the **Maximum password age** policy setting to a value that is suitable for your organization's business requirements. For example, many organizations have compliance or insurance mandates requiring a short lifespan on passwords. Where such a requirement exists, the **Maximum password age** policy setting can be used to meet business requirements. ### Potential impact -If the **Maximum password age** policy setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. +If the **Maximum password age** policy setting is too low, users are required to change their passwords often. Such a configuration can reduce security in the organization because users might keep their passwords in an unsecured location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts. ## Related topics From 895a909308a83efa90639bd1c0361dc9d8224cd4 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 28 Jun 2022 09:24:46 +0530 Subject: [PATCH 08/77] Acrolinx Enhancement Effort --- ...m-tolerance-for-computer-clock-synchronization.md | 10 +++++----- ...nencrypted-password-to-third-party-smb-servers.md | 12 ++++++------ ...f-idle-time-required-before-suspending-session.md | 6 +++--- ...r-attempt-s4u2self-to-obtain-claim-information.md | 8 ++++---- ...rk-server-digitally-sign-communications-always.md | 10 +++++----- 5 files changed, 23 insertions(+), 23 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index fe607f246f..a3684bbc31 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication. To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. -Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any time stamp that is used in a session between the two devices is considered to be authentic. +Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, anytime stamp that is used in a session between the two devices is considered to be authentic. The possible values for this Group Policy setting are: @@ -39,7 +39,7 @@ The possible values for this Group Policy setting are: ### Best practices -- It is advisable to set **Maximum tolerance for computer clock synchronization** to a value of 5 minutes. +- It's advisable to set **Maximum tolerance for computer clock synchronization** to a value of 5 minutes. ### Location @@ -62,7 +62,7 @@ The following table lists the actual and effective default policy values. Defaul This section describes features, tools, and guidance to help you manage this policy. -A restart of the device is not required for this policy setting to be effective. +A restart of the device isn't required for this policy setting to be effective. This policy setting is configured on the domain controller. @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, any time stamp that is used in a session between the two computers is considered to be authentic. +To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, anytime stamp that is used in a session between the two computers is considered to be authentic. ### Countermeasure @@ -93,7 +93,7 @@ Configure the **Maximum tolerance for computer clock synchronization** setting t ### Potential impact -None. This is the default configuration. +None. This non-impact state is the default configuration. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md index 0cc87e361e..c17a0e599f 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md @@ -28,23 +28,23 @@ Describes the best practices, location, values, policy management and security c ## Reference -The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. This policy setting allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. +The Server Message Block (SMB) protocol provides the basis for file and print sharing and many other networking operations, such as remote Windows administration. This policy setting allows or prevents the SMB redirector to send plaintext passwords to a non-Microsoft server service that doesn't support password encryption during authentication. ### Possible values - Enabled - The Server Message Block (SMB) redirector is allowed to send plaintext passwords to a non-Microsoft server service that does not support password encryption during authentication. + The Server Message Block (SMB) redirector is allowed to send plaintext passwords to a non-Microsoft server service that doesn't support password encryption during authentication. - Disabled - The Server Message Block (SMB) redirector only sends encrypted passwords to non-Microsoft SMB server services. If those server services do not support password encryption, the authentication request will fail. + The Server Message Block (SMB) redirector only sends encrypted passwords to non-Microsoft SMB server services. If those server services don't support password encryption, the authentication request will fail. - Not defined ### Best practices -- It is advisable to set **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** to Disabled. +- It's advisable to set **Microsoft network client: Send unencrypted password to connect to third-party SMB servers** to Disabled. ### Location @@ -69,7 +69,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -85,7 +85,7 @@ Disable the **Microsoft network client: Send unencrypted password to connect to ### Potential impact -Some older applications may not be able to communicate with the servers in your organization by means of the SMB protocol. +Some older applications may not be able to communicate with the servers in your organization through the SMB protocol. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md index abe6db2b33..5a14605d54 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md @@ -41,7 +41,7 @@ The **Microsoft network server: Amount of idle time required before suspending s ### Best practices -- It is advisable to set this policy to 15 minutes. There will be little impact because SMB sessions will be reestablished automatically if the client resumes activity. +- It's advisable to set this policy to 15 minutes. There will be little impact because SMB sessions will be reestablished automatically if the client resumes activity. ### Location @@ -67,7 +67,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -83,7 +83,7 @@ The default behavior on a server mitigates this threat by design. ### Potential impact -There is little impact because SMB sessions are reestablished automatically if the client computer resumes activity. +There's little impact because SMB sessions are reestablished automatically if the client computer resumes activity. ## Related topics diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md index 1ef73b3a59..f4ddaa9d5a 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md @@ -30,9 +30,9 @@ Describes the best practices, location, values, management, and security conside This security setting supports client devices running a version of Windows prior to Windows 8 that are trying to access a file share that requires user claims. This setting determines whether the local file server will attempt to use Kerberos Service-for-User-to-Self (S4U2Self) functionality to obtain a network client principal’s claims from the client’s account domain. This setting should only be enabled if the file server is using user claims to control access to files, and if the file server will support client principals whose accounts might be in a domain that has client computers and domain controllers running a version of Windows prior to Windows 8 or Windows Server 2012. -When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims are not present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied. +When enabled, this security setting causes the Windows file server to examine the access token of an authenticated network client principal and determines if claim information is present. If claims aren't present, the file server will then use the Kerberos S4U2Self feature to attempt to contact a Windows Server 2012 domain controller in the client’s account domain and obtain a claims-enabled access token for the client principal. A claims-enabled token might be needed to access files or folders that have claim-based access control policy applied. -If this setting is disabled, the Windows file server will not attempt to obtain a claim-enabled access token for the client principal. +If this setting is disabled, the Windows file server won't attempt to obtain a claim-enabled access token for the client principal. ### Possible values @@ -77,7 +77,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ### Group Policy @@ -89,7 +89,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -None. Enabling this policy setting allows you take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 +None. Enabling this policy setting allows you to take advantage of features in Windows Server 2012 and Windows 8 and later for specific scenarios to use claims-enabled tokens to access files or folders that have claim-based access control policy applied on Windows operating systems prior to Windows Server 2012 and Windows 8. ### Countermeasure diff --git a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md index afb7ddfe20..080f186f03 100644 --- a/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md +++ b/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md @@ -34,7 +34,7 @@ Implementation of digital signatures in high-security networks helps prevent the Beginning with SMBv2 clients and servers, signing can be either required or not required. If this policy setting is enabled, SMBv2 clients will digitally sign all packets. Another policy setting determines whether signing is required for SMBv3 and SMBv2 server communications: [Microsoft network client: Digitally sign communications (always)](microsoft-network-client-digitally-sign-communications-always.md). -There is a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. +There's a negotiation done between the SMB client and the SMB server to decide whether signing will effectively be used. The following table has the effective behavior for SMBv3 and SMBv2. | | Server – Required | Server – Not Required | @@ -46,7 +46,7 @@ There is a negotiation done between the SMB client and the SMB server to decide 1 Default for domain controller SMB traffic
    2 Default for all other SMB traffic -Performance of SMB signing is improved in SMBv2. For more details, see [Potential impact](#potential-impact). +Performance of SMB signing is improved in SMBv2. For more information, see [Potential impact](#potential-impact). ### Possible values @@ -80,7 +80,7 @@ This section describes features and tools that are available to help you manage ### Restart requirement -None. Changes to this policy become effective without a device restart when they are saved locally or distributed through Group Policy. +None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy. ## Security considerations @@ -90,7 +90,7 @@ This section describes how an attacker might exploit a feature or its configurat Session hijacking uses tools that allow attackers who have access to the same network as the client device or server to interrupt, end, or steal a session in progress. Attackers can potentially intercept and modify unsigned Server Message Block (SMB) packets and then modify the traffic and forward it so that the server might perform objectionable actions. Alternatively, the attacker could pose as the server or client device after legitimate authentication and gain unauthorized access to data. -SMB is the resource-sharing protocol that is supported by many Windows operating systems. It is the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. If either side fails the authentication process, data transmission does not take place. +SMB is the resource-sharing protocol that is supported by many Windows operating systems. It's the basis of many modern features like Storage Spaces Direct, Storage Replica, and SMB Direct, as well as many legacy protocols and tools. If either side fails the authentication process, data transmission doesn't take place. ### Countermeasure @@ -101,7 +101,7 @@ Enable **Microsoft network server: Digitally sign communications (always)**. ### Potential impact -Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you are using a 1 Gb Ethernet network or slower storage speed with a modern CPU, there is limited degradation in performance. If you are using a faster network (such as 10 Gb), the performance impact of signing may be greater. +Storage speeds impact performance. A faster drive on the source and destination allows more throughput, which causes more CPU usage of signing. If you're using a 1-GB Ethernet network or slower storage speed with a modern CPU, there's limited degradation in performance. If you're using a faster network (such as 10 Gb), the performance impact of signing may be greater. ## Related topics From 77d6dd6017edb14554a354d151d072228782bb9b Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Fri, 1 Jul 2022 18:31:21 +0530 Subject: [PATCH 09/77] Acrolinx Enhancement Effort --- ...tructure-and-applocker-rule-enforcement.md | 6 ++-- .../applocker/edit-an-applocker-policy.md | 23 +++++++------- .../applocker/maintain-applocker-policies.md | 8 ++--- .../manage-packaged-apps-with-applocker.md | 22 +++++++------- ...r-policies-by-using-set-applockerpolicy.md | 4 +-- .../merge-applocker-policies-manually.md | 6 ++-- ...onitor-application-usage-with-applocker.md | 16 +++++----- ...ckaged-app-installer-rules-in-applocker.md | 2 +- .../plan-for-applocker-policy-management.md | 30 +++++++++---------- .../applocker/refresh-an-applocker-policy.md | 6 ++-- ...the-automatically-generate-rules-wizard.md | 8 ++--- .../security-considerations-for-applocker.md | 18 +++++------ .../select-types-of-rules-to-create.md | 12 ++++---- .../test-and-update-an-applocker-policy.md | 18 +++++------ .../applocker/tools-to-use-with-applocker.md | 2 +- 15 files changed, 90 insertions(+), 91 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index f21a48c714..24d9b339a4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -40,7 +40,7 @@ To complete this AppLocker planning document, you should first complete the foll 3. [Select the types of rules to create](select-types-of-rules-to-create.md) 4. [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) -After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they are linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. +After you determine how to structure your Group Policy Objects (GPOs) so that you can apply AppLocker policies, you should record your findings. You can use the following table to determine how many GPOs to create (or edit) and which objects they're linked to. If you decided to create custom rules to allow system files to run, note the high-level rule configuration in the **Use default rule or define new rule condition** column. The following table includes the sample data that was collected when you determined your enforcement settings and the GPO structure for your AppLocker policies. @@ -49,13 +49,13 @@ The following table includes the sample data that was collected when you determi |Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules| ||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow|| |Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules| -||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow|| +||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow|| ||||Internet Explorer 7|C:\Program Files\Internet Explorer

    |File is signed; create a publisher condition|Deny|| ||||Windows files|C:\Windows|Use a default rule for the Windows path|Allow|| ## Next steps -After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: +After you've determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain: - [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index 811e3ab499..5f324a437e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This topic for IT professionals describes the steps required to modify an AppLocker policy. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't create a new version of the policy by importing more rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). There are three methods you can use to edit an AppLocker policy: @@ -44,16 +44,15 @@ There are three methods you can use to edit an AppLocker policy: ## Editing an AppLocker policy by using Group Policy -The steps to edit an AppLocker policy distributed by Group Policy include the following: +The steps to edit an AppLocker policy distributed by Group Policy include: ### Step 1: Use Group Policy management software to export the AppLocker policy from the GPO -AppLocker provides a feature to export and import AppLocker policies as an XML file. This allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker -policy to an XML file. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). +AppLocker provides a feature to export and import AppLocker policies as an XML file. This feature allows you to modify an AppLocker policy outside your production environment. Because updating an AppLocker policy in a deployed GPO could have unintended consequences, you should first export the AppLocker policy to an XML file. For information on the procedure to export this policy, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). ### Step 2: Import the AppLocker policy into the AppLocker reference PC or the PC you use for policy maintenance -After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). +After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). >**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.   @@ -61,8 +60,8 @@ After exporting the AppLocker policy to an XML file, you should import the XML f AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. -- For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). -- For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). +- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). +- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For procedures to create rules, see: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) @@ -70,7 +69,7 @@ AppLocker provides ways to modify, delete, or add rules to a policy by modifying - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) - [Enable the DLL rule collection](enable-the-dll-rule-collection.md) -- For steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). +- For information on the steps to test an AppLocker policy, see [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md). - For procedures to export the updated policy from the reference computer back into the GPO, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md). ### Step 4: Use AppLocker and Group Policy to import the AppLocker policy back into the GPO @@ -89,7 +88,7 @@ The steps to edit an AppLocker policy distributed by using the Local Security Po On the PC where you maintain policies, open the AppLocker snap-in from the Local Security Policy snap-in (secpol.msc). If you exported the AppLocker policy from another PC, use AppLocker to import it onto the PC. -After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). +After exporting the AppLocker policy to an XML file, you should import the XML file onto a reference PC so that you can edit the policy. For information on the procedure to import an AppLocker policy, see [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). >**Caution:**  Importing a policy onto another PC will overwrite the existing policy on that PC.   @@ -97,8 +96,8 @@ After exporting the AppLocker policy to an XML file, you should import the XML f AppLocker provides ways to modify, delete, or add rules to a policy by modifying the rules within the collection. -- For the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). -- For the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). +- For information on the procedure to modify a rule, see [Edit AppLocker rules](edit-applocker-rules.md). +- For information on the procedure to delete a rule, see [Delete an AppLocker rule](delete-an-applocker-rule.md). - For procedures to create rules, see: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) @@ -114,6 +113,6 @@ For steps to test an AppLocker policy, see [Test and update an AppLocker policy] For procedures to export the updated policy from the reference computer to targeted computers, see [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) and [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md). -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 04db4a506d..97c6d66e6c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -57,7 +57,7 @@ For every scenario, the steps to maintain an AppLocker policy distributed by Gro As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the AppLocker policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of GPOs. >**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. @@ -74,7 +74,7 @@ Updating an AppLocker policy that is currently enforced in your production envir After the AppLocker policy has been exported from the GPO into the AppLocker reference or test computer, or has been accessed on the local computer, the specific rules can be modified as required. -To modify AppLocker rules, see the following: +To modify AppLocker rules, see the following articles: - [Edit AppLocker rules](edit-applocker-rules.md) - [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md) or [Merge AppLocker policies manually](merge-applocker-policies-manually.md) @@ -101,7 +101,7 @@ Before modifying a policy, evaluate how the policy is currently implemented. ### Step 2: Update the AppLocker policy by modifying the appropriate AppLocker rule -Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. +Rules are grouped into a collection, which can have the policy enforcement setting applied to it. By default, AppLocker rules don't allow users to open or run any files that aren't allowed. To modify AppLocker rules, see the appropriate topic listed on [Administer AppLocker](administer-applocker.md). @@ -117,6 +117,6 @@ You can export and then import AppLocker policies to deploy the policy to other After deploying a policy, evaluate the policy's effectiveness. -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index 6c12bd897b..477f41380a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -34,7 +34,7 @@ This topic for IT professionals describes concepts and lists procedures to help ## Understanding Packaged apps and Packaged app installers for AppLocker Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. -With packaged apps, it is possible to control the entire app by using a single AppLocker rule. +With packaged apps, it's possible to control the entire app by using a single AppLocker rule. > [!NOTE] > AppLocker supports only publisher rules for packaged apps. All packaged apps must be signed by the software publisher because Windows does not support unsigned packaged apps. @@ -46,8 +46,8 @@ Typically, an app consists of multiple components: the installer that is used to AppLocker policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include: -- **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. -- **Changing the system state**   Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. +- **Installing the apps**   All packaged apps can be installed by a standard user, whereas many classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps. +- **Changing the system state**   Classic Windows apps can be written to change the system state if they're run with administrative privileges. Most packaged apps can't change the system state because they run with limited privileges. When you design your AppLocker policies, it's important to understand whether an app that you're allowing can make system-wide changes. - **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means. AppLocker uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both. @@ -67,12 +67,12 @@ For info about how to use the **Get-AppxPackage** Windows PowerShell cmdlet, see For info about creating rules for Packaged apps, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md). -Consider the following info when you are designing and deploying apps: +Consider the following info when you're designing and deploying apps: -- Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps is not necessary. -- You cannot create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps were not always consistently signed; therefore, AppLocker has to support hash- or path-based rules. -- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 would not have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or -Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app. This might be contrary to your design. +- Because AppLocker supports only publisher rules for packaged apps, collecting the installation path information for packaged apps isn't necessary. +- You can't create hash- or path-based rules for packaged apps because all packaged apps and packaged app installers are signed by the software publisher of the package. Classic Windows apps weren't always consistently signed; therefore, AppLocker has to support hash- or path-based rules. +- By default, if there are no rules in a particular rule collection, AppLocker allows every file that is included in that rule collection. For example, if there are no Windows Installer rules, AppLocker allows all .msi, .msp, and .mst files to run. An existing AppLocker policy that was targeted at computers running Windows Server 2008 R2 and Windows 7 wouldn't have rules for Packaged apps. Therefore, when a computer running at least Windows Server 2012 or +Windows 8 joins a domain where an AppLocker policy is already configured, users would be allowed to run any packaged app, which is contrary to your design. To prevent all packaged apps from running on a newly domain-joined computer, by default AppLocker blocks all packaged apps on a computer running at least Windows Server 2012 or Windows 8 if the existing domain policy has rules configured in the exe rule collection. You must take explicit action to allow packaged apps in your enterprise. You can allow only a select set of packaged apps. Or if you want to allow all packaged apps, you can create a default rule for the packaged apps collection. @@ -80,10 +80,10 @@ Windows 8 joins a domain where an AppLocker policy is already configured, users Just as there are differences in managing each rule collection, you need to manage the packaged apps with the following strategy: -1. Gather information about which Packaged apps are running in your environment. For information about how to do this, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). +1. Gather information about which Packaged apps are running in your environment. For information about how to gather this information, see [Create list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md). 2. Create AppLocker rules for specific packaged apps based on your policy strategies. For more information, see [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) and [Understanding AppLocker default rules](./understanding-applocker-default-rules.md). -3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). +3. Continue to update the AppLocker policies as new package apps are introduced into your environment. To do this update, see [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md). -4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). \ No newline at end of file +4. Continue to monitor your environment to verify the effectiveness of the rules that are deployed in AppLocker policies. To do this monitoring, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 7737b4399b..6d553816d9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -31,13 +31,13 @@ ms.technology: windows-sec This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. -The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter is not specified, then the new policy will overwrite the existing policy. +The **Set-AppLockerPolicy** cmdlet sets the specified Group Policy Object (GPO) to contain the specified AppLocker policy. If no Lightweight Directory Access Protocol (LDAP) is specified, the local GPO is the default. When the Merge parameter is used, rules in the specified AppLocker policy will be merged with the AppLocker rules in the target GPO specified in the LDAP path. The merging of policies will remove rules with duplicate rule IDs, and the enforcement setting specified by the AppLocker policy in the target GPO will be preserved. If the Merge parameter isn't specified, then the new policy will overwrite the existing policy. For info about using **Set-AppLockerPolicy**, including syntax descriptions and parameters, see [Set-AppLockerPolicy](/powershell/module/applocker/set-applockerpolicy). For info about using Windows PowerShell for AppLocker, including how to import the AppLocker cmdlets into Windows PowerShell, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). -You can also manually merge AppLocker policies. For the procedure to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md). +You can also manually merge AppLocker policies. For information on the procedure to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md). **To merge a local AppLocker policy with another AppLocker policy by using LDAP paths** 1. Open the PowerShell command window. For info about performing Windows PowerShell commands for AppLocker, see [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index 4063ae1e66..de6eab6cab 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). -If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker console. You must create one rule collection from two or more policies. For info about merging policies by using the cmdlet, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). +If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You can't automatically merge policies by using the AppLocker console. You must create one rule collection from two or more policies. For info about merging policies by using the cmdlet, see [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. Rule collections are specified within the **RuleCollection Type** element. The XML schema includes five attributes for the different rule collections, as shown in the following table: @@ -51,7 +51,7 @@ Rule enforcement is specified with the **EnforcementMode** element. The three en | AuditOnly | Audit only| | Enabled | Enforce rules| -Each of the three condition types use specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually. +Each of the three condition types uses specific elements. For XML examples of the different rule types, see Merge AppLocker policies manually. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. @@ -63,4 +63,4 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 4. Open the policy where you want to add the copied rules. 5. Select and expand the rule collection where you want to add the rules. 6. At the bottom of the rule list for the collection, after the closing element, paste the rules that you copied from the first policy file. Verify that the opening and closing elements are intact, and then save the policy. -7. Upload the policy to a reference computer to ensure that it is functioning properly within the GPO. +7. Upload the policy to a reference computer to ensure that it's functioning properly within the GPO. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index a19c80618b..0545d013ef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -31,7 +31,7 @@ ms.technology: windows-sec This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. -Once you set rules and deploy the AppLocker policies, it is good practice to determine if the policy implementation is what you expected. +Once you set rules and deploy the AppLocker policies, it's a good practice to determine if the policy implementation is what you expected. ### Discover the effect of an AppLocker policy @@ -39,27 +39,27 @@ You can evaluate how the AppLocker policy is currently implemented for documenta - **Analyze the AppLocker logs in Event Viewer** - When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules are not enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. + When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. - For the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). + For information on the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). - **Enable the Audit only AppLocker enforcement setting** By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. - For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + For information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). - **Review AppLocker events with Get-AppLockerFileInformation** - For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you are using the audit-only enforcement mode) and how many times the event has occurred for each file. + For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you're using the audit-only enforcement mode) and how many times the event has occurred for each file. - For the procedure to do this, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). + For information on the procedure to do this verification, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). - **Review AppLocker events with Test-AppLockerPolicy** You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies. - For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + For information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). ### Review AppLocker events with Get-AppLockerFileInformation @@ -93,7 +93,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum **To view events in the AppLocker log by using Event Viewer** -1. Open Event Viewer. To do this, click **Start**, type **eventvwr.msc**, and then press ENTER. +1. Open Event Viewer by clicking **Start**, typing **eventvwr.msc**, and then pressing ENTER. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**. AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index c79be76e77..0ee1ed1988 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -32,7 +32,7 @@ ms.technology: windows-sec This topic explains the AppLocker rule collection for packaged app installers and packaged apps. Universal Windows apps can be installed through the Microsoft Store or can be sideloaded using the Windows PowerShell cmdlets. Universal Windows apps can be installed by a standard user unlike some Classic Windows applications that sometimes require administrative privileges for installation. -Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It is therefore possible to control an entire app with a single rule. +Typically, an app consists of multiple components – the installer used to install the app and one or more exes, dlls or scripts. With Classic Windows applications, not all those components always share common attributes such as the publisher name, product name and product version. Therefore, AppLocker has to control each of these components separately through different rule collections – exe, dll, script and Windows Installers. In contrast, all the components of a Universal Windows app share the same attributes: Publisher name, Package name and Package version. It's therefore possible to control an entire app with a single rule. AppLocker enforces rules for Universal Windows apps separately from Classic Windows applications. A single AppLocker rule for a Universal Windows app can control both the installation and the running of an app. Because all Universal Windows apps are signed, AppLocker supports only publisher rules for Universal Windows apps. A publisher rule for a Universal Windows app is based on the following attributes of the app: diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 2f5df9dc7c..65214802ff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -1,6 +1,6 @@ --- title: Plan for AppLocker policy management (Windows) -description: This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. +description: This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ms.assetid: dccc196f-6ae0-4ae4-853a-a3312b18751b ms.reviewer: ms.author: dansimp @@ -29,7 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. +This topic describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. ## Policy management @@ -46,23 +46,23 @@ Developing a process for managing AppLocker rules helps assure that AppLocker co **Help desk support** -If your organization has an established help desk support department in place, consider the following when deploying AppLocker policies: +If your organization has an established help desk support department in place, consider the following points when deploying AppLocker policies: - What documentation does your support department require for new policy deployments? - What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload? - Who are the contacts in the support department? -- How will the support department resolve application control issues between the end user and those who maintain the AppLocker rules? +- How will the support department resolve application control issues between the end user and those resources who maintain the AppLocker rules? **End-user support** -Because AppLocker is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include: +Because AppLocker is preventing unapproved apps from running, it's important that your organization carefully plans how to provide end-user support. Considerations include: - Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app? - How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app? **Using an intranet site** -AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you do not display a custom URL for the message when an app is blocked, the default URL is used. +AppLocker can be configured to display the default message but with a custom URL. You can use this URL to redirect users to a support site that contains information about why the user received the error and which applications are allowed. If you don't display a custom URL for the message when an app is blocked, the default URL is used. The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link. @@ -72,7 +72,7 @@ For steps to display a custom URL for the message, see [Display a custom URL mes **AppLocker event management** -Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which file tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The +Each time that a process requests permission to run, AppLocker creates an event in the AppLocker event log. The event details which was the file that tried to run, the attributes of that file, the user that initiated the request, and the rule GUID that was used to make the AppLocker execution decision. The AppLocker event log is located in the following path: **Applications and Services Logs\\Microsoft\\Windows\\AppLocker**. The AppLocker log includes three logs: 1. **EXE and DLL**. Contains events for all files affected by the executable and DLL rule collections (.exe, .com, .dll, and .ocx). @@ -83,22 +83,22 @@ Collecting these events in a central location can help you maintain your AppLock ### Policy maintenance -As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current. +As new apps are deployed or existing apps are updated by the software publisher, you'll need to make revisions to your rule collections to ensure that the policy is current. -You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013). +You can edit an AppLocker policy by adding, changing, or removing rules. However, you can't specify a version for the policy by importing more rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013). > [!IMPORTANT] > You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior. **New version of a supported app** -When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. +When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you're using publisher conditions and the version isn't specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app hasn't altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied. To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. Each file can also be inspected to determine the version. For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions. -For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app +For files with path conditions, you should verify that the installation path hasn't changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app **Recently deployed app** @@ -114,7 +114,7 @@ A file could be blocked for three reasons: - The most common reason is that no rule exists to allow the app to run. - There may be an existing rule that was created for the file that is too restrictive. -- A deny rule, which cannot be overridden, is explicitly blocking the file. +- A deny rule, which can't be overridden, is explicitly blocking the file. Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791793(v=ws.10)) (https://go.microsoft.com/fwlink/p/?LinkId=160269). @@ -132,7 +132,7 @@ The three key areas to determine for AppLocker policy management are: 1. Support policy - Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. + Document the process that you'll use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy. 2. Event processing @@ -149,7 +149,7 @@ The following table contains the added sample data that was collected when deter |Bank Tellers|Teller-East and Teller-West|Yes|Teller Software|C:\Program Files\Woodgrove\Teller.exe|File is signed; create a publisher condition|Allow|Tellers-AppLockerTellerRules|Web help| ||||Windows files|C:\Windows|Create a path exception to the default rule to exclude \Windows\Temp|Allow||Help desk| |Human Resources|HR-All|Yes|Check Payout|C:\Program Files\Woodgrove\HR\Checkcut.exe|File is signed; create a publisher condition|Allow|HR-AppLockerHRRules|Web help| -||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File is not signed; create a file hash condition|Allow||Web help| +||||Time Sheet Organizer|C:\Program Files\Woodgrove\HR\Timesheet.exe|File isn't signed; create a file hash condition|Allow||Web help| ||||Internet Explorer 7|C:\Program Files\Internet Explorer

    |File is signed; create a publisher condition|Deny||Web help| ||||Windows files|C:\Windows|Use the default rule for the Windows path|Allow||Help desk| @@ -157,7 +157,7 @@ The following two tables illustrate examples of documenting considerations to ma **Event processing policy** -One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. +One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This setting will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events. The following table is an example of what to consider and record. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index e4d36fb82e..9d554232ef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -42,7 +42,7 @@ To complete this procedure, you must have Edit Setting permission to edit a GPO **To manually refresh the AppLocker policy by using Group Policy** 1. From a command prompt, type **gpupdate /force**, and then press ENTER. -2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this by checking the AppLocker event logs for events that include "policy applied." +2. When the command finishes, close the command prompt window, and then verify that the intended rule behavior is correct. You can do this verification by checking the AppLocker event logs for events that include "policy applied." To change a policy on an individual computer, or to implement that policy on other computers, without using Group Policy, you first need to update the rule within the rule collection. For information about updating existing rules, see [Edit AppLocker rules](edit-applocker-rules.md). For information about creating a new rule for an existing policy, see: @@ -64,8 +64,8 @@ When finished, the policy is in effect. To make the same change on another device, you can use any of the following methods: -- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do this, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. +- From the device that you made the change on, export the AppLocker policy, and then import the policy onto the other device. To do these tasks, use the AppLocker **Export Policy** and **Import Policy** features to copy the rules from the changed computer. >**Caution:**  When importing rules from another computer, all the rules will be applied, not just the one that was updated. Merging policies allows both existing and updated (or new) rules to be applied.   -- Merge AppLocker policies. For procedures to do this, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). +- Merge AppLocker policies. For information on the procedures to do this merging, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) and [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index b45234c1a0..807313b37d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -40,15 +40,15 @@ You can perform this task by using the Group Policy Management Console for an Ap 1. Open the AppLocker console. 2. Right-click the appropriate rule type for which you want to automatically generate rules. You can automatically generate rules for executable, Windows Installer, script and packaged app rules. 3. Click **Automatically Generate Rules**. -4. On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this is the Program Files folder. -5. Click **Select** to choose the security group in which the default rules should be applied. By default, this is the **Everyone** group. -6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you have selected. Accept the provided name or type a different name, and then click **Next**. +4. On the **Folder and Permissions** page, click **Browse** to choose the folder to be analyzed. By default, this folder is the Program Files folder. +5. Click **Select** to choose the security group in which the default rules should be applied. By default, this group is the **Everyone** group. +6. The wizard provides a name in the **Name to identify this set of rules** box based on the name of the folder that you've selected. Accept the provided name or type a different name, and then click **Next**. 7. On the **Rule Preferences** page, choose the conditions that you want the wizard to use while creating rules, and then click **Next**. For more info about rule conditions, see [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md). >**Note:** The **Reduce the number of rules created by grouping similar files** check box is selected by default. This helps you organize AppLocker rules and reduce the number of rules that you create by performing the following operations for the rule condition that you select: - One publisher condition is created for all files that have the same publisher and product name. - - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder are not signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. + - One path condition is created for the folder that you select. For example, if you select *C:\\Program Files\\ProgramName\\* and the files in that folder aren't signed, the wizard creates a rule for *%programfiles%\\ProgramName\\\**. - One file hash condition is created that contains all of the file hashes. When rule grouping is disabled, the wizard creates a file hash rule for each file. 8. Review the files that were analyzed and the rules that will be automatically created. To make changes, click **Previous** to return to the page where you can change your selections. After reviewing the rules, click **Create**. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 3b58e12ab7..8aebe54030 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -34,26 +34,26 @@ This topic for the IT professional describes the security considerations you nee The purpose of AppLocker is to restrict the access to software, and therefore, the data accessed by the software, to a specific group of users or within a defined business group. The following are security considerations for AppLocker: -AppLocker is deployed within an enterprise and administered centrally by those in IT with trusted credentials. This makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. +AppLocker is deployed within an enterprise and administered centrally by those resources in IT with trusted credentials. This system makes its policy creation and deployment conform to similar policy deployment processes and security restrictions. -AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. +AppLocker policies are distributed through known processes and by known means within the domain through Group Policy. But AppLocker policies can also be set on individual computers if the person has administrator privileges, and those policies might be contrary to the organization's written security policy. The enforcement settings for local policies are overridden by the same AppLocker policies in a Group Policy Object (GPO). However, because AppLocker rules are additive, a local policy that isn't in a GPO will still be evaluated for that computer. -Microsoft does not provide a way to develop any extensions to AppLocker. The interfaces are not public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460962(v=technet.10)). +Microsoft doesn't provide a way to develop any extensions to AppLocker. The interfaces aren't public. A user with administrator credentials can automate some AppLocker processes by using Windows PowerShell cmdlets. For info about the Windows PowerShell cmdlets for AppLocker, see the [AppLocker Cmdlets in Windows PowerShell](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee460962(v=technet.10)). -AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that is not in a GPO will still be evaluated for that computer. If the local computer is not joined to a domain and is not administered by Group Policy, a person with administrative credentials can alter the AppLocker policy. +AppLocker runs in the context of Administrator or LocalSystem, which is the highest privilege set. This security context has the potential of misuse. If a user with administrative credentials makes changes to an AppLocker policy on a local device that is joined to a domain, those changes could be overwritten or disallowed by the GPO that contains the AppLocker rule for the same file (or path) that was changed on the local device. However, because AppLocker rules are additive, a local policy that isn't in a GPO will still be evaluated for that computer. If the local computer isn't joined to a domain and isn't administered by Group Policy, a person with administrative credentials can alter the AppLocker policy. -When securing files in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it is still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy. +When files are being secured in a directory with a rule of the path condition type, whether using the allow or deny action on the rule, it's still necessary and good practice to restrict access to those files by setting the access control lists (ACLs) according to your security policy. -AppLocker does not protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe. +AppLocker doesn't protect against running 16-bit DOS binaries in the Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or later when there's already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it's a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the executable rule collection for NTVDM.exe. -You cannot use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. +You can't use AppLocker (or Software Restriction Policies) to prevent code from running outside the Win32 subsystem. In particular, this rule applies to the (POSIX) subsystem in Windows NT. If it's a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. -AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker cannot control every kind of interpreted code, such as Microsoft Office macros. +AppLocker can only control VBScript, JScript, .bat files, .cmd files, and Windows PowerShell scripts. It doesn't control all interpreted code that runs within a host process, for example, Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To control interpreted code by using AppLocker, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision returned by AppLocker. Not all host processes call into AppLocker and, therefore, AppLocker can't control every kind of interpreted code, such as Microsoft Office macros. > [!IMPORTANT] > You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. -AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. +AppLocker rules either allow or prevent an application from launching. AppLocker doesn't control the behavior of applications after they're launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules. > [!NOTE] > Two flags that illustrate this condition are `SANDBOX_INERT`, which can be passed to `CreateRestrictedToken`, and `LOAD_IGNORE_CODE_AUTHZ_LEVEL`, which can be passed to `LoadLibraryEx`. Both of these flags signal AppLocker to circumvent the rules and allow a child .exe or .dll to be loaded. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 0e46c32873..a8f29966da 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -52,7 +52,7 @@ The rules you create will be in one of the following rule collections: - Packaged apps and packaged app installers: .appx - DLLs: .dll and .ocx -By default, the rules will allow a file to run based upon user or group privilege. If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection is not enabled by default. +By default, the rules will allow a file to run based upon user or group privilege. If you use DLL rules, a DLL allow rule has to be created for each DLL that is used by all of the allowed apps. The DLL rule collection isn't enabled by default. In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is C:\\Program Files\\Woodgrove\\Teller.exe, and this app needs to be included in a rule. In addition, because this rule is part of a list of allowed applications, all the Windows files under C:\\Windows must be included as well. @@ -66,13 +66,13 @@ A rule condition is criteria upon which an AppLocker rule is based and can only | Path| Any file can be assigned this rule condition; however, because path rules specify locations within the file system, any subdirectory will also be affected by the rule (unless explicitly exempted).| For more info about this rule condition, see [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md). | | File hash | Any file can be assigned this rule condition; however, the rule must be updated each time a new version of the file is released because the hash value is based in part upon the version.| For more info about this rule condition, see [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md). | -In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. +In the Woodgrove Bank example, the line-of-business app for the Bank Tellers business group is signed and is located at C:\\Program Files\\Woodgrove\\Teller.exe. Therefore, the rule can be defined with a publisher condition. If the rule is defined to a specific version and above (for example, Teller.exe version 8.0 and above), then this rule will allow any updates to this app to occur without interruption of access to the users if the app's name and signed attributes stay the same. ### Determine how to allow system files to run -Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you are first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it is denoted with "(Default rule)" in its name as it appears in the rule collection. +Because AppLocker rules build a list of allowed apps, a rule or rules must be created to allow all Windows files to run. AppLocker provides a means to ensure system files are properly considered in your rule collection by generating the default rules for each rule collection. You can use the default rules (listed in [AppLocker default rules](working-with-applocker-rules.md#applocker-default-rules)) as a template when creating your own rules. However, these rules are only meant to function as a starter policy when you're first testing AppLocker rules so that the system files in the Windows folders will be allowed to run. When a default rule is created, it's denoted with "(Default rule)" in its name as it appears in the rule collection. -You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This will permit access to these files whenever updates are applied and the files change. If you require additional application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: +You can also create a rule for the system files based on the path condition. In the preceding example, for the Bank Tellers group, all Windows files reside under C:\\Windows and can be defined with the path rule condition type. This rule will permit access to these files whenever updates are applied and the files change. If you require more application security, you might need to modify the rules created from the built-in default rule collection. For example, the default rule to allow all users to run .exe files in the Windows folder is based on a path condition that allows all files within the Windows folder to run. The Windows folder contains a Temp subfolder to which the Users group is given the following permissions: - Traverse Folder/Execute File - Create Files/Write Data @@ -82,6 +82,6 @@ These permissions settings are applied to this folder for application compatibil ## Next steps -After you have selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md). +After you've selected the types of rules to create, record your findings as explained in [Document your AppLocker rules](document-your-applocker-rules.md). -After recording your findings for the AppLocker rules to create, you will need to consider how to enforce the rules. For info about how to do this, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). +After recording your findings for the AppLocker rules to create, you'll need to consider how to enforce the rules. For information about how to do this enforcement, see [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index e94dd7e02a..7767e8d4db 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -35,42 +35,42 @@ You should test each set of rules to ensure that the rules perform as intended. ## Step 1: Enable the Audit only enforcement setting -By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For the procedure to do this, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). +By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules that you have created are properly configured for your organization. This setting can be enabled on the **Enforcement** tab of the **AppLocker Properties** dialog box. For information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). ## Step 2: Configure the Application Identity service to start automatically -Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For the procedure to do this, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that are not managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. +Because AppLocker uses the Application Identity service to verify the attributes of a file, you must configure it to start automatically in any one GPO that applies AppLocker rules. For information on the procedure to do this configuration, see [Configure the Application Identity Service](configure-the-application-identity-service.md). For AppLocker policies that aren't managed by a GPO, you must ensure that the service is running on each PC in order for the policies to be applied. ## Step 3: Test the policy -Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PC that are configured to receive your AppLocker policy. +Test the AppLocker policy to determine if your rule collection needs to be modified. Because you have created AppLocker rules, enabled the Application Identity service, and enabled the **Audit only** enforcement setting, the AppLocker policy should be present on all client PCs that are configured to receive your AppLocker policy. -The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For the procedure to do this, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). +The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference PCs. For information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). ## Step 4: Analyze AppLocker events You can either manually analyze AppLocker events or use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to automate the analysis. **To manually analyze AppLocker events** -You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you have not configured an event subscription, then you will have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). +You can view the events either in Event Viewer or a text editor and then sort those events to perform an analysis, such as looking for patterns in application usage events, access frequencies, or access by user groups. If you haven't configured an event subscription, then you'll have to review the logs on a sampling of computers in your organization. For more information about using Event Viewer, see [Monitor application usage with AppLocker](monitor-application-usage-with-applocker.md). **To analyze AppLocker events by using Get-AppLockerFileInformation** You can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to analyze AppLocker events from a remote computer. If an app is being blocked and should be allowed, you can use the AppLocker cmdlets to help troubleshoot the problem. -For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you are using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For the procedure to do this, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). +For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** cmdlet to determine which files have been blocked or would have been blocked (if you're using the **Audit only** enforcement mode) and how many times the event has occurred for each file. For information on the procedure to do this monitoring, see [Monitor Application Usage with AppLocker](monitor-application-usage-with-applocker.md). -After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this, you can use the Group Policy Results Wizard to view rule names. +After using **Get-AppLockerFileInformation** to determine how many times that a file would have been blocked from running, you should review your rule list to determine whether a new rule should be created for the blocked file or whether an existing rule is too strictly defined. Ensure that you check which GPO is currently preventing the file from running. To determine this blocker GPO, you can use the Group Policy Results Wizard to view rule names. ## Step 5: Modify the AppLocker policy -After you have identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that are not managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). +After you've identified which rules need to be edited or added to the policy, you can use the Group Policy Management Console to modify the AppLocker rules in the relevant GPOs. For AppLocker policies that aren't managed by a GPO, you can use the Local Security Policy snap-in (secpol.msc). For info how to modify an AppLocker policy, see, [Edit an AppLocker policy](edit-an-applocker-policy.md). ## Step 6: Repeat policy testing, analysis, and policy modification Repeat the previous steps 3–5 until all the rules perform as intended before applying enforcement. -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md).   diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index 25bb78c4e1..fd88f08362 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -49,7 +49,7 @@ The following tools can help you administer the application control policies cre You can edit an AppLocker policy by adding, changing, or removing rules by using the Group Policy Management Console (GPMC). - If you want additional features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. + If you want more features to manage AppLocker policies, such as version control, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. - **Remote Server Administration Tools (RSAT)** From 2b2ddbdffeb6b38ab6b9fe4aae36e322287b5b2e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 4 Jul 2022 12:54:39 +0530 Subject: [PATCH 10/77] Acrolinx Enhancement Effort --- ...derstand-applocker-enforcement-settings.md | 4 +- ...stand-applocker-policy-design-decisions.md | 50 +++++++++---------- .../understanding-applocker-rule-behavior.md | 2 +- ...understanding-applocker-rule-exceptions.md | 4 +- ...e-file-hash-rule-condition-in-applocker.md | 6 +-- ...ng-the-path-rule-condition-in-applocker.md | 8 +-- ...e-publisher-rule-condition-in-applocker.md | 12 ++--- ...-create-and-maintain-applocker-policies.md | 14 +++--- ...restriction-policies-in-the-same-domain.md | 16 +++--- ...he-applocker-windows-powershell-cmdlets.md | 4 +- .../using-event-viewer-with-applocker.md | 18 +++---- ...riction-policies-and-applocker-policies.md | 10 ++-- .../applocker/what-is-applocker.md | 4 +- .../applocker/working-with-applocker-rules.md | 46 ++++++++--------- ...-apps-deployed-with-a-managed-installer.md | 14 +++--- 15 files changed, 106 insertions(+), 106 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 9b7c321d4e..f99766832e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -31,11 +31,11 @@ ms.technology: windows-sec This topic describes the AppLocker enforcement settings for rule collections. -Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement is not configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection. +Rule enforcement is applied only to a collection of rules, not to individual rules. AppLocker divides the rules into four collections: executable files, Windows Installer files, scripts, and DLL files. For more info about rule collections, see [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md). By default, if enforcement isn't configured and rules are present in a rule collection, those rules are enforced. The following table details the three AppLocker rule enforcement settings in Group Policy for each rule collection. | Enforcement setting | Description | | - | - | -| Not configured | By default, enforcement is not configured in a rule collection. If rules are present in the corresponding rule collection, they are enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| +| Not configured | By default, enforcement isn't configured in a rule collection. If rules are present in the corresponding rule collection, they're enforced. If rule enforcement is configured in a higher-level linked Group Policy object (GPO), that enforcement value overrides the **Not configured** value.| | Enforce rules | Rules are enforced for the rule collection, and all rule events are audited.| | Audit only | Rule events are audited only. Use this value when planning and testing AppLocker rules.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index c14abfaefc..fb22ebb52e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -1,6 +1,6 @@ --- title: Understand AppLocker policy design decisions (Windows) -description: Review some common considerations while you are planning to use AppLocker to deploy application control policies within a Windows environment. +description: Review some common considerations while you're planning to use AppLocker to deploy application control policies within a Windows environment. ms.assetid: 3475def8-949a-4b51-b480-dc88b5c1e6e6 ms.reviewer: ms.author: macapara @@ -42,34 +42,34 @@ You should consider using AppLocker as part of your organization's application c - You have resources to involve Help Desk or to build a self-help process for end-user application access issues. - The group's requirements for productivity, manageability, and security can be controlled by restrictive policies. -The following questions are not in priority or sequential order. They should be considered when you deploy application control policies (as appropriate for your targeted environment). +The following questions aren't in priority or sequential order. They should be considered when you deploy application control policies (as appropriate for your targeted environment). ### Which apps do you need to control in your organization? -You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. +You might need to control a limited number of applications because they access sensitive data, or you might have to exclude all applications except those applications that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage. | Possible answers | Design considerations| | - | - | | Control all apps | AppLocker policies control applications by creating an allowed list of applications by file type. Exceptions are also possible. AppLocker policies can only be applied to applications installed on computers running one of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| -| Control specific apps | When you create AppLocker rules, a list of allowed apps is created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| +| Control specific apps | When you create AppLocker rules, a list of allowed apps is created. All applications on that list will be allowed to run (except those applications on the exception list). Applications that aren't on the list will be prevented from running. AppLocker policies can only be applied to apps installed on computers running any of the supported versions of Windows. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).| |Control only Classic Windows applications, only Universal Windows apps, or both| AppLocker policies control apps by creating an allowed list of apps by file type. Because Universal Windows apps are categorized under the Publisher condition, Classic Windows applications and Universal Windows apps can be controlled together. AppLocker policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with AppLocker on all supported versions of Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.
    For a comparison of Classic Windows applications and Universal Windows apps, see [Comparing Classic Windows applications and Universal Windows apps for AppLocker policy design decisions](#bkmk-compareclassicmetro) in this topic.| | Control apps by business group and user | AppLocker policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). Individual AppLocker rules can be applied to individual users or to groups of users.| -| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you will have to identify users, their computers, and their app access requirements.| -|Understand app usage, but there is no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.| +| Control apps by computer, not user | AppLocker is a computer-based policy implementation. If your domain or site organizational structure isn't based on a logical user structure, such as an OU, you might want to set up that structure before you begin your AppLocker planning. Otherwise, you'll have to identify users, their computers, and their app access requirements.| +|Understand app usage, but there's no need to control any apps yet | AppLocker policies can be set to audit app usage to help you track which apps are used in your organization. You can then use the AppLocker event log to create AppLocker policies.| > [!IMPORTANT] > The following list contains files or types of files that cannot be managed by AppLocker: -- AppLocker does not protect against running 16-bit DOS binaries in an NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there is already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it is a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. +- AppLocker doesn't protect against running 16-bit DOS binaries in an NT Virtual DOS Machine (NTVDM). This technology allows running legacy DOS and 16-bit Windows programs on computers that are using Intel 80386 or higher when there's already another operating system running and controlling the hardware. The result is that 16-bit binaries can still run on Windows Server 2008 R2 and Windows 7 when AppLocker is configured to otherwise block binaries and libraries. If it's a requirement to prevent 16-bit applications from running, you must configure the Deny rule in the Executable rule collection for NTVDM.exe. -- You cannot use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this applies to the (POSIX) subsystem in Windows NT. If it is a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. +- You can't use AppLocker to prevent code from running outside the Win32 subsystem. In particular, this rule applies to the (POSIX) subsystem in Windows NT. If it's a requirement to prevent applications from running in the POSIX subsystem, you must disable the subsystem. -- AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It does not control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker cannot control every kind of interpreted code, for example Microsoft Office macros. +- AppLocker can only control VBScript, JScript, .bat files, .cmd files and Windows PowerShell scripts. It doesn't control all interpreted code that runs within a host process, for example Perl scripts and macros. Interpreted code is a form of executable code that runs within a host process. For example, Windows batch files (\*.bat) run within the context of the Windows Command Host (cmd.exe). To use AppLocker to control interpreted code, the host process must call AppLocker before it runs the interpreted code, and then enforce the decision that is returned by AppLocker. Not all host processes call into AppLocker. Therefore, AppLocker can't control every kind of interpreted code, for example Microsoft Office macros. > [!IMPORTANT] > You should configure the appropriate security settings of these host processes if you must allow them to run. For example, configure the security settings in Microsoft Office to ensure that only signed and trusted macros are loaded. -- AppLocker rules allow or prevent an app from launching. AppLocker does not control the behavior of apps after they are launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. +- AppLocker rules allow or prevent an app from launching. AppLocker doesn't control the behavior of apps after they're launched. Applications could contain flags that are passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll file to be loaded. In practice, an app that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must follow a process that best suits your needs to thoroughly vet each app before allowing them to run using AppLocker rules. For more info, see [Security considerations for AppLocker](security-considerations-for-applocker.md). @@ -77,8 +77,8 @@ You might need to control a limited number of apps because they access sensitive AppLocker policies for Universal Windows apps can only be applied to apps that are installed on computers running Windows operating systems that support Microsoft Store apps. However, Classic Windows applications can be controlled in Windows Server 2008 R2 and Windows 7, in addition to those computers that support Universal Windows apps. The rules for Classic Windows applications and Universal Windows apps can be enforced together. The differences you should consider for Universal Windows apps are: -- All Universal Windows apps can be installed by a standard user, whereas a number of Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. -- Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps cannot change the system state because they run with limited permissions. When you design your AppLocker policies, it is important to understand whether an app that you are allowing can make system-wide changes. +- All Universal Windows apps can be installed by a standard user, whereas many Classic Windows applications require administrative credentials to install. So in an environment where most of the users are standard users, you might not need numerous exe rules, but you might want more explicit policies for packaged apps. +- Classic Windows applications can be written to change the system state if they run with administrative credentials. Most Universal Windows apps can't change the system state because they run with limited permissions. When you design your AppLocker policies, it's important to understand whether an app that you're allowing can make system-wide changes. - Universal Windows apps can be acquired through the Store, or they can be side-loaded by using Windows PowerShell cmdlets. If you use Windows PowerShell cmdlets, a special Enterprise license is required to acquire Universal Windows apps. Classic Windows applications can be acquired through traditional means, such as through software vendors or retail distribution. AppLocker controls Universal Windows apps and Classic Windows applications by using different rule collections. You have the choice to control Universal Windows apps, Classic Windows applications, or both. @@ -91,7 +91,7 @@ Most organizations have evolved app control policies and methods over time. With | Possible answers | Design considerations | | - | - | -| Security polices (locally set or through Group Policy) | Using AppLocker requires increased effort in planning to create correct policies, but this results in a simpler distribution method.| +| Security policies (locally set or through Group Policy) | Using AppLocker requires increased effort in planning to create correct policies, but this policy creation results in a simpler distribution method.| | Non-Microsoft app control software | Using AppLocker requires a complete app control policy evaluation and implementation.| | Managed usage by group or OU | Using AppLocker requires a complete app control policy evaluation and implementation.| | Authorization Manager or other role-based access technologies | Using AppLocker requires a complete app control policy evaluation and implementation.| @@ -103,7 +103,7 @@ If your organization supports multiple Windows operating systems, app control po |Possible answers|Design considerations| |--- |--- | -|Your organization's computers are running a combination of the following operating systems:
  • Windows 11
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Vista
  • Windows XP
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003|AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

    **Note:** If you are using the Basic User security level as assigned in SRP, those privileges are not supported on computers running that support AppLocker.

    AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.| +|Your organization's computers are running a combination of the following operating systems:
  • Windows 11
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Vista
  • Windows XP
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003|AppLocker rules are only applied to computers running the supported versions of Windows, but SRP rules can be applied to all versions of Windows beginning with Windows XP and Windows Server 2003. For specific operating system version requirements, see [Requirements to use AppLocker](requirements-to-use-applocker.md).

    **Note:** If you're using the Basic User security level as assigned in SRP, those privileges aren't supported on computers running that support AppLocker.

    AppLocker policies as applied through a GPO take precedence over SRP policies in the same or linked GPO. SRP policies can be created and maintained the same way.| |Your organization's computers are running only the following operating systems:
  • Windows 11
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2|Use AppLocker to create your application control policies.| ### Are there specific groups in your organization that need customized application control policies? @@ -112,7 +112,7 @@ Most business groups or departments have specific security requirements that per | Possible answers | Design considerations | | - | - | -| Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.
    If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.| +| Yes | For each group, you need to create a list that includes their application control requirements. Although this consideration may increase the planning time, it will most likely result in a more effective deployment.
    If your GPO structure isn't currently configured so that you can apply different policies to specific groups, you can alternatively apply AppLocker rules in a GPO to specific user groups.| | No | AppLocker policies can be applied globally to applications that are installed on PCs running the supported versions of Windows as listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.| ### Does your IT department have resources to analyze application usage, and to design and manage the policies? @@ -121,12 +121,12 @@ The time and resources that are available to you to perform the research and ana | Possible answers | Design considerations | | - | - | -| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.| -| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. | +| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as constructed as possible.| +| No | Consider a focused and phased deployment for specific groups by using a few rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. | ### Does your organization have Help Desk support? -Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered. +Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow isn't hampered. | Possible answers | Design considerations | | - | - | @@ -140,7 +140,7 @@ Any successful application control policy implementation is based on your knowle | Possible answers | Design considerations | | - | - | | Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. | -| No | You will have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.| +| No | You'll have to perform an audit and requirements gathering project to discover the application usage. AppLocker provides the means to deploy policies in **Audit only** mode, and tools to view the event logs.| ### How do you deploy or sanction applications (upgraded or new) in your organization? @@ -159,7 +159,7 @@ Although SRP and AppLocker have the same goal, AppLocker is a major revision of | Possible answers | Design considerations | | - | - | -| Yes | You cannot use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

    **Note:** If you are using the Basic User security level as assigned in SRP, those permissions are not supported on computers running the supported operating systems.| +| Yes | You can't use AppLocker to manage SRP settings, but you can use SRP to manage application control policies on computers running on any of the supported operating systems listed in [Requirements to use AppLocker](requirements-to-use-applocker.md). In addition, if AppLocker and SRP settings are configured in the same GPO, only the AppLocker settings will be enforced on computers running those supported operating systems.

    **Note:** If you're using the Basic User security level as assigned in SRP, those permissions aren't supported on computers running the supported operating systems.| | No | Policies that are configured for AppLocker can only be applied to computers running the supported operating systems, but SRP is also available on those operating systems. | ### What are your organization's priorities when implementing application control policies? @@ -168,19 +168,19 @@ Some organizations will benefit from application control policies as shown by an | Possible answers | Design considerations | | - | - | -| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | -| Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps| +| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run various softwares from different sources, including software that they developed. Therefore, if innovation and productivity are a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. | +| Management: The organization is aware of and controls the applications it supports. | In some business groups, application usage can be managed from a central point of control. AppLocker policies can be built into a GPO for that purpose. This GPO shifts the burden of application access to the IT department, but it also has the benefit of controlling the number of applications that can be run and controlling the versions of those applications| | Security: The organization must protect data in part by ensuring that only approved apps are used. | AppLocker can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.| ### How are apps currently accessed in your organization? -AppLocker is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules. +AppLocker is effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a few rules. | Possible answers | Design considerations | | - | - | | Users run without administrative rights. | Apps are installed by using an installation deployment technology.| -| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.

    **Note:** AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it is important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. -| Users currently have administrator access, and it would be difficult to change this.|Enforcing AppLocker rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.| +| AppLocker can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using AppLocker to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.

    **Note:** AppLocker can also be effective in helping create standardized desktops in organizations where users run as administrators. However, it's important to note that users with administrative credentials can add new rules to the local AppLocker policy.| Users must be able to install applications as needed. +| Users currently have administrator access, and it would be difficult to change this privilege.|Enforcing AppLocker rules isn't suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using AppLocker or to implement the **Audit only** enforcement setting through AppLocker.| ### Is the structure in Active Directory Domain Services based on the organization's hierarchy? diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 92bd84efc4..5afe6be646 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -36,7 +36,7 @@ If no AppLocker rules for a specific rule collection exist, all files with that A rule can be configured to use either an allow or deny action: - **Allow**. You can specify which files are allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. -- **Deny**. You can specify which files are not allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. +- **Deny**. You can specify which files aren't allowed to run in your environment and for which users or groups of users. You can also configure exceptions to identify files that are excluded from the rule. >**Important:**  You can use a combination of allow actions and deny actions. However, we recommend using allow actions with exceptions because deny actions override allow actions in all cases. Deny actions can also be circumvented. For example, if you configure a deny action for a file or folder path, the user can still run the file from any other path.   diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index 295497d103..d4eab6bcf6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -33,9 +33,9 @@ This topic describes the result of applying AppLocker rule exceptions to rule co You can apply AppLocker rules to individual users or a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. -For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but does not allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception of the rule). +For example, the rule "Allow Everyone to run Windows except Registry Editor" allows Everyone to run Windows binaries, but doesn't allow anyone to run Registry Editor (by adding %WINDIR%\regedit.exe as a Path Exception for the rule). The effect of this rule would prevent users such as Helpdesk personnel from running the Registry Editor, a program that is necessary for their support tasks. -To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. +To resolve this problem, create a second rule that applies to the Helpdesk user group: "Allow Helpdesk to run Registry Editor" and add %WINDIR%\regedit.exe as an allowed path. If you create a deny rule that doesn't allow any users to run Registry Editor, the deny rule will override the second rule that allows the Helpdesk user group to run Registry Editor. ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 2a8b980f8f..9e63783239 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -1,6 +1,6 @@ --- title: Understanding the file hash rule condition in AppLocker (Windows) -description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. +description: This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it's applied. ms.assetid: 4c6d9af4-2b1a-40f4-8758-1a6f9f147756 ms.reviewer: ms.author: macapara @@ -29,9 +29,9 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. +This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it's applied. -File hash rules use a system-computed cryptographic hash of the identified file. For files that are not digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition. +File hash rules use a system-computed cryptographic hash of the identified file. For files that aren't digitally signed, file hash rules are more secure than path rules. The following table describes the advantages and disadvantages of the file hash condition. | File hash condition advantages | File hash condition disadvantages | | - | - | diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index 4aa28b9f43..e47540ebc1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -1,6 +1,6 @@ --- title: Understanding the path rule condition in AppLocker (Windows) -description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. +description: This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it's applied. ms.assetid: 3fa54ded-4466-4f72-bea4-2612031cad43 ms.reviewer: ms.author: macapara @@ -29,7 +29,7 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. +This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it's applied. The path condition identifies an application by its location in the file system of the computer or on the network. @@ -39,11 +39,11 @@ When creating a rule that uses a deny action, path conditions are less secure th |--- |--- | |
  • You can easily control many folders or a single file.
  • You can use the asterisk (*) as a wildcard character within path rules.|
  • It might be less secure if a rule that is configured to use a folder path contains subfolders that are writable by non-administrators.
  • You must specify the full path to a file or folder when creating path rules so that the rule will be properly enforced.| -AppLocker does not enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. +AppLocker doesn't enforce rules that specify paths with short names. You should always specify the full path to a file or folder when creating path rules so that the rule will be properly enforced. The asterisk (\*) wildcard character can be used within **Path** field. The asterisk (\*) character used by itself represents any path. When combined with any string value, the rule is limited to the path of the file and all the files under that path. For example, %ProgramFiles%\\Internet Explorer\\\* indicates that all files and subfolders within the Internet Explorer folder will be affected by the rule. -AppLocker uses path variables for well-known directories in Windows. Path variables are not environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. +AppLocker uses path variables for well-known directories in Windows. Path variables aren't environment variables. The AppLocker engine can only interpret AppLocker path variables. The following table details these path variables. | Windows directory or drive | AppLocker path variable | Windows environment variable | diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 55d9299a0f..22ab048b3b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -1,6 +1,6 @@ --- title: Understanding the publisher rule condition in AppLocker (Windows) -description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. +description: This topic explains the AppLocker publisher rule condition, what controls are available, and how it's applied. ms.assetid: df61ed8f-a97e-4644-9d0a-2169f18c1c4f ms.reviewer: ms.author: macapara @@ -29,25 +29,25 @@ ms.technology: windows-sec >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). -This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. +This topic explains the AppLocker publisher rule condition, what controls are available, and how it's applied. Publisher conditions can be made only for files that are digitally signed; this condition identifies an app based on its digital signature and extended attributes. The digital signature contains information about the company that created the app (the publisher). The extended attributes, which are obtained from the binary resource, contain the name of the product that the app is part of and the version number of the app. The publisher may be a software development company, such as Microsoft, or the Information Technology department of your organization. -Publisher conditions are easier to maintain than file hash conditions and are generally more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages +Publisher conditions are easier to maintain than file hash conditions and are more secure than path conditions. Rules that are specified to the version level might have to be updated when a new version of the file is released. The following table describes the advantages and disadvantages of the publisher condition. |Publisher condition advantages|Publisher condition disadvantages| |--- |--- | -|
  • Frequent updating is not required.
  • You can apply different values within a certificate.
  • A single rule can be used to allow an entire product suite.
  • You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.|
  • The file must be signed.
  • Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.| +|
  • Frequent updating isn't required.
  • You can apply different values within a certificate.
  • A single rule can be used to allow an entire product suite.
  • You can use the asterisk (*) wildcard character within a publisher rule to specify that any value should be matched.|
  • The file must be signed.
  • Although a single rule can be used to allow an entire product suite, all files in the suite must be signed uniformly.| Wildcard characters can be used as values in the publisher rule fields according to the following specifications: - **Publisher** - The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) is not a valid wildcard character in this field. + The asterisk (\*) character used by itself represents any publisher. When combined with any string value, the rule is limited to the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. For example, using the characters "M\*" limits the publisher name to only a publisher with the name "M\*." Using the characters "\*x\*" limits the publisher name only to the name “\*x\*”. A question mark (?) isn't a valid wildcard character in this field. - **Product name** - The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk is not treated as a wildcard character if used with other characters in this field. A question mark (?) is not a valid wildcard character in this field. + The asterisk (\*) character used by itself represents any product name. When combined with any string value, the rule is limited to the product of the publisher with a value in the signed certificate that matches the character string. In other words, the asterisk isn't treated as a wildcard character if used with other characters in this field. A question mark (?) isn't a valid wildcard character in this field. - **File name** diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index e054f32aa9..a5ef9054dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -33,7 +33,7 @@ This topic for the IT professional describes the steps to create and maintain Ap ## Background and prerequisites -An AppLocker reference device is a baseline device you can use to configure policies and can subsequently be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md). +An AppLocker reference device is a baseline device you can use to configure policies and can then be used to maintain AppLocker policies. For the procedure to configure a reference device, see [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md). An AppLocker reference device that is used to create and maintain AppLocker policies should contain the corresponding apps for each organizational unit (OU) to mimic your production environment. @@ -43,7 +43,7 @@ You can perform AppLocker policy testing on the reference device by using the ** ## Step 1: Automatically generate rules on the reference device -With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For the procedure to do this, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). +With AppLocker, you can automatically generate rules for all files within a folder. AppLocker scans the specified folder and creates the condition types that you choose for each file in that folder. For information on how to automatically generate rules, see [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md). >**Note:**  If you run this wizard to create your first rules for a Group Policy Object (GPO), after you complete the wizard, you will be prompted to create the default rules, which allow critical system files to run. You can edit the default rules at any time. If your organization has decided to edit the default rules or create custom rules to allow the Windows system files to run, ensure that you delete the default rules after you replace them with your custom rules. @@ -55,7 +55,7 @@ AppLocker includes default rules for each rule collection. These rules are inten ## Step 3: Modify rules and the rule collection on the reference device -If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For the procedure to do this, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: +If AppLocker policies are currently running in your production environment, export the policies from the corresponding GPOs and save them to the reference device. For information on how to export and save the policies, see [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md). If no AppLocker policies have been deployed, create the rules and develop the policies by using the following procedures: - [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) - [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md) @@ -68,7 +68,7 @@ If AppLocker policies are currently running in your production environment, expo ## Step 4: Test and update AppLocker policy on the reference device -You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it is receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step: +You should test each set of rules to ensure that they perform as intended. The **Test-AppLockerPolicy** Windows PowerShell cmdlet can be used to determine whether any of the rules in your rule collection will be blocked on your reference device. Perform the steps on each reference device that you used to define the AppLocker policy. Ensure that the reference device is joined to the domain and that it's receiving the AppLocker policy from the appropriate GPO. Because AppLocker rules are inherited from linked GPOs, you should deploy all of the rules to simultaneously test all of your test GPOs. Use the following procedures to complete this step: - [Test an AppLocker Policy with Test-AppLockerPolicy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791772(v=ws.10)) - [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10)) @@ -77,17 +77,17 @@ You should test each set of rules to ensure that they perform as intended. The * ## Step 5: Export and import the policy into production -When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that are not managed by Group Policy) and checked for its intended effectiveness. To do this, perform the following procedures: +When the AppLocker policy has been tested successfully, it can be imported into the GPO (or imported into individual computers that aren't managed by Group Policy) and checked for its intended effectiveness. To do these tasks, perform the following procedures: - [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md) - [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md) or - [Discover the Effect of an AppLocker Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee791823(v=ws.10)) -If the AppLocker policy enforcement setting is **Audit only** and you are satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). +If the AppLocker policy enforcement setting is **Audit only** and you're satisfied that the policy is fulfilling your intent, you can change it to **Enforce rules**. For info about how to change the enforcement setting, see [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md). ## Step 6: Monitor the effect of the policy in production -If additional refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy: +If more refinements or updates are necessary after a policy is deployed, use the appropriate following procedures to monitor and update the policy: - [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md) - [Edit an AppLocker policy](edit-an-applocker-policy.md) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 40d68279fe..37a691a28f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -34,7 +34,7 @@ This topic for IT professionals describes concepts and procedures to help you ma ## Using AppLocker and Software Restriction Policies in the same domain AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running -Windows Server 2008 R2, Windows 7 and later. It is recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, +Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored. The following table compares the features and functions of Software Restriction Policies (SRP) and AppLocker. @@ -45,15 +45,15 @@ The following table compares the features and functions of Software Restriction |Policy creation|SRP policies are maintained through Group Policy and only the administrator of the GPO can update the SRP policy. The administrator on the local computer can modify the SRP policies defined in the local GPO.|AppLocker policies are maintained through Group Policy and only the administrator of the GPO can update the policy. The administrator on the local computer can modify the AppLocker policies defined in the local GPO.

    AppLocker permits customization of error messages to direct users to a Web page for help.| |Policy maintenance|SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).|AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.| |Policy application|SRP policies are distributed through Group Policy.|AppLocker policies are distributed through Group Policy.| -|Enforcement mode|SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

    SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there is a matching allow rule.| -|File types that can be controlled|SRP can control the following file types:
  • Executables
  • Dlls
  • Scripts
  • Windows Installers

    SRP cannot control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
  • Executables
  • Dlls
  • Scripts
  • Windows Installers
  • Packaged apps and installers

    AppLocker maintains a separate rule collection for each of the five file types.| +|Enforcement mode|SRP works in the “blocklist mode” where administrators can create rules for files that they don't want to allow in this Enterprise whereas the rest of the file is allowed to run by default.

    SRP can also be configured in the “allowlist mode” so that by default all files are blocked and administrators need to create allow rules for files that they want to allow.|AppLocker by default works in the “allowlist mode” where only those files are allowed to run for which there's a matching allow rule.| +|File types that can be controlled|SRP can control the following file types:
  • Executables
  • Dlls
  • Scripts
  • Windows Installers

    SRP can't control each file type separately. All SRP rules are in a single rule collection.|AppLocker can control the following file types:
  • Executables
  • Dlls
  • Scripts
  • Windows Installers
  • Packaged apps and installers

    AppLocker maintains a separate rule collection for each of the five file types.| |Designated file types|SRP supports an extensible list of file types that are considered executable. Administrators can add extensions for files that should be considered executable.|AppLocker currently supports the following file extensions:
  • Executables (.exe, .com)
  • Dlls (.ocx, .dll)
  • Scripts (.vbs, .js, .ps1, .cmd, .bat)
  • Windows Installers (.msi, .mst, .msp)
  • Packaged app installers (.appx)| |Rule types|SRP supports four types of rules:
  • Hash
  • Path
  • Signature
  • Internet zone|AppLocker supports three types of rules:
  • File hash
  • Path
  • Publisher| -|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.

    Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.| -|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.

    SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker does not support security levels.| +|Editing the hash value|In Windows XP, you could use SRP to provide custom hash values.

    Beginning with Windows 7 and Windows Server 2008 R2, you can only select the file to hash, and not provide the hash value.|AppLocker computes the hash value itself. Internally, it uses the SHA2 Authenticode hash for Portable Executables (exe and dll) and Windows Installers and an SHA2 flat file hash for the rest.| +|Support for different security levels|With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.

    SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).|AppLocker doesn't support security levels.| |Manage Packaged apps and Packaged app installers.|Not supported|.appx is a valid file type which AppLocker can manage.| |Targeting a rule to a user or a group of users|SRP rules apply to all users on a particular computer.|AppLocker rules can be targeted to a specific user or a group of users.| -|Support for rule exceptions|SRP does not support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.| -|Support for audit mode|SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.| -|Support for exporting and importing policies|SRP does not support policy import/export.|AppLocker supports the importing and exporting of policies. This allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.| +|Support for rule exceptions|SRP doesn't support rule exceptions.|AppLocker rules can have exceptions, which allow you to create rules such as “Allow everything from Windows except for regedit.exe”.| +|Support for audit mode|SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.|AppLocker supports audit mode, which allows you to test the effect of their policy in the real production environment without impacting the user experience. Once you're satisfied with the results, you can start enforcing the policy.| +|Support for exporting and importing policies|SRP doesn't support policy import/export.|AppLocker supports the importing and exporting of policies. This support by AppLocker allows you to create AppLocker policy on a sample device, test it out and then export that policy and import it back into the desired GPO.| |Rule enforcement|Internally, SRP rules enforcement happens in the user-mode, which is less secure.|Internally, AppLocker rules for .exe and .dll files are enforced in the kernel-mode, which is more secure than enforcing them in the user-mode.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index 636ea5f18b..2751109b02 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -43,7 +43,7 @@ Local Security policy snap-in, you must be a member of the local **Administrator The [Get-AppLockerFileInformation](/powershell/module/applocker/get-applockerfileinformation) cmdlet retrieves the AppLocker file information from a list of files or from an event log. File information that is retrieved can include publisher information, file hash information, and file path information. -File information from an event log may not contain all of these fields. Files that are not signed do not have any publisher information. +File information from an event log may not contain all of these fields. Files that aren't signed don't have any publisher information. ### Set AppLocker policy @@ -62,6 +62,6 @@ list of file information. The [Test-AppLockerPolicy](/powershell/module/applocker/test-applockerpolicy) cmdlet uses the specified AppLocker policy to test whether a specified list of files are allowed to run or not on the local device for a specific user. -## Additional resources +## Other resources - For steps to perform other AppLocker policy tasks, see [Administer AppLocker](administer-applocker.md). \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 0274a768dd..c034755acb 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -39,7 +39,7 @@ The AppLocker log contains information about applications that are affected by A - The rule name - The security identifier (SID) for the user or group identified in the rule -Review the entries in the Event Viewer to determine if any applications are not included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). +Review the entries in the Event Viewer to determine if any applications aren't included in the rules that you automatically generated. For instance, some line-of-business apps are installed to non-standard locations, such as the root of the active drive (for example: %SystemDrive%). For info about what to look for in the AppLocker event logs, see [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md). @@ -52,14 +52,14 @@ The following table contains information about the events that you can use to de | Event ID | Level | Event message | Description | | - | - | - | - | -| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy was not applied correctly to the computer. The status message is provided for troubleshooting purposes.| +| 8000 | Error| Application Identity Policy conversion failed. Status *<%1> *| Indicates that the policy wasn't applied correctly to the computer. The status message is provided for troubleshooting purposes.| | 8001 | Information| The AppLocker policy was applied successfully to this computer.| Indicates that the AppLocker policy was successfully applied to the computer.| | 8002 | Information| *<File name> * was allowed to run.| Specifies that the .exe or .dll file is allowed by an AppLocker rule.| -| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file cannot run.| +| 8003 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the .exe or .dll file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8004 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The .exe or .dll file can't run.| | 8005| Information| *<File name> * was allowed to run.| Specifies that the script or .msi file is allowed by an AppLocker rule.| -| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy were enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | -| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file cannot run.| +| 8006 | Warning| *<File name> * was allowed to run but would have been prevented from running if the AppLocker policy was enforced.| Applied only when the **Audit only** enforcement mode is enabled. Specifies that the script or .msi file would be blocked if the **Enforce rules** enforcement mode were enabled. | +| 8007 | Error| *<File name> * was not allowed to run.| Access to *<file name>* is restricted by the administrator. Applied only when the **Enforce rules** enforcement mode is set either directly or indirectly through Group Policy inheritance. The script or .msi file can't run.| | 8008| Error| AppLocker disabled on the SKU.| Added in Windows Server 2012 and Windows 8.| | 8020| Information| Packaged app allowed.| Added in Windows Server 2012 and Windows 8.| | 8021| Information| Packaged app audited.| Added in Windows Server 2012 and Windows 8.| @@ -68,12 +68,12 @@ The following table contains information about the events that you can use to de | 8024 | Information| Packaged app installation audited.| Added in Windows Server 2012 and Windows 8.| | 8025 | Warning| Packaged app installation disabled.| Added in Windows Server 2012 and Windows 8.| | 8027 | Warning| No Packaged app rule configured.| Added in Windows Server 2012 and Windows 8.| -| 8028 | Warning | * was allowed to run but would have been prevented if the Config CI policy were enforced.| Added in Windows Server 2016 and Windows 10.| +| 8028 | Warning | * was allowed to run but would have been prevented if the Config CI policy was enforced.| Added in Windows Server 2016 and Windows 10.| | 8029 | Error | * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.| | 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.| -| 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| -| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit Applocker Policy. | Added in Windows Server 2016 and Windows 10.| +| 8032 | Esrror | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| +| 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. | Added in Windows Server 2016 and Windows 10.| | 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8036 | Error | * was prevented from running due to Config CI policy | Added in Windows Server 2016 and Windows 10.| diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 47f5faeacd..96c1644d3a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -37,7 +37,7 @@ You might want to deploy application control policies in Windows operating syste ## Use SRP and AppLocker in the same domain -SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they are applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). +SRP and AppLocker use Group Policy for domain management. However, when policies are generated by SRP and AppLocker exist in the same domain, and they're applied through Group Policy, AppLocker policies take precedence over policies generated by SRP on computers that are running an operating system that supports AppLocker. For info about how inheritance in Group Policy applies to AppLocker policies and policies generated by SRP, see [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md). >**Important:**  As a best practice, use separate Group Policy Objects to implement your SRP and AppLocker policies. To reduce troubleshooting issues, do not combine them in the same GPO. @@ -45,15 +45,15 @@ The following scenario provides an example of how each type of policy would affe | Operating system | Tellers GPO with AppLocker policy | Tellers GPO with SRP | Tellers GPO with AppLocker policy and SRP | | - | - | - | - | -| Windows 10, Windows 8.1, Windows 8,and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| -| Windows Vista| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| -| Windows XP| AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies are not applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| +| Windows 10, Windows 8.1, Windows 8, and Windows 7 | AppLocker policies in the GPO are applied, and they supersede any local AppLocker policies.| Local AppLocker policies supersede policies generated by SRP that are applied through the GPO. | AppLocker policies in the GPO are applied, and they supersede the policies generated by SRP in the GPO and local AppLocker policies or policies generated by SRP.| +| Windows Vista| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP.AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| +| Windows XP| AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies aren't applied.| Policies generated by SRP in the GPO are applied, and they supersede local policies generated by SRP. AppLocker policies not applied.| >**Note:**  For info about supported versions and editions of the Windows operating system, see [Requirements to use AppLocker](requirements-to-use-applocker.md). ## Test and validate SRPs and AppLocker policies that are deployed in the same environment -Because SRPs and AppLocker policies function differently, they should not be implemented in the same GPO. This makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. +Because SRPs and AppLocker policies function differently, they shouldn't be implemented in the same GPO. This rule, when implemented, makes testing the result of the policy straightforward, which is critical to successfully controlling application usage in the organization. Configuring a testing and policy distribution system can help you understand the result of a policy. The effects of policies generated by SRP and AppLocker policies need to be tested separately and by using different tools. ### Step 1: Test the effect of SRPs diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index 1196a83dee..dc46fa241d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -76,10 +76,10 @@ The following table compares the application control functions of Software Restr |User support|SRP allows users to install applications as an administrator.|AppLocker policies are maintained through Group Policy, and only the administrator of the device can update an AppLocker policy.

    AppLocker permits customization of error messages to direct users to a Web page for help.| |Policy maintenance|SRP policies are updated by using the Local Security Policy snap-in or the Group Policy Management Console (GPMC).|AppLocker policies are updated by using the Local Security Policy snap-in or the GPMC.

    AppLocker supports a small set of PowerShell cmdlets to aid in administration and maintenance.| |Policy management infrastructure|To manage SRP policies, SRP uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.|To manage AppLocker policies, AppLocker uses Group Policy within a domain and the Local Security Policy snap-in for a local computer.| -|Block malicious scripts|Rules for blocking malicious scripts prevents all scripts associated with the Windows Script Host from running, except those that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.| +|Block malicious scripts|Rules for blocking malicious scripts prevent all scripts associated with the Windows Script Host from running, except those scripts that are digitally signed by your organization.|AppLocker rules can control the following file formats: .ps1, .bat, .cmd, .vbs, and .js. In addition, you can set exceptions to allow specific files to run.| |Manage software installation|SRP can prevent all Windows Installer packages from installing. It allows .msi files that are digitally signed by your organization to be installed.|The Windows Installer rule collection is a set of rules created for Windows Installer file types (.mst, .msi and .msp) to allow you to control the installation of files on client computers and servers.| |Manage all software on the computer|All software is managed in one rule set. By default, the policy for managing all software on a device disallows all software on the user's device, except software that is installed in the Windows folder, Program Files folder, or subfolders.|Unlike SRP, each AppLocker rule collection functions as an allowed list of files. Only the files that are listed within the rule collection will be allowed to run. This configuration makes it easier for administrators to determine what will occur when an AppLocker rule is applied.| -|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. Using AppLocker, an administrator can specify the user to whom a specific rule should apply.| +|Different policies for different users|Rules are applied uniformly to all users on a particular device.|On a device that is shared by multiple users, an administrator can specify the groups of users who can access the installed software. An administrator uses AppLocker to specify the user to whom a specific rule should apply.| ## Related topics diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 4379162473..4ad45cf9e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -37,7 +37,7 @@ This topic for IT professionals describes AppLocker rule types and how to work w | [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a path condition.| | [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md) | This topic for IT professionals shows how to create an AppLocker rule with a publisher condition.| | [Create AppLocker default rules](create-applocker-default-rules.md) | This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run.| -| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule.| +| [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md) | This topic for IT professionals describes the steps to specify which apps can or can't run as exceptions to an AppLocker rule.| | [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md) | This topic for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition.| | [Delete an AppLocker rule](delete-an-applocker-rule.md) | This topic for IT professionals describes the steps to delete an AppLocker rule.| | [Edit AppLocker rules](edit-applocker-rules.md) | This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker.| @@ -49,11 +49,11 @@ The three AppLocker enforcement modes are described in the following table. The | Enforcement mode | Description | | - | - | -| **Not configured** | This is the default setting which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.| +| **Not configured** | This is the default setting, which means that the rules defined here will be enforced unless a linked GPO with a higher precedence has a different value for this setting.| | **Enforce rules** | Rules are enforced.| -| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection are not enforced| +| **Audit only** | Rules are audited but not enforced. When a user runs an app that is affected by an AppLocker rule, the app is allowed to run and the info about the app is added to the AppLocker event log. The Audit-only enforcement mode helps you determine which apps will be affected by the policy before the policy is enforced. When the AppLocker policy for a rule collection is set to **Audit only**, rules for that rule collection aren't enforced| -When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged and the enforcement mode setting of the winning GPO is applied. +When AppLocker policies from various GPOs are merged, the rules from all the GPOs are merged, and the enforcement mode setting of the winning GPO is applied. ## Rule collections The AppLocker console is organized into rule collections, which are executable files, scripts, Windows Installer files, packaged apps and packaged app installers, and DLL files. These collections give you an easy way to differentiate the rules for different types of apps. The following table lists the file formats that are included in each rule collection. @@ -70,9 +70,9 @@ The AppLocker console is organized into rule collections, which are executable f When DLL rules are used, AppLocker must check each DLL that an application loads. Therefore, users may experience a reduction in performance if DLL rules are used. -The DLL rule collection is not enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). +The DLL rule collection isn't enabled by default. To learn how to enable the DLL rule collection, see [DLL rule collections](#bkmk-dllrulecollections). -EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it is a valid PE file. +EXE rules apply to portable executable (PE) files. AppLocker checks whether a file is a valid PE file, rather than just applying rules based on file extension, which attackers can easily change. Regardless of the file extension, the AppLocker EXE rule collection will work on a file as long as it's a valid PE file. ## Rule conditions @@ -84,13 +84,13 @@ Rule conditions are criteria that help AppLocker identify the apps to which the ### Publisher -This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. In case of executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. In case of packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. +This condition identifies an app based on its digital signature and extended attributes when available. The digital signature contains info about the company that created the app (the publisher). Executable files, dlls, Windows installers, packaged apps and packaged app installers also have extended attributes, which are obtained from the binary resource. If there's executable files, dlls and Windows installers, these attributes contain the name of the product that the file is a part of, the original name of the file as supplied by the publisher, and the version number of the file. If there are packaged apps and packaged app installers, these extended attributes contain the name and the version of the app package. > **Note:** Rules created in the packaged apps and packaged app installers rule collection can only have publisher conditions since Windows does not support unsigned packaged apps and packaged app installers. > > **Note:** Use a publisher rule condition when possible because they can survive app updates as well as a change in the location of files. -When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving the slider up or by using a wildcard character (\*) in the product, file name, or version number fields. +When you select a reference file for a publisher condition, the wizard creates a rule that specifies the publisher, product, file name, and version number. You can make the rule more generic by moving up the slider or by using a wildcard character (\*) in the product, file name, or version number fields. >**Note:**  To enter custom values for any of the fields of a publisher rule condition in the Create Rules Wizard, you must select the **Use custom values** check box. When this check box is selected, you cannot use the slider. @@ -108,8 +108,8 @@ The following table describes how a publisher condition is applied. | **All signed files** | All files that are signed by any publisher.| | **Publisher only**| All files that are signed by the named publisher.| | **Publisher and product name**| All files for the specified product that are signed by the named publisher.| -| **Publisher and product name, and file name**| Any version of the named file or package for the named product that are signed by the publisher.| -| **Publisher, product name, file name, and file version**| **Exactly**
    The specified version of the named file or package for the named product that are signed by the publisher.| +| **Publisher and product name, and file name**| Any version of the named file or package for the named product that is signed by the publisher.| +| **Publisher, product name, file name, and file version**| **Exactly**
    The specified version of the named file or package for the named product that is signed by the publisher.| | **Publisher, product name, file name, and file version**| **And above**
    The specified version of the named file or package and any new releases for the product that are signed by the publisher.| | **Publisher, product name, file name, and file version**| **And below**
    The specified version of the named file or package and any earlier versions for the product that are signed by the publisher.| | **Custom**| You can edit the **Publisher**, **Product name**, **File name**, **Version** **Package name**, and **Package version** fields to create a custom rule.| @@ -184,13 +184,13 @@ A rule can be configured to use allow or deny actions: ## Rule exceptions -You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it does not allow anyone to run Registry Editor. +You can apply AppLocker rules to individual users or to a group of users. If you apply a rule to a group of users, all users in that group are affected by that rule. If you need to allow a subset of a user group to use an app, you can create a special rule for that subset. For example, the rule "Allow everyone to run Windows except Registry Editor" allows everyone in the organization to run the Windows operating system, but it doesn't allow anyone to run Registry Editor. -The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that does not allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. +The effect of this rule would prevent users such as Help Desk personnel from running a program that is necessary for their support tasks. To resolve this problem, create a second rule that applies to the Help Desk user group: "Allow Help Desk to run Registry Editor." If you create a deny rule that doesn't allow any users to run Registry Editor, the deny rule will override the second rule that allows the Help Desk user group to run Registry Editor. ## DLL rule collection -Because the DLL rule collection is not enabled by default, you must perform the following procedure before you can create and enforce DLL rules. +Because the DLL rule collection isn't enabled by default, you must perform the following procedure before you can create and enforce DLL rules. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. @@ -208,21 +208,21 @@ Membership in the local **Administrators** group, or equivalent, is the minimum You can create rules by using two AppLocker wizards: 1. The Create Rules Wizard enables you to create one rule at a time. -2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or in case of packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. +2. The Automatically Generate Rules Wizard allows you to create multiple rules at one time. You can either select a folder and let the wizard create rules for the relevant files within that folder or if there are packaged apps let the wizard create rules for all packaged apps installed on the computer. You can also specify the user or group to which to apply the rules. This wizard automatically generates allow rules only. -## Additional considerations +## Other considerations -- By default, AppLocker rules do not allow users to open or run any files that are not specifically allowed. Administrators should maintain an up-to-date list of allowed applications. -- There are two types of AppLocker conditions that do not persist following an update of an app: +- By default, AppLocker rules don't allow users to open or run any files that aren't allowed. Administrators should maintain an up-to-date list of allowed applications. +- There are two types of AppLocker conditions that don't persist following an update of an app: - **A file hash condition** File hash rule conditions can be used with any app because a cryptographic hash value of the app is generated at the time the rule is created. However, the hash value is specific to that exact version of the app. If there are several versions of the application in use within the organization, you need to create file hash conditions for each version in use and for any new versions that are released. - - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule cannot persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. + - **A publisher condition with a specific product version set** If you create a publisher rule condition that uses the **Exactly** version option, the rule can't persist if a new version of the app is installed. A new publisher condition must be created, or the version must be edited in the rule to be made less specific. -- If an app is not digitally signed, you cannot use a publisher rule condition for that app. -- AppLocker rules cannot be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. +- If an app isn't digitally signed, you can't use a publisher rule condition for that app. +- AppLocker rules can't be used to manage computers running a Windows operating system earlier than Windows Server 2008 R2 or Windows 7. Software Restriction Policies must be used instead. If AppLocker rules are defined in a Group Policy Object (GPO), only those rules are applied. To ensure interoperability between Software Restriction Policies rules and AppLocker rules, define Software Restriction Policies rules and AppLocker rules in different GPOs. - The packaged apps and packaged apps installer rule collection is available on devices running at least Windows Server 2012 and Windows 8. -- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection does not contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection. -- When an AppLocker rule collection is set to **Audit only**, the rules are not enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log. +- When the rules for the executable rule collection are enforced and the packaged apps and packaged app installers rule collection doesn't contain any rules, no packaged apps and packaged app installers are allowed to run. In order to allow any packaged apps and packaged app installers, you must create rules for the packaged apps and packaged app installers rule collection. +- When an AppLocker rule collection is set to **Audit only**, the rules aren't enforced. When a user runs an application that is included in the rule, the app is opened and runs normally, and information about that app is added to the AppLocker event log. - A custom configured URL can be included in the message that is displayed when an app is blocked. -- Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they cannot run apps that are not allowed. +- Expect an increase in the number of Help Desk calls initially because of blocked apps until users understand that they can't run apps that aren't allowed. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 839aa3a791..ec6a1a8178 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -33,7 +33,7 @@ Windows 10 (version 1703) introduced a new option for Windows Defender Applicati ## How does a managed installer work? -Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they are tagged as originating from a managed installer. +Managed installer uses a special rule collection in **AppLocker** to designate binaries that are trusted by your organization as an authorized source for application installation. When one of these trusted binaries runs, Windows monitors the binary's process (and processes it launches) and watches for files being written to disk. As files are written, they're tagged as originating from a managed installer. You can then configure WDAC to trust files that are installed by a managed installer by adding the "Enabled:Managed Installer" option to your WDAC policy. When that option is set, WDAC will check for managed installer origin information when determining whether or not to allow a binary to run. As long as there are no deny rules for the binary, WDAC will allow it to run based purely on its managed installer origin. @@ -45,7 +45,7 @@ Users with administrator privileges, or malware running as an administrator user If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. -Some application installers may automatically run the application at the end of the installation process. If this happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. +Some application installers may automatically run the application at the end of the installation process. If this execution of the application happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. ## Known limitations with managed installer @@ -66,11 +66,11 @@ To turn on managed installer tracking, you must: ### Create and deploy an AppLocker policy that defines your managed installer rules and enables services enforcement for executables and DLLs -Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. +Currently, both the AppLocker policy creation UI in GPO Editor and the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use an XML or text editor to convert an EXE rule collection policy into a ManagedInstaller rule collection. > [!NOTE] > Only EXE file types can be designated as managed installers. -1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. This example creates a rule for Microsoft's Intune Management Extension using the Publisher rule type, but any AppLocker rule type can be used. You may need to reformat the output for readability. +1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you're designating as a managed installer. This example creates a rule for Microsoft's Intune Management Extension using the Publisher rule type, but any AppLocker rule type can be used. You may need to reformat the output for readability. ```powershell Get-ChildItem ${env:ProgramFiles(x86)}'\Microsoft Intune Management Extension\Microsoft.Management.Services.IntuneWindowsAgent.exe' | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml > AppLocker_MI_PS_ISE.xml @@ -125,7 +125,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ``` -4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This ensures the policy will merge successfully on devices which may already have an AppLocker policy in place. +4. Verify your AppLocker policy. The following example shows a complete AppLocker policy that sets Configuration Manager and Microsoft Endpoint Manager Intune as managed installers. Only those AppLocker rule collections that have actual rules defined are included in the final XML. This condition-based inclusion ensures the policy will merge successfully on devices that may already have an AppLocker policy in place. ```xml @@ -205,7 +205,7 @@ Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerS ## Enable the managed installer option in WDAC policy In order to enable trust for the binaries laid down by managed installers, the "Enabled: Managed Installer" option must be specified in your WDAC policy. -This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. +This setting can be defined by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13. Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option. @@ -232,7 +232,7 @@ Below are steps to create a WDAC policy that allows Windows to boot and enables ## Remove Managed Installer feature -To remove the Managed Installer feature from the device, you will need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems). +To remove the Managed Installer feature from the device, you'll need to remove the Managed Installer AppLocker policy from the device by following the instructions at [Delete an AppLocker rule: Clear AppLocker policies on a single system or remote systems](applocker/delete-an-applocker-rule.md#to-clear-applocker-policies-on-a-single-system-or-remote-systems). ## Related articles From b5bafd05e92d6d2c87af4d777a87840931a44d7e Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 25 Jul 2022 11:18:22 +0530 Subject: [PATCH 11/77] removed contractions wherever not needed --- windows/security/threat-protection/auditing/event-4957.md | 4 ++-- windows/security/threat-protection/auditing/event-4958.md | 2 +- windows/security/threat-protection/auditing/event-5038.md | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index 0f2cc44b6b..d7ab9532ec 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4957(F): Windows Firewall didn't apply the following rule. +# 4957(F): Windows Firewall did not apply the following rule. Event 4957 illustration @@ -83,7 +83,7 @@ This event generates when Windows Firewall starts or apply new rule, and the rul ## Security Monitoring Recommendations -For 4957(F): Windows Firewall didn't apply the following rule. +For 4957(F): Windows Firewall did not apply the following rule. - This event can be a sign of software issues, Windows Firewall registry errors or corruption, or Group Policy setting misconfigurations. We recommend monitoring this event and investigating the reason for the condition. Typically this event indicates configuration issues, not security issues. diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index 5e6f8b57f9..e471571683 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 4958(F): Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. +# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. Windows Firewall with Advanced Security processed a rule that contains parameters that can't be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This exclusion isn't necessarily an error. Examine the rule for applicability on the computers to which it was applied. diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 44d9fafb84..147a3a02be 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -14,7 +14,7 @@ ms.author: dansimp ms.technology: windows-sec --- -# 5038(F): Code integrity determined that the image hash of a file isn't valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. +# 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error. From 86fb982436f420aed812fc743252544ca29ed2b1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 25 Jul 2022 11:59:18 +0530 Subject: [PATCH 12/77] Removed contractions --- .../allow-log-on-through-remote-desktop-services.md | 4 ++-- .../devices-allow-undock-without-having-to-log-on.md | 5 +++-- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index 6a4eff29c5..1a7f1af9a1 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -1,5 +1,5 @@ --- -title: Allow a sign in through Remote Desktop Services (Windows 10) +title: Allow log on through Remote Desktop Services (Windows 10) description: Best practices, location, values, policy management, and security considerations for the security policy setting, Allow a sign in through Remote Desktop Services. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 ms.reviewer: @@ -18,7 +18,7 @@ ms.date: 04/19/2017 ms.technology: windows-sec --- -# Allow sign in through Remote Desktop Services +# Allow log on through Remote Desktop Services **Applies to** - Windows 10 diff --git a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md index fd60b876a5..c0aaf647df 100644 --- a/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/devices-allow-undock-without-having-to-log-on.md @@ -1,5 +1,5 @@ --- -title: Devices Allow undock without having to sign in (Windows 10) +title: Devices Allow undock without having to log on (Windows 10) description: Describes the best practices, location, values, and security considerations for the Devices Allow undock without having to sign in security policy setting. ms.assetid: 1d403f5d-ad41-4bb4-9f4a-0779c1c14b8c ms.reviewer: @@ -18,7 +18,7 @@ ms.date: 04/19/2017 ms.technology: windows-sec --- -# Devices: Allow undock without having to sign in +# Devices: Allow undock without having to log on **Applies to** - Windows 10 @@ -79,6 +79,7 @@ If this policy setting is enabled, anyone with physical access to portable compu ### Countermeasure Disable the **Devices: Allow undock without having to log on** setting. + ### Potential impact Users who have docked their device must sign in to the local console before they can undock their computers. For devices that don't have docking stations, this policy setting has no impact. From 3ac815a31412ead6ac00d1f2e863e3b98d9419bf Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 25 Jul 2022 12:04:52 +0530 Subject: [PATCH 13/77] Update maximum-tolerance-for-computer-clock-synchronization.md --- .../maximum-tolerance-for-computer-clock-synchronization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md index a3684bbc31..e010602641 100644 --- a/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md +++ b/windows/security/threat-protection/security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md @@ -30,7 +30,7 @@ Describes the best practices, location, values, policy management, and security This security setting determines the maximum time difference (in minutes) that Kerberos V5 tolerates between the time on the client clock and the time on the domain controller that provides Kerberos authentication. To prevent "replay attacks," the Kerberos v5 protocol uses time stamps as part of its protocol definition. For time stamps to work properly, the clocks of the client and the domain controller need to be in sync as much as possible. In other words, both devices must be set to the same time and date. -Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, anytime stamp that is used in a session between the two devices is considered to be authentic. +Because the clocks of two computers are often out of sync, you can use this policy setting to establish the maximum acceptable difference to the Kerberos protocol between a client clock and domain controller clock. If the difference between a client computer clock and the domain controller clock is less than the maximum time difference that is specified in this policy, any timestamp that's used in a session between the two devices is considered to be authentic. The possible values for this Group Policy setting are: @@ -85,7 +85,7 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, anytime stamp that is used in a session between the two computers is considered to be authentic. +To prevent "replay attacks" (which are attacks in which an authentication credential is resubmitted by a malicious user or program to gain access to a protected resource), the Kerberos protocol uses time stamps as part of its definition. For time stamps to work properly, the clocks of the client computer and the domain controller need to be closely synchronized. Because the clocks of two computers are often not synchronized, administrators can use this policy to establish the maximum acceptable difference to the Kerberos protocol between a client computer clock and a domain controller clock. If the difference between the client computer clock and the domain controller clock is less than the maximum time difference specified in this setting, any timestamp that's used in a session between the two computers is considered to be authentic. ### Countermeasure From 7978790d0b42c0d7533fdf9c76ece2b9808eb545 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 25 Jul 2022 12:21:31 +0530 Subject: [PATCH 14/77] made changes to language --- .../monitor-application-usage-with-applocker.md | 10 +++++----- ...uthorized-apps-deployed-with-a-managed-installer.md | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 0545d013ef..8ffba58478 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -41,25 +41,25 @@ You can evaluate how the AppLocker policy is currently implemented for documenta When AppLocker policy enforcement is set to **Enforce rules**, rules are enforced for the rule collection and all events are audited. When AppLocker policy enforcement is set to **Audit only**, rules aren't enforced but are still evaluated to generate audit event data that is written to the AppLocker logs. - For information on the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). + For more information on the procedure to access the log, see [View the AppLocker Log in Event Viewer](#bkmk-applkr-view-log). - **Enable the Audit only AppLocker enforcement setting** By using the **Audit only** enforcement setting, you can ensure that the AppLocker rules are properly configured for your organization. When AppLocker policy enforcement is set to **Audit only**, rules are only evaluated but all events generated from that evaluation are written to the AppLocker log. - For information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). + For more information on the procedure to do this configuration, see [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md). - **Review AppLocker events with Get-AppLockerFileInformation** For both event subscriptions and local events, you can use the **Get-AppLockerFileInformation** Windows PowerShell cmdlet to determine which files have been blocked or would have been blocked (if you're using the audit-only enforcement mode) and how many times the event has occurred for each file. - For information on the procedure to do this verification, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). + For more information on the procedure to do this verification, see [Review AppLocker Events with Get-AppLockerFileInformation](#bkmk-applkr-review-events). - **Review AppLocker events with Test-AppLockerPolicy** You can use the **Test-AppLockerPolicy** Windows PowerShell cmdlet to determine whether any of the rules in your rule collections will be blocked on your reference device or the device on which you maintain policies. - For information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). + For more information on the procedure to do this testing, see [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md). ### Review AppLocker events with Get-AppLockerFileInformation @@ -93,7 +93,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum **To view events in the AppLocker log by using Event Viewer** -1. Open Event Viewer by clicking **Start**, typing **eventvwr.msc**, and then pressing ENTER. +1. To open Event Viewer, go to the **Start**, type **eventvwr.msc**, and then select ENTER. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**. AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index ec6a1a8178..21091a96b4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -45,7 +45,7 @@ Users with administrator privileges, or malware running as an administrator user If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. -Some application installers may automatically run the application at the end of the installation process. If this execution of the application happens when the installer is run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. +Some application installers may automatically run the application at the end of the installation process. If the application runs, and the installer was run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. ## Known limitations with managed installer From 5e2a0ebace67caa46c4e345687b5b40a2633e302 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 25 Jul 2022 12:22:16 +0530 Subject: [PATCH 15/77] Update configure-authorized-apps-deployed-with-a-managed-installer.md --- ...nfigure-authorized-apps-deployed-with-a-managed-installer.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md index 21091a96b4..4a69a73487 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md @@ -45,7 +45,7 @@ Users with administrator privileges, or malware running as an administrator user If a managed installer process runs in the context of a user with standard privileges, then it's possible that standard users or malware running as standard user may be able to circumvent the intent of Windows Defender Application Control. -Some application installers may automatically run the application at the end of the installation process. If the application runs, and the installer was run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. +Some application installers may automatically run the application at the end of the installation process. If the application runs automatically, and the installer was run by a managed installer, then the managed installer's heuristic tracking and authorization will extend to all files that are created during the first run of the application. This extension could result in unintentional authorization of an executable. To avoid that, ensure that the method of application deployment that is used as a managed installer limits running applications as part of installation. ## Known limitations with managed installer From e02f321bd708a4d1bfdedb435cf2828319639d77 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 25 Jul 2022 13:09:46 +0530 Subject: [PATCH 16/77] Made further corrections --- windows/security/threat-protection/auditing/event-4957.md | 2 +- windows/security/threat-protection/auditing/event-4958.md | 2 +- windows/security/threat-protection/auditing/event-5038.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md index d7ab9532ec..5abad05870 100644 --- a/windows/security/threat-protection/auditing/event-4957.md +++ b/windows/security/threat-protection/auditing/event-4957.md @@ -1,5 +1,5 @@ --- -title: 4957(F) Windows Firewall didn't apply the following rule. (Windows 10) +title: 4957(F) Windows Firewall did not apply the following rule. (Windows 10) description: Describes security event 4957(F) Windows Firewall didn't apply the following rule. ms.pagetype: security ms.prod: m365-security diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md index e471571683..4bd2da3a99 100644 --- a/windows/security/threat-protection/auditing/event-4958.md +++ b/windows/security/threat-protection/auditing/event-4958.md @@ -1,5 +1,5 @@ --- -title: 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. (Windows 10) +title: 4958(F) Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer. (Windows 10) description: Describes security event 4958(F) Windows Firewall didn't apply the following rule because the rule referred to items not configured on this computer. ms.pagetype: security ms.prod: m365-security diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md index 147a3a02be..60b2f51b2d 100644 --- a/windows/security/threat-protection/auditing/event-5038.md +++ b/windows/security/threat-protection/auditing/event-5038.md @@ -1,5 +1,5 @@ --- -title: 5038(F) Code integrity determined that the image hash of a file isn't valid. (Windows 10) +title: 5038(F) Code integrity determined that the image hash of a file is not valid. (Windows 10) description: Describes security event 5038(F) Code integrity determined that the image hash of a file isn't valid. ms.pagetype: security ms.prod: m365-security From 25f518eb782dfce6435eb5e3f096e4b55c3e3649 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 25 Jul 2022 13:50:34 +0530 Subject: [PATCH 17/77] Update monitor-application-usage-with-applocker.md --- .../applocker/monitor-application-usage-with-applocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 8ffba58478..2a7f113724 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -93,7 +93,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum **To view events in the AppLocker log by using Event Viewer** -1. To open Event Viewer, go to the **Start**, type **eventvwr.msc**, and then select ENTER. +1. To open Event Viewer, go to the **Start** menu, type **eventvwr.msc**, and then select ENTER. 2. In the console tree under **Application and Services Logs\\Microsoft\\Windows**, double-click **AppLocker**. AppLocker events are listed in either the **EXE and DLL** log, the **MSI and Script** log, or the **Packaged app-Deployment** or **Packaged app-Execution** log. Event information includes the enforcement setting, file name, date and time, and user name. The logs can be exported to other file From 9057609ee01ec8fd85b9c9f2c4d9232e16a5b194 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Tue, 2 Aug 2022 19:05:14 -0400 Subject: [PATCH 18/77] Revise MDM TOC --- windows/client-management/mdm/toc.yml | 260 +++++++++++++------------- 1 file changed, 131 insertions(+), 129 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index a95c47c94f..1057e236f3 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -1,18 +1,18 @@ items: - name: Mobile device management href: index.md - items: + items: - name: What's new in MDM enrollment and management href: new-in-windows-mdm-enrollment-management.md - items: + items: - name: Change history for MDM documentation href: change-history-for-mdm-documentation.md - name: Mobile device enrollment href: mobile-device-enrollment.md - items: + items: - name: MDM enrollment of Windows devices href: mdm-enrollment-of-windows-devices.md - items: + items: - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal" href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - name: Enroll a Windows 10 device automatically using Group Policy @@ -23,39 +23,38 @@ items: href: certificate-authentication-device-enrollment.md - name: On-premises authentication device enrollment href: on-premise-authentication-device-enrollment.md + - name: Bulk enrollment + href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Disconnecting from the management infrastructure (unenrollment) + href: disconnecting-from-mdm-unenrollment.md + - name: Support for mobile application management on Windows + href: implement-server-side-mobile-application-management.md - name: Understanding ADMX policies href: understanding-admx-backed-policies.md - - name: Enable ADMX policies in MDM - href: enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: win32-and-centennial-app-policy-configuration.md - - name: Implement server-side support for mobile application management on Windows - href: implement-server-side-mobile-application-management.md - - name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md + items: + - name: Enable ADMX policies in MDM + href: enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: win32-and-centennial-app-policy-configuration.md - name: Azure Active Directory integration with MDM href: azure-active-directory-integration-with-mdm.md - items: + items: - name: Add an Azure AD tenant and Azure AD subscription href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - name: Register your free Azure Active Directory subscription href: register-your-free-azure-active-directory-subscription.md + - name: Enterprise settings, policies, and app management + href: windows-mdm-enterprise-settings.md - name: Enterprise app management href: enterprise-app-management.md - - name: Mobile device management (MDM) for device updates - href: device-update-management.md - - name: Bulk enrollment - href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Secured-Core PC Configuration Lock - href: config-lock.md - - name: Management tool for the Microsoft Store for Business - href: management-tool-for-windows-store-for-business.md - items: + items: + - name: Deploy and configure App-V apps using MDM + href: appv-deploy-and-config.md + - name: Management tool for the Microsoft Store for Business + href: management-tool-for-windows-store-for-business.md - name: REST API reference for Microsoft Store for Business href: rest-api-reference-windows-store-for-business.md - items: + items: - name: Data structures for Microsoft Store for Business href: data-structures-windows-store-for-business.md - name: Get Inventory @@ -82,88 +81,91 @@ items: href: bulk-assign-and-reclaim-seats-from-user.md - name: Get seats assigned to a user href: get-seats-assigned-to-a-user.md + - name: Mobile device management (MDM) for device updates + href: device-update-management.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md - name: Certificate renewal href: certificate-renewal-windows-mdm.md - - name: Disconnecting from the management infrastructure (unenrollment) - href: disconnecting-from-mdm-unenrollment.md - - name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md - name: Push notification support for device management href: push-notification-windows-mdm.md - - name: OMA DM protocol support - href: oma-dm-protocol-support.md - - name: Structure of OMA DM provisioning files - href: structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: server-requirements-windows-mdm.md - - name: DMProcessConfigXMLFiltered - href: dmprocessconfigxmlfiltered.md - name: Using PowerShell scripting with the WMI Bridge Provider href: using-powershell-scripting-with-the-wmi-bridge-provider.md - name: WMI providers supported in Windows 10 href: wmi-providers-supported-in-windows.md + - name: Diagnose MDM failures in Windows 10 + href: diagnose-mdm-failures-in-windows-10.md + - name: OMA DM protocol support + href: oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: server-requirements-windows-mdm.md + - name: DMProcessConfigXMLFiltered + href: dmprocessconfigxmlfiltered.md - name: Configuration service provider reference href: configuration-service-provider-reference.md - items: + items: - name: AccountManagement CSP href: accountmanagement-csp.md - items: + items: - name: AccountManagement DDF file href: accountmanagement-ddf.md - name: Accounts CSP href: accounts-csp.md - items: + items: - name: Accounts DDF file href: accounts-ddf-file.md - name: ActiveSync CSP href: activesync-csp.md - items: + items: - name: ActiveSync DDF file href: activesync-ddf-file.md - name: AllJoynManagement CSP href: alljoynmanagement-csp.md - items: + items: - name: AllJoynManagement DDF href: alljoynmanagement-ddf.md - name: APPLICATION CSP href: application-csp.md - name: ApplicationControl CSP href: applicationcontrol-csp.md - items: + items: - name: ApplicationControl DDF file href: applicationcontrol-csp-ddf.md - name: AppLocker CSP href: applocker-csp.md - items: + items: - name: AppLocker DDF file href: applocker-ddf-file.md - name: AppLocker XSD href: applocker-xsd.md - name: AssignedAccess CSP href: assignedaccess-csp.md - items: + items: - name: AssignedAccess DDF file href: assignedaccess-ddf.md - name: BitLocker CSP href: bitlocker-csp.md - items: + items: - name: BitLocker DDF file href: bitlocker-ddf-file.md - name: CellularSettings CSP href: cellularsettings-csp.md - name: CertificateStore CSP href: certificatestore-csp.md - items: + items: - name: CertificateStore DDF file href: certificatestore-ddf-file.md - name: CleanPC CSP href: cleanpc-csp.md - items: + items: - name: CleanPC DDF href: cleanpc-ddf.md - name: ClientCertificateInstall CSP href: clientcertificateinstall-csp.md - items: + items: - name: ClientCertificateInstall DDF file href: clientcertificateinstall-ddf-file.md - name: CM_CellularEntries CSP @@ -172,131 +174,131 @@ items: href: cmpolicy-csp.md - name: CMPolicyEnterprise CSP href: cmpolicyenterprise-csp.md - items: + items: - name: CMPolicyEnterprise DDF file href: cmpolicyenterprise-ddf-file.md - name: CustomDeviceUI CSP href: customdeviceui-csp.md - items: + items: - name: CustomDeviceUI DDF file href: customdeviceui-ddf.md - name: Defender CSP href: defender-csp.md - items: + items: - name: Defender DDF file href: defender-ddf.md - name: DevDetail CSP href: devdetail-csp.md - items: + items: - name: DevDetail DDF file href: devdetail-ddf-file.md - name: DeveloperSetup CSP href: developersetup-csp.md - items: + items: - name: DeveloperSetup DDF href: developersetup-ddf.md - name: DeviceLock CSP href: devicelock-csp.md - items: + items: - name: DeviceLock DDF file href: devicelock-ddf-file.md - name: DeviceManageability CSP href: devicemanageability-csp.md - items: + items: - name: DeviceManageability DDF href: devicemanageability-ddf.md - name: DeviceStatus CSP href: devicestatus-csp.md - items: + items: - name: DeviceStatus DDF href: devicestatus-ddf.md - name: DevInfo CSP href: devinfo-csp.md - items: + items: - name: DevInfo DDF file href: devinfo-ddf-file.md - name: DiagnosticLog CSP href: diagnosticlog-csp.md - items: + items: - name: DiagnosticLog DDF file href: diagnosticlog-ddf.md - name: DMAcc CSP href: dmacc-csp.md - items: + items: - name: DMAcc DDF file href: dmacc-ddf-file.md - name: DMClient CSP href: dmclient-csp.md - items: + items: - name: DMClient DDF file href: dmclient-ddf-file.md - name: DMSessionActions CSP href: dmsessionactions-csp.md - items: + items: - name: DMSessionActions DDF file href: dmsessionactions-ddf.md - name: DynamicManagement CSP href: dynamicmanagement-csp.md - items: + items: - name: DynamicManagement DDF file href: dynamicmanagement-ddf.md - name: EMAIL2 CSP href: email2-csp.md - items: + items: - name: EMAIL2 DDF file href: email2-ddf-file.md - name: EnrollmentStatusTracking CSP href: enrollmentstatustracking-csp.md - items: + items: - name: EnrollmentStatusTracking DDF file href: enrollmentstatustracking-csp-ddf.md - name: EnterpriseAPN CSP href: enterpriseapn-csp.md - items: + items: - name: EnterpriseAPN DDF href: enterpriseapn-ddf.md - name: EnterpriseAppVManagement CSP href: enterpriseappvmanagement-csp.md - items: + items: - name: EnterpriseAppVManagement DDF file href: enterpriseappvmanagement-ddf.md - name: EnterpriseDataProtection CSP href: enterprisedataprotection-csp.md - items: + items: - name: EnterpriseDataProtection DDF file href: enterprisedataprotection-ddf-file.md - name: EnterpriseDesktopAppManagement CSP href: enterprisedesktopappmanagement-csp.md - items: + items: - name: EnterpriseDesktopAppManagement DDF href: enterprisedesktopappmanagement-ddf-file.md - name: EnterpriseDesktopAppManagement XSD href: enterprisedesktopappmanagement2-xsd.md - name: EnterpriseModernAppManagement CSP href: enterprisemodernappmanagement-csp.md - items: + items: - name: EnterpriseModernAppManagement DDF href: enterprisemodernappmanagement-ddf.md - name: EnterpriseModernAppManagement XSD href: enterprisemodernappmanagement-xsd.md - name: eUICCs CSP href: euiccs-csp.md - items: + items: - name: eUICCs DDF file href: euiccs-ddf-file.md - name: Firewall CSP href: firewall-csp.md - items: + items: - name: Firewall DDF file href: firewall-ddf-file.md - name: HealthAttestation CSP href: healthattestation-csp.md - items: + items: - name: HealthAttestation DDF href: healthattestation-ddf.md - name: MultiSIM CSP href: multisim-csp.md - items: + items: - name: MultiSIM DDF file href: multisim-ddf.md - name: NAP CSP @@ -305,37 +307,37 @@ items: href: napdef-csp.md - name: NetworkProxy CSP href: networkproxy-csp.md - items: + items: - name: NetworkProxy DDF file href: networkproxy-ddf.md - name: NetworkQoSPolicy CSP href: networkqospolicy-csp.md - items: + items: - name: NetworkQoSPolicy DDF file href: networkqospolicy-ddf.md - name: NodeCache CSP href: nodecache-csp.md - items: + items: - name: NodeCache DDF file href: nodecache-ddf-file.md - name: Office CSP href: office-csp.md - items: + items: - name: Office DDF href: office-ddf.md - name: PassportForWork CSP href: passportforwork-csp.md - items: + items: - name: PassportForWork DDF file href: passportforwork-ddf.md - name: Personalization CSP href: personalization-csp.md - items: + items: - name: Personalization DDF file href: personalization-ddf.md - name: Policy CSP href: policy-configuration-service-provider.md - items: + items: - name: Policy CSP DDF file href: policy-ddf-file.md - name: Policies in Policy CSP supported by Group Policy @@ -367,7 +369,7 @@ items: - name: ADMX_AddRemovePrograms href: policy-csp-admx-addremoveprograms.md - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md + href: policy-csp-admx-admpwd.md - name: ADMX_AppCompat href: policy-csp-admx-appcompat.md - name: ADMX_AppxPackageManager @@ -407,7 +409,7 @@ items: - name: ADMX_DeviceCompat href: policy-csp-admx-devicecompat.md - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md + href: policy-csp-admx-deviceguard.md - name: ADMX_DeviceInstallation href: policy-csp-admx-deviceinstallation.md - name: ADMX_DeviceSetup @@ -417,7 +419,7 @@ items: - name: ADMX_DigitalLocker href: policy-csp-admx-digitallocker.md - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md + href: policy-csp-admx-diskdiagnostic.md - name: ADMX_DistributedLinkTracking href: policy-csp-admx-distributedlinktracking.md - name: ADMX_DnsClient @@ -429,7 +431,7 @@ items: - name: ADMX_EncryptFilesonMove href: policy-csp-admx-encryptfilesonmove.md - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md + href: policy-csp-admx-eventlogging.md - name: ADMX_EnhancedStorage href: policy-csp-admx-enhancedstorage.md - name: ADMX_ErrorReporting @@ -439,15 +441,15 @@ items: - name: ADMX_EventLog href: policy-csp-admx-eventlog.md - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md + href: policy-csp-admx-eventviewer.md - name: ADMX_Explorer href: policy-csp-admx-explorer.md - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md + href: policy-csp-admx-externalboot.md - name: ADMX_FileRecovery href: policy-csp-admx-filerecovery.md - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md + href: policy-csp-admx-filerevocation.md - name: ADMX_FileServerVSSProvider href: policy-csp-admx-fileservervssprovider.md - name: ADMX_FileSys @@ -457,7 +459,7 @@ items: - name: ADMX_FramePanes href: policy-csp-admx-framepanes.md - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md + href: policy-csp-admx-fthsvc.md - name: ADMX_Globalization href: policy-csp-admx-globalization.md - name: ADMX_GroupPolicy @@ -473,7 +475,7 @@ items: - name: ADMX_IIS href: policy-csp-admx-iis.md - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md + href: policy-csp-admx-iscsi.md - name: ADMX_kdc href: policy-csp-admx-kdc.md - name: ADMX_Kerberos @@ -483,11 +485,11 @@ items: - name: ADMX_LanmanWorkstation href: policy-csp-admx-lanmanworkstation.md - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md + href: policy-csp-admx-leakdiagnostic.md - name: ADMX_LinkLayerTopologyDiscovery href: policy-csp-admx-linklayertopologydiscovery.md - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md + href: policy-csp-admx-locationprovideradm.md - name: ADMX_Logon href: policy-csp-admx-logon.md - name: ADMX_MicrosoftDefenderAntivirus @@ -521,11 +523,11 @@ items: - name: ADMX_OfflineFiles href: policy-csp-admx-offlinefiles.md - name: ADMX_pca - href: policy-csp-admx-pca.md + href: policy-csp-admx-pca.md - name: ADMX_PeerToPeerCaching href: policy-csp-admx-peertopeercaching.md - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md + href: policy-csp-admx-pentraining.md - name: ADMX_PerformanceDiagnostics href: policy-csp-admx-performancediagnostics.md - name: ADMX_Power @@ -533,7 +535,7 @@ items: - name: ADMX_PowerShellExecutionPolicy href: policy-csp-admx-powershellexecutionpolicy.md - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md + href: policy-csp-admx-previousversions.md - name: ADMX_Printing href: policy-csp-admx-printing.md - name: ADMX_Printing2 @@ -553,13 +555,13 @@ items: - name: ADMX_sdiageng href: policy-csp-admx-sdiageng.md - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md + href: policy-csp-admx-sdiagschd.md - name: ADMX_Securitycenter href: policy-csp-admx-securitycenter.md - name: ADMX_Sensors href: policy-csp-admx-sensors.md - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md + href: policy-csp-admx-servermanager.md - name: ADMX_Servicing href: policy-csp-admx-servicing.md - name: ADMX_SettingSync @@ -569,7 +571,7 @@ items: - name: ADMX_Sharing href: policy-csp-admx-sharing.md - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md + href: policy-csp-admx-shellcommandpromptregedittools.md - name: ADMX_Smartcard href: policy-csp-admx-smartcard.md - name: ADMX_Snmp @@ -585,11 +587,11 @@ items: - name: ADMX_tcpip href: policy-csp-admx-tcpip.md - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md + href: policy-csp-admx-terminalserver.md - name: ADMX_Thumbnails href: policy-csp-admx-thumbnails.md - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md + href: policy-csp-admx-touchinput.md - name: ADMX_TPM href: policy-csp-admx-tpm.md - name: ADMX_UserExperienceVirtualization @@ -601,7 +603,7 @@ items: - name: ADMX_WCM href: policy-csp-admx-wcm.md - name: ADMX_WDI - href: policy-csp-admx-wdi.md + href: policy-csp-admx-wdi.md - name: ADMX_WinCal href: policy-csp-admx-wincal.md - name: ADMX_WindowsConnectNow @@ -625,9 +627,9 @@ items: - name: ADMX_wlansvc href: policy-csp-admx-wlansvc.md - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md + href: policy-csp-admx-wordwheel.md - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md + href: policy-csp-admx-workfoldersclient.md - name: ADMX_WPN href: policy-csp-admx-wpn.md - name: ApplicationDefaults @@ -834,94 +836,94 @@ items: href: pxlogical-csp.md - name: Reboot CSP href: reboot-csp.md - items: + items: - name: Reboot DDF file href: reboot-ddf-file.md - name: RemoteFind CSP href: remotefind-csp.md - items: + items: - name: RemoteFind DDF file href: remotefind-ddf-file.md - name: RemoteWipe CSP href: remotewipe-csp.md - items: + items: - name: RemoteWipe DDF file href: remotewipe-ddf-file.md - name: Reporting CSP href: reporting-csp.md - items: + items: - name: Reporting DDF file href: reporting-ddf-file.md - name: RootCATrustedCertificates CSP href: rootcacertificates-csp.md - items: + items: - name: RootCATrustedCertificates DDF file href: rootcacertificates-ddf-file.md - name: SecureAssessment CSP href: secureassessment-csp.md - items: + items: - name: SecureAssessment DDF file href: secureassessment-ddf-file.md - name: SecurityPolicy CSP href: securitypolicy-csp.md - name: SharedPC CSP href: sharedpc-csp.md - items: + items: - name: SharedPC DDF file href: sharedpc-ddf-file.md - name: Storage CSP href: storage-csp.md - items: + items: - name: Storage DDF file href: storage-ddf-file.md - name: SUPL CSP href: supl-csp.md - items: + items: - name: SUPL DDF file href: supl-ddf-file.md - name: SurfaceHub CSP href: surfacehub-csp.md - items: + items: - name: SurfaceHub DDF file href: surfacehub-ddf-file.md - name: TenantLockdown CSP href: tenantlockdown-csp.md - items: + items: - name: TenantLockdown DDF file href: tenantlockdown-ddf.md - name: TPMPolicy CSP href: tpmpolicy-csp.md - items: + items: - name: TPMPolicy DDF file href: tpmpolicy-ddf-file.md - name: UEFI CSP href: uefi-csp.md - items: + items: - name: UEFI DDF file href: uefi-ddf.md - name: UnifiedWriteFilter CSP href: unifiedwritefilter-csp.md - items: + items: - name: UnifiedWriteFilter DDF file href: unifiedwritefilter-ddf.md - name: UniversalPrint CSP href: universalprint-csp.md - items: + items: - name: UniversalPrint DDF file href: universalprint-ddf-file.md - name: Update CSP href: update-csp.md - items: + items: - name: Update DDF file href: update-ddf-file.md - name: VPN CSP href: vpn-csp.md - items: + items: - name: VPN DDF file href: vpn-ddf-file.md - name: VPNv2 CSP href: vpnv2-csp.md - items: + items: - name: VPNv2 DDF file href: vpnv2-ddf-file.md - name: ProfileXML XSD @@ -934,41 +936,41 @@ items: href: w7-application-csp.md - name: WiFi CSP href: wifi-csp.md - items: + items: - name: WiFi DDF file href: wifi-ddf-file.md - name: Win32AppInventory CSP href: win32appinventory-csp.md - items: + items: - name: Win32AppInventory DDF file href: win32appinventory-ddf-file.md - name: Win32CompatibilityAppraiser CSP href: win32compatibilityappraiser-csp.md - items: + items: - name: Win32CompatibilityAppraiser DDF file href: win32compatibilityappraiser-ddf.md - name: WindowsAdvancedThreatProtection CSP href: windowsadvancedthreatprotection-csp.md - items: + items: - name: WindowsAdvancedThreatProtection DDF file href: windowsadvancedthreatprotection-ddf.md - name: WindowsAutopilot CSP href: windowsautopilot-csp.md - items: + items: - name: WindowsAutopilot DDF file href: windowsautopilot-ddf-file.md - name: WindowsDefenderApplicationGuard CSP href: windowsdefenderapplicationguard-csp.md - items: + items: - name: WindowsDefenderApplicationGuard DDF file href: windowsdefenderapplicationguard-ddf-file.md - name: WindowsLicensing CSP href: windowslicensing-csp.md - items: + items: - name: WindowsLicensing DDF file href: windowslicensing-ddf-file.md - name: WiredNetwork CSP href: wirednetwork-csp.md - items: + items: - name: WiredNetwork DDF file href: wirednetwork-ddf-file.md From 67345185d72c3be8315e67b72b487f1397b5eed0 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 3 Aug 2022 10:55:13 -0400 Subject: [PATCH 19/77] Update TOC --- ...rver-side-mobile-application-management.md | 72 +- windows/client-management/mdm/toc.yml | 1941 ++++++++--------- 2 files changed, 1006 insertions(+), 1007 deletions(-) diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md index e17aa75f60..09eb2a8003 100644 --- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md +++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md @@ -1,77 +1,77 @@ --- -title: Implement server-side support for mobile application management on Windows +title: Support for mobile application management on Windows description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices. ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: dansimp -ms.date: 06/26/2017 -ms.reviewer: +ms.date: 08/03/2022 +ms.reviewer: manager: dansimp --- -# Implement server-side support for mobile application management on Windows +# Support for mobile application management on Windows The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703. ## Integration with Azure AD -MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  +MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD-integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  -MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. +MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD-integrated MDM services are provided in an organization, a user's personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices. -On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. +On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD-integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**. -Regular non-admin users can enroll to MAM.  +Regular non-admin users can enroll to MAM.  -## Integration with Windows Information Protection +## Integration with Windows Information Protection -MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.  +MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they don't handle personal data, and therefore, it's safe for Windows to protect data on their behalf.  -To make applications WIP-aware, app developers need to include the following data in the app resource file. +To make applications WIP-aware, app developers need to include the following data in the app resource file. ``` syntax -// Mark this binary as Allowed for WIP (EDP) purpose  - MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID - BEGIN - 0x0001 - END  +// Mark this binary as Allowed for WIP (EDP) purpose  + MICROSOFTEDPAUTOPROTECTIONALLOWEDAPPINFO EDPAUTOPROTECTIONALLOWEDAPPINFOID + BEGIN + 0x0001 + END  ``` ## Configuring an Azure AD tenant for MAM enrollment -MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  +MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. With Azure AD in Windows 10, version 1703, onward, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you've already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  :::image type="content" alt-text="Mobile application management app." source="images/implement-server-side-mobile-application-management.png"::: -MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. +MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. > [!NOTE] -> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  +> If the MDM service in an organization isn't integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  ## MAM enrollment -MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  +MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](/openspecs/windows_protocols/ms-mde2/4d7eadd5-3951-4f1c-8159-c39e07cbe692). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  -Below are protocol changes for MAM enrollment:  -- MDM discovery isn't supported. +Below are protocol changes for MAM enrollment:  +- MDM discovery isn't supported. - APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional. -- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. +- MAM enrollment variation of [MS-MDE2] protocol doesn't support the client authentication certificate, and therefore doesn't support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. -Here's an example provisioning XML for MAM enrollment. +Here's an example provisioning XML for MAM enrollment. ```xml - - - - - - - - - + + + + + + + + + ``` Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours. @@ -93,14 +93,14 @@ MAM on Windows supports the following configuration service providers (CSPs). Al - [Reporting CSP](reporting-csp.md) for retrieving Windows Information Protection logs. - [RootCaTrustedCertificates CSP](rootcacertificates-csp.md). - [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. -- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. +- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. ## Device lock policies and EAS -MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. +MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. -We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: +We don't recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: - When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies, and reports compliance with EAS. - If the device is found to be compliant, EAS will report compliance with the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance doesn't require device admin rights. diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 1057e236f3..2e9e664a1f 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -2,975 +2,974 @@ items: - name: Mobile device management href: index.md items: - - name: What's new in MDM enrollment and management - href: new-in-windows-mdm-enrollment-management.md + - name: What's new in MDM enrollment and management + href: new-in-windows-mdm-enrollment-management.md + - name: Change history for MDM documentation + href: change-history-for-mdm-documentation.md + - name: Support for mobile application management on Windows + href: implement-server-side-mobile-application-management.md +- name: Mobile device enrollment + href: mobile-device-enrollment.md + items: + - name: MDM enrollment of Windows devices + href: mdm-enrollment-of-windows-devices.md + - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal" + href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md + - name: Enroll a Windows 10 device automatically using Group Policy + href: enroll-a-windows-10-device-automatically-using-group-policy.md + - name: Federated authentication device enrollment + href: federated-authentication-device-enrollment.md + - name: Certificate authentication device enrollment + href: certificate-authentication-device-enrollment.md + - name: On-premises authentication device enrollment + href: on-premise-authentication-device-enrollment.md + - name: Bulk enrollment + href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Disconnecting from the management infrastructure (unenrollment) + href: disconnecting-from-mdm-unenrollment.md +- name: Understanding ADMX policies + href: understanding-admx-backed-policies.md + items: + - name: Enable ADMX policies in MDM + href: enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: win32-and-centennial-app-policy-configuration.md +- name: Azure Active Directory integration with MDM + href: azure-active-directory-integration-with-mdm.md + items: + - name: Add an Azure AD tenant and Azure AD subscription + href: add-an-azure-ad-tenant-and-azure-ad-subscription.md + - name: Register your free Azure Active Directory subscription + href: register-your-free-azure-active-directory-subscription.md +- name: Enterprise settings, policies, and app management + href: windows-mdm-enterprise-settings.md + items: + - name: Enterprise app management + href: enterprise-app-management.md + items: + - name: Deploy and configure App-V apps using MDM + href: appv-deploy-and-config.md + - name: Management tool for the Microsoft Store for Business + href: management-tool-for-windows-store-for-business.md + - name: REST API reference for Microsoft Store for Business + href: rest-api-reference-windows-store-for-business.md items: - - name: Change history for MDM documentation - href: change-history-for-mdm-documentation.md - - name: Mobile device enrollment - href: mobile-device-enrollment.md - items: - - name: MDM enrollment of Windows devices - href: mdm-enrollment-of-windows-devices.md - items: - - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal" - href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - - name: Enroll a Windows 10 device automatically using Group Policy - href: enroll-a-windows-10-device-automatically-using-group-policy.md - - name: Federated authentication device enrollment - href: federated-authentication-device-enrollment.md - - name: Certificate authentication device enrollment - href: certificate-authentication-device-enrollment.md - - name: On-premises authentication device enrollment - href: on-premise-authentication-device-enrollment.md - - name: Bulk enrollment - href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Disconnecting from the management infrastructure (unenrollment) - href: disconnecting-from-mdm-unenrollment.md - - name: Support for mobile application management on Windows - href: implement-server-side-mobile-application-management.md - - name: Understanding ADMX policies - href: understanding-admx-backed-policies.md - items: - - name: Enable ADMX policies in MDM - href: enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: win32-and-centennial-app-policy-configuration.md - - name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md - items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md - - name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md - - name: Enterprise app management - href: enterprise-app-management.md - items: - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Management tool for the Microsoft Store for Business - href: management-tool-for-windows-store-for-business.md - - name: REST API reference for Microsoft Store for Business - href: rest-api-reference-windows-store-for-business.md - items: - - name: Data structures for Microsoft Store for Business - href: data-structures-windows-store-for-business.md - - name: Get Inventory - href: get-inventory.md - - name: Get product details - href: get-product-details.md - - name: Get localized product details - href: get-localized-product-details.md - - name: Get offline license - href: get-offline-license.md - - name: Get product packages - href: get-product-packages.md - - name: Get product package - href: get-product-package.md - - name: Get seats - href: get-seats.md - - name: Get seat - href: get-seat.md - - name: Assign seats - href: assign-seats.md - - name: Reclaim seat from user - href: reclaim-seat-from-user.md - - name: Bulk assign and reclaim seats from users - href: bulk-assign-and-reclaim-seats-from-user.md - - name: Get seats assigned to a user - href: get-seats-assigned-to-a-user.md - - name: Mobile device management (MDM) for device updates - href: device-update-management.md - - name: Secured-Core PC Configuration Lock - href: config-lock.md - - name: Certificate renewal - href: certificate-renewal-windows-mdm.md - - name: Push notification support for device management - href: push-notification-windows-mdm.md - - name: Using PowerShell scripting with the WMI Bridge Provider - href: using-powershell-scripting-with-the-wmi-bridge-provider.md - - name: WMI providers supported in Windows 10 - href: wmi-providers-supported-in-windows.md - - name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md - - name: OMA DM protocol support - href: oma-dm-protocol-support.md - items: - - name: Structure of OMA DM provisioning files - href: structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: server-requirements-windows-mdm.md - - name: DMProcessConfigXMLFiltered - href: dmprocessconfigxmlfiltered.md - - name: Configuration service provider reference - href: configuration-service-provider-reference.md - items: - - name: AccountManagement CSP - href: accountmanagement-csp.md - items: - - name: AccountManagement DDF file - href: accountmanagement-ddf.md - - name: Accounts CSP - href: accounts-csp.md - items: - - name: Accounts DDF file - href: accounts-ddf-file.md - - name: ActiveSync CSP - href: activesync-csp.md - items: - - name: ActiveSync DDF file - href: activesync-ddf-file.md - - name: AllJoynManagement CSP - href: alljoynmanagement-csp.md - items: - - name: AllJoynManagement DDF - href: alljoynmanagement-ddf.md - - name: APPLICATION CSP - href: application-csp.md - - name: ApplicationControl CSP - href: applicationcontrol-csp.md - items: - - name: ApplicationControl DDF file - href: applicationcontrol-csp-ddf.md - - name: AppLocker CSP - href: applocker-csp.md - items: - - name: AppLocker DDF file - href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - - name: AssignedAccess CSP - href: assignedaccess-csp.md - items: - - name: AssignedAccess DDF file - href: assignedaccess-ddf.md - - name: BitLocker CSP - href: bitlocker-csp.md - items: - - name: BitLocker DDF file - href: bitlocker-ddf-file.md - - name: CellularSettings CSP - href: cellularsettings-csp.md - - name: CertificateStore CSP - href: certificatestore-csp.md - items: - - name: CertificateStore DDF file - href: certificatestore-ddf-file.md - - name: CleanPC CSP - href: cleanpc-csp.md - items: - - name: CleanPC DDF - href: cleanpc-ddf.md - - name: ClientCertificateInstall CSP - href: clientcertificateinstall-csp.md - items: - - name: ClientCertificateInstall DDF file - href: clientcertificateinstall-ddf-file.md - - name: CM_CellularEntries CSP - href: cm-cellularentries-csp.md - - name: CMPolicy CSP - href: cmpolicy-csp.md - - name: CMPolicyEnterprise CSP - href: cmpolicyenterprise-csp.md - items: - - name: CMPolicyEnterprise DDF file - href: cmpolicyenterprise-ddf-file.md - - name: CustomDeviceUI CSP - href: customdeviceui-csp.md - items: - - name: CustomDeviceUI DDF file - href: customdeviceui-ddf.md - - name: Defender CSP - href: defender-csp.md - items: - - name: Defender DDF file - href: defender-ddf.md - - name: DevDetail CSP - href: devdetail-csp.md - items: - - name: DevDetail DDF file - href: devdetail-ddf-file.md - - name: DeveloperSetup CSP - href: developersetup-csp.md - items: - - name: DeveloperSetup DDF - href: developersetup-ddf.md - - name: DeviceLock CSP - href: devicelock-csp.md - items: - - name: DeviceLock DDF file - href: devicelock-ddf-file.md - - name: DeviceManageability CSP - href: devicemanageability-csp.md - items: - - name: DeviceManageability DDF - href: devicemanageability-ddf.md - - name: DeviceStatus CSP - href: devicestatus-csp.md - items: - - name: DeviceStatus DDF - href: devicestatus-ddf.md - - name: DevInfo CSP - href: devinfo-csp.md - items: - - name: DevInfo DDF file - href: devinfo-ddf-file.md - - name: DiagnosticLog CSP - href: diagnosticlog-csp.md - items: - - name: DiagnosticLog DDF file - href: diagnosticlog-ddf.md - - name: DMAcc CSP - href: dmacc-csp.md - items: - - name: DMAcc DDF file - href: dmacc-ddf-file.md - - name: DMClient CSP - href: dmclient-csp.md - items: - - name: DMClient DDF file - href: dmclient-ddf-file.md - - name: DMSessionActions CSP - href: dmsessionactions-csp.md - items: - - name: DMSessionActions DDF file - href: dmsessionactions-ddf.md - - name: DynamicManagement CSP - href: dynamicmanagement-csp.md - items: - - name: DynamicManagement DDF file - href: dynamicmanagement-ddf.md - - name: EMAIL2 CSP - href: email2-csp.md - items: - - name: EMAIL2 DDF file - href: email2-ddf-file.md - - name: EnrollmentStatusTracking CSP - href: enrollmentstatustracking-csp.md - items: - - name: EnrollmentStatusTracking DDF file - href: enrollmentstatustracking-csp-ddf.md - - name: EnterpriseAPN CSP - href: enterpriseapn-csp.md - items: - - name: EnterpriseAPN DDF - href: enterpriseapn-ddf.md - - name: EnterpriseAppVManagement CSP - href: enterpriseappvmanagement-csp.md - items: - - name: EnterpriseAppVManagement DDF file - href: enterpriseappvmanagement-ddf.md - - name: EnterpriseDataProtection CSP - href: enterprisedataprotection-csp.md - items: - - name: EnterpriseDataProtection DDF file - href: enterprisedataprotection-ddf-file.md - - name: EnterpriseDesktopAppManagement CSP - href: enterprisedesktopappmanagement-csp.md - items: - - name: EnterpriseDesktopAppManagement DDF - href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - - name: EnterpriseModernAppManagement CSP - href: enterprisemodernappmanagement-csp.md - items: - - name: EnterpriseModernAppManagement DDF - href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - - name: eUICCs CSP - href: euiccs-csp.md - items: - - name: eUICCs DDF file - href: euiccs-ddf-file.md - - name: Firewall CSP - href: firewall-csp.md - items: - - name: Firewall DDF file - href: firewall-ddf-file.md - - name: HealthAttestation CSP - href: healthattestation-csp.md - items: - - name: HealthAttestation DDF - href: healthattestation-ddf.md - - name: MultiSIM CSP - href: multisim-csp.md - items: - - name: MultiSIM DDF file - href: multisim-ddf.md - - name: NAP CSP - href: nap-csp.md - - name: NAPDEF CSP - href: napdef-csp.md - - name: NetworkProxy CSP - href: networkproxy-csp.md - items: - - name: NetworkProxy DDF file - href: networkproxy-ddf.md - - name: NetworkQoSPolicy CSP - href: networkqospolicy-csp.md - items: - - name: NetworkQoSPolicy DDF file - href: networkqospolicy-ddf.md - - name: NodeCache CSP - href: nodecache-csp.md - items: - - name: NodeCache DDF file - href: nodecache-ddf-file.md - - name: Office CSP - href: office-csp.md - items: - - name: Office DDF - href: office-ddf.md - - name: PassportForWork CSP - href: passportforwork-csp.md - items: - - name: PassportForWork DDF file - href: passportforwork-ddf.md - - name: Personalization CSP - href: personalization-csp.md - items: - - name: Personalization DDF file - href: personalization-ddf.md - - name: Policy CSP - href: policy-configuration-service-provider.md - items: - - name: Policy CSP DDF file - href: policy-ddf-file.md - - name: Policies in Policy CSP supported by Group Policy - href: policies-in-policy-csp-supported-by-group-policy.md - - name: ADMX policies in Policy CSP - href: policies-in-policy-csp-admx-backed.md - - name: Policies in Policy CSP supported by HoloLens 2 - href: policies-in-policy-csp-supported-by-hololens2.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite - href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition - href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md - - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise - href: ./configuration-service-provider-reference.md - - name: Policies in Policy CSP supported by Windows 10 IoT Core - href: policies-in-policy-csp-supported-by-iot-core.md - - name: Policies in Policy CSP supported by Microsoft Surface Hub - href: policies-in-policy-csp-supported-by-surface-hub.md - - name: Policy CSPs that can be set using Exchange Active Sync (EAS) - href: policies-in-policy-csp-that-can-be-set-using-eas.md - - name: AboveLock - href: policy-csp-abovelock.md - - name: Accounts - href: policy-csp-accounts.md - - name: ActiveXControls - href: policy-csp-activexcontrols.md - - name: ADMX_ActiveXInstallService - href: policy-csp-admx-activexinstallservice.md - - name: ADMX_AddRemovePrograms - href: policy-csp-admx-addremoveprograms.md - - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md - - name: ADMX_AppCompat - href: policy-csp-admx-appcompat.md - - name: ADMX_AppxPackageManager - href: policy-csp-admx-appxpackagemanager.md - - name: ADMX_AppXRuntime - href: policy-csp-admx-appxruntime.md - - name: ADMX_AttachmentManager - href: policy-csp-admx-attachmentmanager.md - - name: ADMX_AuditSettings - href: policy-csp-admx-auditsettings.md - - name: ADMX_Bits - href: policy-csp-admx-bits.md - - name: ADMX_CipherSuiteOrder - href: policy-csp-admx-ciphersuiteorder.md - - name: ADMX_COM - href: policy-csp-admx-com.md - - name: ADMX_ControlPanel - href: policy-csp-admx-controlpanel.md - - name: ADMX_ControlPanelDisplay - href: policy-csp-admx-controlpaneldisplay.md - - name: ADMX_Cpls - href: policy-csp-admx-cpls.md - - name: ADMX_CredentialProviders - href: policy-csp-admx-credentialproviders.md - - name: ADMX_CredSsp - href: policy-csp-admx-credssp.md - - name: ADMX_CredUI - href: policy-csp-admx-credui.md - - name: ADMX_CtrlAltDel - href: policy-csp-admx-ctrlaltdel.md - - name: ADMX_DataCollection - href: policy-csp-admx-datacollection.md - - name: ADMX_DCOM - href: policy-csp-admx-dcom.md - - name: ADMX_Desktop - href: policy-csp-admx-desktop.md - - name: ADMX_DeviceCompat - href: policy-csp-admx-devicecompat.md - - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md - - name: ADMX_DeviceInstallation - href: policy-csp-admx-deviceinstallation.md - - name: ADMX_DeviceSetup - href: policy-csp-admx-devicesetup.md - - name: ADMX_DFS - href: policy-csp-admx-dfs.md - - name: ADMX_DigitalLocker - href: policy-csp-admx-digitallocker.md - - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md - - name: ADMX_DistributedLinkTracking - href: policy-csp-admx-distributedlinktracking.md - - name: ADMX_DnsClient - href: policy-csp-admx-dnsclient.md - - name: ADMX_DWM - href: policy-csp-admx-dwm.md - - name: ADMX_EAIME - href: policy-csp-admx-eaime.md - - name: ADMX_EncryptFilesonMove - href: policy-csp-admx-encryptfilesonmove.md - - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md - - name: ADMX_EnhancedStorage - href: policy-csp-admx-enhancedstorage.md - - name: ADMX_ErrorReporting - href: policy-csp-admx-errorreporting.md - - name: ADMX_EventForwarding - href: policy-csp-admx-eventforwarding.md - - name: ADMX_EventLog - href: policy-csp-admx-eventlog.md - - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md - - name: ADMX_Explorer - href: policy-csp-admx-explorer.md - - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: ADMX_FileRecovery - href: policy-csp-admx-filerecovery.md - - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md - - name: ADMX_FileServerVSSProvider - href: policy-csp-admx-fileservervssprovider.md - - name: ADMX_FileSys - href: policy-csp-admx-filesys.md - - name: ADMX_FolderRedirection - href: policy-csp-admx-folderredirection.md - - name: ADMX_FramePanes - href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md - - name: ADMX_Globalization - href: policy-csp-admx-globalization.md - - name: ADMX_GroupPolicy - href: policy-csp-admx-grouppolicy.md - - name: ADMX_Help - href: policy-csp-admx-help.md - - name: ADMX_HelpAndSupport - href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth - href: policy-csp-admx-hotspotauth.md - - name: ADMX_ICM - href: policy-csp-admx-icm.md - - name: ADMX_IIS - href: policy-csp-admx-iis.md - - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md - - name: ADMX_kdc - href: policy-csp-admx-kdc.md - - name: ADMX_Kerberos - href: policy-csp-admx-kerberos.md - - name: ADMX_LanmanServer - href: policy-csp-admx-lanmanserver.md - - name: ADMX_LanmanWorkstation - href: policy-csp-admx-lanmanworkstation.md - - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md - - name: ADMX_LinkLayerTopologyDiscovery - href: policy-csp-admx-linklayertopologydiscovery.md - - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md - - name: ADMX_Logon - href: policy-csp-admx-logon.md - - name: ADMX_MicrosoftDefenderAntivirus - href: policy-csp-admx-microsoftdefenderantivirus.md - - name: ADMX_MMC - href: policy-csp-admx-mmc.md - - name: ADMX_MMCSnapins - href: policy-csp-admx-mmcsnapins.md - - name: ADMX_MobilePCMobilityCenter - href: policy-csp-admx-mobilepcmobilitycenter.md - - name: ADMX_MobilePCPresentationSettings - href: policy-csp-admx-mobilepcpresentationsettings.md - - name: ADMX_MSAPolicy - href: policy-csp-admx-msapolicy.md - - name: ADMX_msched - href: policy-csp-admx-msched.md - - name: ADMX_MSDT - href: policy-csp-admx-msdt.md - - name: ADMX_MSI - href: policy-csp-admx-msi.md - - name: ADMX_MsiFileRecovery - href: policy-csp-admx-msifilerecovery.md - - name: ADMX_nca - href: policy-csp-admx-nca.md - - name: ADMX_NCSI - href: policy-csp-admx-ncsi.md - - name: ADMX_Netlogon - href: policy-csp-admx-netlogon.md - - name: ADMX_NetworkConnections - href: policy-csp-admx-networkconnections.md - - name: ADMX_OfflineFiles - href: policy-csp-admx-offlinefiles.md - - name: ADMX_pca - href: policy-csp-admx-pca.md - - name: ADMX_PeerToPeerCaching - href: policy-csp-admx-peertopeercaching.md - - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md - - name: ADMX_PerformanceDiagnostics - href: policy-csp-admx-performancediagnostics.md - - name: ADMX_Power - href: policy-csp-admx-power.md - - name: ADMX_PowerShellExecutionPolicy - href: policy-csp-admx-powershellexecutionpolicy.md - - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md - - name: ADMX_Printing - href: policy-csp-admx-printing.md - - name: ADMX_Printing2 - href: policy-csp-admx-printing2.md - - name: ADMX_Programs - href: policy-csp-admx-programs.md - - name: ADMX_Reliability - href: policy-csp-admx-reliability.md - - name: ADMX_RemoteAssistance - href: policy-csp-admx-remoteassistance.md - - name: ADMX_RemovableStorage - href: policy-csp-admx-removablestorage.md - - name: ADMX_RPC - href: policy-csp-admx-rpc.md - - name: ADMX_Scripts - href: policy-csp-admx-scripts.md - - name: ADMX_sdiageng - href: policy-csp-admx-sdiageng.md - - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md - - name: ADMX_Securitycenter - href: policy-csp-admx-securitycenter.md - - name: ADMX_Sensors - href: policy-csp-admx-sensors.md - - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md - - name: ADMX_Servicing - href: policy-csp-admx-servicing.md - - name: ADMX_SettingSync - href: policy-csp-admx-settingsync.md - - name: ADMX_SharedFolders - href: policy-csp-admx-sharedfolders.md - - name: ADMX_Sharing - href: policy-csp-admx-sharing.md - - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_Smartcard - href: policy-csp-admx-smartcard.md - - name: ADMX_Snmp - href: policy-csp-admx-snmp.md - - name: ADMX_StartMenu - href: policy-csp-admx-startmenu.md - - name: ADMX_SystemRestore - href: policy-csp-admx-systemrestore.md - - name: ADMX_TabletShell - href: policy-csp-admx-tabletshell.md - - name: ADMX_Taskbar - href: policy-csp-admx-taskbar.md - - name: ADMX_tcpip - href: policy-csp-admx-tcpip.md - - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md - - name: ADMX_Thumbnails - href: policy-csp-admx-thumbnails.md - - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md - - name: ADMX_TPM - href: policy-csp-admx-tpm.md - - name: ADMX_UserExperienceVirtualization - href: policy-csp-admx-userexperiencevirtualization.md - - name: ADMX_UserProfiles - href: policy-csp-admx-userprofiles.md - - name: ADMX_W32Time - href: policy-csp-admx-w32time.md - - name: ADMX_WCM - href: policy-csp-admx-wcm.md - - name: ADMX_WDI - href: policy-csp-admx-wdi.md - - name: ADMX_WinCal - href: policy-csp-admx-wincal.md - - name: ADMX_WindowsConnectNow - href: policy-csp-admx-windowsconnectnow.md - - name: ADMX_WindowsExplorer - href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsMediaDRM - href: policy-csp-admx-windowsmediadrm.md - - name: ADMX_WindowsMediaPlayer - href: policy-csp-admx-windowsmediaplayer.md - - name: ADMX_WindowsRemoteManagement - href: policy-csp-admx-windowsremotemanagement.md - - name: ADMX_WindowsStore - href: policy-csp-admx-windowsstore.md - - name: ADMX_WinInit - href: policy-csp-admx-wininit.md - - name: ADMX_WinLogon - href: policy-csp-admx-winlogon.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - - name: ADMX_wlansvc - href: policy-csp-admx-wlansvc.md - - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md - - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md - - name: ADMX_WPN - href: policy-csp-admx-wpn.md - - name: ApplicationDefaults - href: policy-csp-applicationdefaults.md - - name: ApplicationManagement - href: policy-csp-applicationmanagement.md - - name: AppRuntime - href: policy-csp-appruntime.md - - name: AppVirtualization - href: policy-csp-appvirtualization.md - - name: AttachmentManager - href: policy-csp-attachmentmanager.md - - name: Audit - href: policy-csp-audit.md - - name: Authentication - href: policy-csp-authentication.md - - name: Autoplay - href: policy-csp-autoplay.md - - name: BitLocker - href: policy-csp-bitlocker.md - - name: BITS - href: policy-csp-bits.md - - name: Bluetooth - href: policy-csp-bluetooth.md - - name: Browser - href: policy-csp-browser.md - - name: Camera - href: policy-csp-camera.md - - name: Cellular - href: policy-csp-cellular.md - - name: Connectivity - href: policy-csp-connectivity.md - - name: ControlPolicyConflict - href: policy-csp-controlpolicyconflict.md - - name: CredentialsDelegation - href: policy-csp-credentialsdelegation.md - - name: CredentialProviders - href: policy-csp-credentialproviders.md - - name: CredentialsUI - href: policy-csp-credentialsui.md - - name: Cryptography - href: policy-csp-cryptography.md - - name: DataProtection - href: policy-csp-dataprotection.md - - name: DataUsage - href: policy-csp-datausage.md - - name: Defender - href: policy-csp-defender.md - - name: DeliveryOptimization - href: policy-csp-deliveryoptimization.md - - name: Desktop - href: policy-csp-desktop.md - - name: DeviceGuard - href: policy-csp-deviceguard.md - - name: DeviceHealthMonitoring - href: policy-csp-devicehealthmonitoring.md - - name: DeviceInstallation - href: policy-csp-deviceinstallation.md - - name: DeviceLock - href: policy-csp-devicelock.md - - name: Display - href: policy-csp-display.md - - name: DmaGuard - href: policy-csp-dmaguard.md - - name: EAP - href: policy-csp-eap.md - - name: Education - href: policy-csp-education.md - - name: EnterpriseCloudPrint - href: policy-csp-enterprisecloudprint.md - - name: ErrorReporting - href: policy-csp-errorreporting.md - - name: EventLogService - href: policy-csp-eventlogservice.md - - name: Experience - href: policy-csp-experience.md - - name: ExploitGuard - href: policy-csp-exploitguard.md - - name: Feeds - href: policy-csp-feeds.md - - name: FileExplorer - href: policy-csp-fileexplorer.md - - name: Games - href: policy-csp-games.md - - name: Handwriting - href: policy-csp-handwriting.md - - name: HumanPresence - href: policy-csp-humanpresence.md - - name: InternetExplorer - href: policy-csp-internetexplorer.md - - name: Kerberos - href: policy-csp-kerberos.md - - name: KioskBrowser - href: policy-csp-kioskbrowser.md - - name: LanmanWorkstation - href: policy-csp-lanmanworkstation.md - - name: Licensing - href: policy-csp-licensing.md - - name: LocalPoliciesSecurityOptions - href: policy-csp-localpoliciessecurityoptions.md - - name: LocalUsersAndGroups - href: policy-csp-localusersandgroups.md - - name: LockDown - href: policy-csp-lockdown.md - - name: Maps - href: policy-csp-maps.md - - name: MemoryDump - href: policy-csp-memorydump.md - - name: Messaging - href: policy-csp-messaging.md - - name: MixedReality - href: policy-csp-mixedreality.md - - name: MSSecurityGuide - href: policy-csp-mssecurityguide.md - - name: MSSLegacy - href: policy-csp-msslegacy.md - - name: Multitasking - href: policy-csp-multitasking.md - - name: NetworkIsolation - href: policy-csp-networkisolation.md - - name: NetworkListManager - href: policy-csp-networklistmanager.md - - name: NewsAndInterests - href: policy-csp-newsandinterests.md - - name: Notifications - href: policy-csp-notifications.md - - name: Power - href: policy-csp-power.md - - name: Printers - href: policy-csp-printers.md - - name: Privacy - href: policy-csp-privacy.md - - name: RemoteAssistance - href: policy-csp-remoteassistance.md - - name: RemoteDesktop - href: policy-csp-remotedesktop.md - - name: RemoteDesktopServices - href: policy-csp-remotedesktopservices.md - - name: RemoteManagement - href: policy-csp-remotemanagement.md - - name: RemoteProcedureCall - href: policy-csp-remoteprocedurecall.md - - name: RemoteShell - href: policy-csp-remoteshell.md - - name: RestrictedGroups - href: policy-csp-restrictedgroups.md - - name: Search - href: policy-csp-search.md - - name: Security - href: policy-csp-security.md - - name: ServiceControlManager - href: policy-csp-servicecontrolmanager.md - - name: Settings - href: policy-csp-settings.md - - name: Speech - href: policy-csp-speech.md - - name: Start - href: policy-csp-start.md - - name: Storage - href: policy-csp-storage.md - - name: System - href: policy-csp-system.md - - name: SystemServices - href: policy-csp-systemservices.md - - name: TaskManager - href: policy-csp-taskmanager.md - - name: TaskScheduler - href: policy-csp-taskscheduler.md - - name: TextInput - href: policy-csp-textinput.md - - name: TimeLanguageSettings - href: policy-csp-timelanguagesettings.md - - name: Troubleshooting - href: policy-csp-troubleshooting.md - - name: Update - href: policy-csp-update.md - - name: UserRights - href: policy-csp-userrights.md - - name: VirtualizationBasedTechnology - href: policy-csp-virtualizationbasedtechnology.md - - name: Wifi - href: policy-csp-wifi.md - - name: WindowsAutoPilot - href: policy-csp-windowsautopilot.md - - name: WindowsConnectionManager - href: policy-csp-windowsconnectionmanager.md - - name: WindowsDefenderSecurityCenter - href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - - name: WindowsInkWorkspace - href: policy-csp-windowsinkworkspace.md - - name: WindowsLogon - href: policy-csp-windowslogon.md - - name: WindowsPowerShell - href: policy-csp-windowspowershell.md - - name: WindowsSandbox - href: policy-csp-windowssandbox.md - - name: WirelessDisplay - href: policy-csp-wirelessdisplay.md - - name: Provisioning CSP - href: provisioning-csp.md - - name: PXLOGICAL CSP - href: pxlogical-csp.md - - name: Reboot CSP - href: reboot-csp.md - items: - - name: Reboot DDF file - href: reboot-ddf-file.md - - name: RemoteFind CSP - href: remotefind-csp.md - items: - - name: RemoteFind DDF file - href: remotefind-ddf-file.md - - name: RemoteWipe CSP - href: remotewipe-csp.md - items: - - name: RemoteWipe DDF file - href: remotewipe-ddf-file.md - - name: Reporting CSP - href: reporting-csp.md - items: - - name: Reporting DDF file - href: reporting-ddf-file.md - - name: RootCATrustedCertificates CSP - href: rootcacertificates-csp.md - items: - - name: RootCATrustedCertificates DDF file - href: rootcacertificates-ddf-file.md - - name: SecureAssessment CSP - href: secureassessment-csp.md - items: - - name: SecureAssessment DDF file - href: secureassessment-ddf-file.md - - name: SecurityPolicy CSP - href: securitypolicy-csp.md - - name: SharedPC CSP - href: sharedpc-csp.md - items: - - name: SharedPC DDF file - href: sharedpc-ddf-file.md - - name: Storage CSP - href: storage-csp.md - items: - - name: Storage DDF file - href: storage-ddf-file.md - - name: SUPL CSP - href: supl-csp.md - items: - - name: SUPL DDF file - href: supl-ddf-file.md - - name: SurfaceHub CSP - href: surfacehub-csp.md - items: - - name: SurfaceHub DDF file - href: surfacehub-ddf-file.md - - name: TenantLockdown CSP - href: tenantlockdown-csp.md - items: - - name: TenantLockdown DDF file - href: tenantlockdown-ddf.md - - name: TPMPolicy CSP - href: tpmpolicy-csp.md - items: - - name: TPMPolicy DDF file - href: tpmpolicy-ddf-file.md - - name: UEFI CSP - href: uefi-csp.md - items: - - name: UEFI DDF file - href: uefi-ddf.md - - name: UnifiedWriteFilter CSP - href: unifiedwritefilter-csp.md - items: - - name: UnifiedWriteFilter DDF file - href: unifiedwritefilter-ddf.md - - name: UniversalPrint CSP - href: universalprint-csp.md - items: - - name: UniversalPrint DDF file - href: universalprint-ddf-file.md - - name: Update CSP - href: update-csp.md - items: - - name: Update DDF file - href: update-ddf-file.md - - name: VPN CSP - href: vpn-csp.md - items: - - name: VPN DDF file - href: vpn-ddf-file.md - - name: VPNv2 CSP - href: vpnv2-csp.md - items: - - name: VPNv2 DDF file - href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - - name: EAP configuration - href: eap-configuration.md - - name: w4 APPLICATION CSP - href: w4-application-csp.md - - name: w7 APPLICATION CSP - href: w7-application-csp.md - - name: WiFi CSP - href: wifi-csp.md - items: - - name: WiFi DDF file - href: wifi-ddf-file.md - - name: Win32AppInventory CSP - href: win32appinventory-csp.md - items: - - name: Win32AppInventory DDF file - href: win32appinventory-ddf-file.md - - name: Win32CompatibilityAppraiser CSP - href: win32compatibilityappraiser-csp.md - items: - - name: Win32CompatibilityAppraiser DDF file - href: win32compatibilityappraiser-ddf.md - - name: WindowsAdvancedThreatProtection CSP - href: windowsadvancedthreatprotection-csp.md - items: - - name: WindowsAdvancedThreatProtection DDF file - href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutopilot CSP - href: windowsautopilot-csp.md - items: - - name: WindowsAutopilot DDF file - href: windowsautopilot-ddf-file.md - - name: WindowsDefenderApplicationGuard CSP - href: windowsdefenderapplicationguard-csp.md - items: - - name: WindowsDefenderApplicationGuard DDF file - href: windowsdefenderapplicationguard-ddf-file.md - - name: WindowsLicensing CSP - href: windowslicensing-csp.md - items: - - name: WindowsLicensing DDF file - href: windowslicensing-ddf-file.md - - name: WiredNetwork CSP - href: wirednetwork-csp.md - items: - - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md + - name: Data structures for Microsoft Store for Business + href: data-structures-windows-store-for-business.md + - name: Get Inventory + href: get-inventory.md + - name: Get product details + href: get-product-details.md + - name: Get localized product details + href: get-localized-product-details.md + - name: Get offline license + href: get-offline-license.md + - name: Get product packages + href: get-product-packages.md + - name: Get product package + href: get-product-package.md + - name: Get seats + href: get-seats.md + - name: Get seat + href: get-seat.md + - name: Assign seats + href: assign-seats.md + - name: Reclaim seat from user + href: reclaim-seat-from-user.md + - name: Bulk assign and reclaim seats from users + href: bulk-assign-and-reclaim-seats-from-user.md + - name: Get seats assigned to a user + href: get-seats-assigned-to-a-user.md + - name: Mobile device management (MDM) for device updates + href: device-update-management.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md + - name: Certificate renewal + href: certificate-renewal-windows-mdm.md +- name: Push notification support for device management + href: push-notification-windows-mdm.md +- name: Using PowerShell scripting with the WMI Bridge Provider + href: using-powershell-scripting-with-the-wmi-bridge-provider.md +- name: WMI providers supported in Windows 10 + href: wmi-providers-supported-in-windows.md +- name: Diagnose MDM failures in Windows 10 + href: diagnose-mdm-failures-in-windows-10.md +- name: OMA DM protocol support + href: oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: server-requirements-windows-mdm.md + - name: DMProcessConfigXMLFiltered + href: dmprocessconfigxmlfiltered.md +- name: Configuration service provider reference + href: configuration-service-provider-reference.md + items: + - name: AccountManagement CSP + href: accountmanagement-csp.md + items: + - name: AccountManagement DDF file + href: accountmanagement-ddf.md + - name: Accounts CSP + href: accounts-csp.md + items: + - name: Accounts DDF file + href: accounts-ddf-file.md + - name: ActiveSync CSP + href: activesync-csp.md + items: + - name: ActiveSync DDF file + href: activesync-ddf-file.md + - name: AllJoynManagement CSP + href: alljoynmanagement-csp.md + items: + - name: AllJoynManagement DDF + href: alljoynmanagement-ddf.md + - name: APPLICATION CSP + href: application-csp.md + - name: ApplicationControl CSP + href: applicationcontrol-csp.md + items: + - name: ApplicationControl DDF file + href: applicationcontrol-csp-ddf.md + - name: AppLocker CSP + href: applocker-csp.md + items: + - name: AppLocker DDF file + href: applocker-ddf-file.md + - name: AppLocker XSD + href: applocker-xsd.md + - name: AssignedAccess CSP + href: assignedaccess-csp.md + items: + - name: AssignedAccess DDF file + href: assignedaccess-ddf.md + - name: BitLocker CSP + href: bitlocker-csp.md + items: + - name: BitLocker DDF file + href: bitlocker-ddf-file.md + - name: CellularSettings CSP + href: cellularsettings-csp.md + - name: CertificateStore CSP + href: certificatestore-csp.md + items: + - name: CertificateStore DDF file + href: certificatestore-ddf-file.md + - name: CleanPC CSP + href: cleanpc-csp.md + items: + - name: CleanPC DDF + href: cleanpc-ddf.md + - name: ClientCertificateInstall CSP + href: clientcertificateinstall-csp.md + items: + - name: ClientCertificateInstall DDF file + href: clientcertificateinstall-ddf-file.md + - name: CM_CellularEntries CSP + href: cm-cellularentries-csp.md + - name: CMPolicy CSP + href: cmpolicy-csp.md + - name: CMPolicyEnterprise CSP + href: cmpolicyenterprise-csp.md + items: + - name: CMPolicyEnterprise DDF file + href: cmpolicyenterprise-ddf-file.md + - name: CustomDeviceUI CSP + href: customdeviceui-csp.md + items: + - name: CustomDeviceUI DDF file + href: customdeviceui-ddf.md + - name: Defender CSP + href: defender-csp.md + items: + - name: Defender DDF file + href: defender-ddf.md + - name: DevDetail CSP + href: devdetail-csp.md + items: + - name: DevDetail DDF file + href: devdetail-ddf-file.md + - name: DeveloperSetup CSP + href: developersetup-csp.md + items: + - name: DeveloperSetup DDF + href: developersetup-ddf.md + - name: DeviceLock CSP + href: devicelock-csp.md + items: + - name: DeviceLock DDF file + href: devicelock-ddf-file.md + - name: DeviceManageability CSP + href: devicemanageability-csp.md + items: + - name: DeviceManageability DDF + href: devicemanageability-ddf.md + - name: DeviceStatus CSP + href: devicestatus-csp.md + items: + - name: DeviceStatus DDF + href: devicestatus-ddf.md + - name: DevInfo CSP + href: devinfo-csp.md + items: + - name: DevInfo DDF file + href: devinfo-ddf-file.md + - name: DiagnosticLog CSP + href: diagnosticlog-csp.md + items: + - name: DiagnosticLog DDF file + href: diagnosticlog-ddf.md + - name: DMAcc CSP + href: dmacc-csp.md + items: + - name: DMAcc DDF file + href: dmacc-ddf-file.md + - name: DMClient CSP + href: dmclient-csp.md + items: + - name: DMClient DDF file + href: dmclient-ddf-file.md + - name: DMSessionActions CSP + href: dmsessionactions-csp.md + items: + - name: DMSessionActions DDF file + href: dmsessionactions-ddf.md + - name: DynamicManagement CSP + href: dynamicmanagement-csp.md + items: + - name: DynamicManagement DDF file + href: dynamicmanagement-ddf.md + - name: EMAIL2 CSP + href: email2-csp.md + items: + - name: EMAIL2 DDF file + href: email2-ddf-file.md + - name: EnrollmentStatusTracking CSP + href: enrollmentstatustracking-csp.md + items: + - name: EnrollmentStatusTracking DDF file + href: enrollmentstatustracking-csp-ddf.md + - name: EnterpriseAPN CSP + href: enterpriseapn-csp.md + items: + - name: EnterpriseAPN DDF + href: enterpriseapn-ddf.md + - name: EnterpriseAppVManagement CSP + href: enterpriseappvmanagement-csp.md + items: + - name: EnterpriseAppVManagement DDF file + href: enterpriseappvmanagement-ddf.md + - name: EnterpriseDataProtection CSP + href: enterprisedataprotection-csp.md + items: + - name: EnterpriseDataProtection DDF file + href: enterprisedataprotection-ddf-file.md + - name: EnterpriseDesktopAppManagement CSP + href: enterprisedesktopappmanagement-csp.md + items: + - name: EnterpriseDesktopAppManagement DDF + href: enterprisedesktopappmanagement-ddf-file.md + - name: EnterpriseDesktopAppManagement XSD + href: enterprisedesktopappmanagement2-xsd.md + - name: EnterpriseModernAppManagement CSP + href: enterprisemodernappmanagement-csp.md + items: + - name: EnterpriseModernAppManagement DDF + href: enterprisemodernappmanagement-ddf.md + - name: EnterpriseModernAppManagement XSD + href: enterprisemodernappmanagement-xsd.md + - name: eUICCs CSP + href: euiccs-csp.md + items: + - name: eUICCs DDF file + href: euiccs-ddf-file.md + - name: Firewall CSP + href: firewall-csp.md + items: + - name: Firewall DDF file + href: firewall-ddf-file.md + - name: HealthAttestation CSP + href: healthattestation-csp.md + items: + - name: HealthAttestation DDF + href: healthattestation-ddf.md + - name: MultiSIM CSP + href: multisim-csp.md + items: + - name: MultiSIM DDF file + href: multisim-ddf.md + - name: NAP CSP + href: nap-csp.md + - name: NAPDEF CSP + href: napdef-csp.md + - name: NetworkProxy CSP + href: networkproxy-csp.md + items: + - name: NetworkProxy DDF file + href: networkproxy-ddf.md + - name: NetworkQoSPolicy CSP + href: networkqospolicy-csp.md + items: + - name: NetworkQoSPolicy DDF file + href: networkqospolicy-ddf.md + - name: NodeCache CSP + href: nodecache-csp.md + items: + - name: NodeCache DDF file + href: nodecache-ddf-file.md + - name: Office CSP + href: office-csp.md + items: + - name: Office DDF + href: office-ddf.md + - name: PassportForWork CSP + href: passportforwork-csp.md + items: + - name: PassportForWork DDF file + href: passportforwork-ddf.md + - name: Personalization CSP + href: personalization-csp.md + items: + - name: Personalization DDF file + href: personalization-ddf.md + - name: Policy CSP + href: policy-configuration-service-provider.md + items: + - name: Policy CSP DDF file + href: policy-ddf-file.md + - name: Policies in Policy CSP supported by Group Policy + href: policies-in-policy-csp-supported-by-group-policy.md + - name: ADMX policies in Policy CSP + href: policies-in-policy-csp-admx-backed.md + - name: Policies in Policy CSP supported by HoloLens 2 + href: policies-in-policy-csp-supported-by-hololens2.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite + href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition + href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md + - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise + href: ./configuration-service-provider-reference.md + - name: Policies in Policy CSP supported by Windows 10 IoT Core + href: policies-in-policy-csp-supported-by-iot-core.md + - name: Policies in Policy CSP supported by Microsoft Surface Hub + href: policies-in-policy-csp-supported-by-surface-hub.md + - name: Policy CSPs that can be set using Exchange Active Sync (EAS) + href: policies-in-policy-csp-that-can-be-set-using-eas.md + - name: AboveLock + href: policy-csp-abovelock.md + - name: Accounts + href: policy-csp-accounts.md + - name: ActiveXControls + href: policy-csp-activexcontrols.md + - name: ADMX_ActiveXInstallService + href: policy-csp-admx-activexinstallservice.md + - name: ADMX_AddRemovePrograms + href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md + - name: ADMX_AppCompat + href: policy-csp-admx-appcompat.md + - name: ADMX_AppxPackageManager + href: policy-csp-admx-appxpackagemanager.md + - name: ADMX_AppXRuntime + href: policy-csp-admx-appxruntime.md + - name: ADMX_AttachmentManager + href: policy-csp-admx-attachmentmanager.md + - name: ADMX_AuditSettings + href: policy-csp-admx-auditsettings.md + - name: ADMX_Bits + href: policy-csp-admx-bits.md + - name: ADMX_CipherSuiteOrder + href: policy-csp-admx-ciphersuiteorder.md + - name: ADMX_COM + href: policy-csp-admx-com.md + - name: ADMX_ControlPanel + href: policy-csp-admx-controlpanel.md + - name: ADMX_ControlPanelDisplay + href: policy-csp-admx-controlpaneldisplay.md + - name: ADMX_Cpls + href: policy-csp-admx-cpls.md + - name: ADMX_CredentialProviders + href: policy-csp-admx-credentialproviders.md + - name: ADMX_CredSsp + href: policy-csp-admx-credssp.md + - name: ADMX_CredUI + href: policy-csp-admx-credui.md + - name: ADMX_CtrlAltDel + href: policy-csp-admx-ctrlaltdel.md + - name: ADMX_DataCollection + href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md + - name: ADMX_Desktop + href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md + - name: ADMX_DeviceInstallation + href: policy-csp-admx-deviceinstallation.md + - name: ADMX_DeviceSetup + href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md + - name: ADMX_DigitalLocker + href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DistributedLinkTracking + href: policy-csp-admx-distributedlinktracking.md + - name: ADMX_DnsClient + href: policy-csp-admx-dnsclient.md + - name: ADMX_DWM + href: policy-csp-admx-dwm.md + - name: ADMX_EAIME + href: policy-csp-admx-eaime.md + - name: ADMX_EncryptFilesonMove + href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md + - name: ADMX_EnhancedStorage + href: policy-csp-admx-enhancedstorage.md + - name: ADMX_ErrorReporting + href: policy-csp-admx-errorreporting.md + - name: ADMX_EventForwarding + href: policy-csp-admx-eventforwarding.md + - name: ADMX_EventLog + href: policy-csp-admx-eventlog.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md + - name: ADMX_Explorer + href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md + - name: ADMX_FileRecovery + href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md + - name: ADMX_FileServerVSSProvider + href: policy-csp-admx-fileservervssprovider.md + - name: ADMX_FileSys + href: policy-csp-admx-filesys.md + - name: ADMX_FolderRedirection + href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md + - name: ADMX_Globalization + href: policy-csp-admx-globalization.md + - name: ADMX_GroupPolicy + href: policy-csp-admx-grouppolicy.md + - name: ADMX_Help + href: policy-csp-admx-help.md + - name: ADMX_HelpAndSupport + href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md + - name: ADMX_ICM + href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md + - name: ADMX_kdc + href: policy-csp-admx-kdc.md + - name: ADMX_Kerberos + href: policy-csp-admx-kerberos.md + - name: ADMX_LanmanServer + href: policy-csp-admx-lanmanserver.md + - name: ADMX_LanmanWorkstation + href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md + - name: ADMX_LinkLayerTopologyDiscovery + href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md + - name: ADMX_Logon + href: policy-csp-admx-logon.md + - name: ADMX_MicrosoftDefenderAntivirus + href: policy-csp-admx-microsoftdefenderantivirus.md + - name: ADMX_MMC + href: policy-csp-admx-mmc.md + - name: ADMX_MMCSnapins + href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md + - name: ADMX_MSAPolicy + href: policy-csp-admx-msapolicy.md + - name: ADMX_msched + href: policy-csp-admx-msched.md + - name: ADMX_MSDT + href: policy-csp-admx-msdt.md + - name: ADMX_MSI + href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md + - name: ADMX_nca + href: policy-csp-admx-nca.md + - name: ADMX_NCSI + href: policy-csp-admx-ncsi.md + - name: ADMX_Netlogon + href: policy-csp-admx-netlogon.md + - name: ADMX_NetworkConnections + href: policy-csp-admx-networkconnections.md + - name: ADMX_OfflineFiles + href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md + - name: ADMX_PeerToPeerCaching + href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md + - name: ADMX_PerformanceDiagnostics + href: policy-csp-admx-performancediagnostics.md + - name: ADMX_Power + href: policy-csp-admx-power.md + - name: ADMX_PowerShellExecutionPolicy + href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md + - name: ADMX_Printing + href: policy-csp-admx-printing.md + - name: ADMX_Printing2 + href: policy-csp-admx-printing2.md + - name: ADMX_Programs + href: policy-csp-admx-programs.md + - name: ADMX_Reliability + href: policy-csp-admx-reliability.md + - name: ADMX_RemoteAssistance + href: policy-csp-admx-remoteassistance.md + - name: ADMX_RemovableStorage + href: policy-csp-admx-removablestorage.md + - name: ADMX_RPC + href: policy-csp-admx-rpc.md + - name: ADMX_Scripts + href: policy-csp-admx-scripts.md + - name: ADMX_sdiageng + href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md + - name: ADMX_Securitycenter + href: policy-csp-admx-securitycenter.md + - name: ADMX_Sensors + href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md + - name: ADMX_Servicing + href: policy-csp-admx-servicing.md + - name: ADMX_SettingSync + href: policy-csp-admx-settingsync.md + - name: ADMX_SharedFolders + href: policy-csp-admx-sharedfolders.md + - name: ADMX_Sharing + href: policy-csp-admx-sharing.md + - name: ADMX_ShellCommandPromptRegEditTools + href: policy-csp-admx-shellcommandpromptregedittools.md + - name: ADMX_Smartcard + href: policy-csp-admx-smartcard.md + - name: ADMX_Snmp + href: policy-csp-admx-snmp.md + - name: ADMX_StartMenu + href: policy-csp-admx-startmenu.md + - name: ADMX_SystemRestore + href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md + - name: ADMX_Taskbar + href: policy-csp-admx-taskbar.md + - name: ADMX_tcpip + href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md + - name: ADMX_Thumbnails + href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md + - name: ADMX_TPM + href: policy-csp-admx-tpm.md + - name: ADMX_UserExperienceVirtualization + href: policy-csp-admx-userexperiencevirtualization.md + - name: ADMX_UserProfiles + href: policy-csp-admx-userprofiles.md + - name: ADMX_W32Time + href: policy-csp-admx-w32time.md + - name: ADMX_WCM + href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md + - name: ADMX_WinCal + href: policy-csp-admx-wincal.md + - name: ADMX_WindowsConnectNow + href: policy-csp-admx-windowsconnectnow.md + - name: ADMX_WindowsExplorer + href: policy-csp-admx-windowsexplorer.md + - name: ADMX_WindowsMediaDRM + href: policy-csp-admx-windowsmediadrm.md + - name: ADMX_WindowsMediaPlayer + href: policy-csp-admx-windowsmediaplayer.md + - name: ADMX_WindowsRemoteManagement + href: policy-csp-admx-windowsremotemanagement.md + - name: ADMX_WindowsStore + href: policy-csp-admx-windowsstore.md + - name: ADMX_WinInit + href: policy-csp-admx-wininit.md + - name: ADMX_WinLogon + href: policy-csp-admx-winlogon.md + - name: ADMX-Winsrv + href: policy-csp-admx-winsrv.md + - name: ADMX_wlansvc + href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md + - name: ADMX_WPN + href: policy-csp-admx-wpn.md + - name: ApplicationDefaults + href: policy-csp-applicationdefaults.md + - name: ApplicationManagement + href: policy-csp-applicationmanagement.md + - name: AppRuntime + href: policy-csp-appruntime.md + - name: AppVirtualization + href: policy-csp-appvirtualization.md + - name: AttachmentManager + href: policy-csp-attachmentmanager.md + - name: Audit + href: policy-csp-audit.md + - name: Authentication + href: policy-csp-authentication.md + - name: Autoplay + href: policy-csp-autoplay.md + - name: BitLocker + href: policy-csp-bitlocker.md + - name: BITS + href: policy-csp-bits.md + - name: Bluetooth + href: policy-csp-bluetooth.md + - name: Browser + href: policy-csp-browser.md + - name: Camera + href: policy-csp-camera.md + - name: Cellular + href: policy-csp-cellular.md + - name: Connectivity + href: policy-csp-connectivity.md + - name: ControlPolicyConflict + href: policy-csp-controlpolicyconflict.md + - name: CredentialsDelegation + href: policy-csp-credentialsdelegation.md + - name: CredentialProviders + href: policy-csp-credentialproviders.md + - name: CredentialsUI + href: policy-csp-credentialsui.md + - name: Cryptography + href: policy-csp-cryptography.md + - name: DataProtection + href: policy-csp-dataprotection.md + - name: DataUsage + href: policy-csp-datausage.md + - name: Defender + href: policy-csp-defender.md + - name: DeliveryOptimization + href: policy-csp-deliveryoptimization.md + - name: Desktop + href: policy-csp-desktop.md + - name: DeviceGuard + href: policy-csp-deviceguard.md + - name: DeviceHealthMonitoring + href: policy-csp-devicehealthmonitoring.md + - name: DeviceInstallation + href: policy-csp-deviceinstallation.md + - name: DeviceLock + href: policy-csp-devicelock.md + - name: Display + href: policy-csp-display.md + - name: DmaGuard + href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md + - name: Education + href: policy-csp-education.md + - name: EnterpriseCloudPrint + href: policy-csp-enterprisecloudprint.md + - name: ErrorReporting + href: policy-csp-errorreporting.md + - name: EventLogService + href: policy-csp-eventlogservice.md + - name: Experience + href: policy-csp-experience.md + - name: ExploitGuard + href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md + - name: FileExplorer + href: policy-csp-fileexplorer.md + - name: Games + href: policy-csp-games.md + - name: Handwriting + href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md + - name: InternetExplorer + href: policy-csp-internetexplorer.md + - name: Kerberos + href: policy-csp-kerberos.md + - name: KioskBrowser + href: policy-csp-kioskbrowser.md + - name: LanmanWorkstation + href: policy-csp-lanmanworkstation.md + - name: Licensing + href: policy-csp-licensing.md + - name: LocalPoliciesSecurityOptions + href: policy-csp-localpoliciessecurityoptions.md + - name: LocalUsersAndGroups + href: policy-csp-localusersandgroups.md + - name: LockDown + href: policy-csp-lockdown.md + - name: Maps + href: policy-csp-maps.md + - name: MemoryDump + href: policy-csp-memorydump.md + - name: Messaging + href: policy-csp-messaging.md + - name: MixedReality + href: policy-csp-mixedreality.md + - name: MSSecurityGuide + href: policy-csp-mssecurityguide.md + - name: MSSLegacy + href: policy-csp-msslegacy.md + - name: Multitasking + href: policy-csp-multitasking.md + - name: NetworkIsolation + href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md + - name: NewsAndInterests + href: policy-csp-newsandinterests.md + - name: Notifications + href: policy-csp-notifications.md + - name: Power + href: policy-csp-power.md + - name: Printers + href: policy-csp-printers.md + - name: Privacy + href: policy-csp-privacy.md + - name: RemoteAssistance + href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md + - name: RemoteDesktopServices + href: policy-csp-remotedesktopservices.md + - name: RemoteManagement + href: policy-csp-remotemanagement.md + - name: RemoteProcedureCall + href: policy-csp-remoteprocedurecall.md + - name: RemoteShell + href: policy-csp-remoteshell.md + - name: RestrictedGroups + href: policy-csp-restrictedgroups.md + - name: Search + href: policy-csp-search.md + - name: Security + href: policy-csp-security.md + - name: ServiceControlManager + href: policy-csp-servicecontrolmanager.md + - name: Settings + href: policy-csp-settings.md + - name: Speech + href: policy-csp-speech.md + - name: Start + href: policy-csp-start.md + - name: Storage + href: policy-csp-storage.md + - name: System + href: policy-csp-system.md + - name: SystemServices + href: policy-csp-systemservices.md + - name: TaskManager + href: policy-csp-taskmanager.md + - name: TaskScheduler + href: policy-csp-taskscheduler.md + - name: TextInput + href: policy-csp-textinput.md + - name: TimeLanguageSettings + href: policy-csp-timelanguagesettings.md + - name: Troubleshooting + href: policy-csp-troubleshooting.md + - name: Update + href: policy-csp-update.md + - name: UserRights + href: policy-csp-userrights.md + - name: VirtualizationBasedTechnology + href: policy-csp-virtualizationbasedtechnology.md + - name: Wifi + href: policy-csp-wifi.md + - name: WindowsAutoPilot + href: policy-csp-windowsautopilot.md + - name: WindowsConnectionManager + href: policy-csp-windowsconnectionmanager.md + - name: WindowsDefenderSecurityCenter + href: policy-csp-windowsdefendersecuritycenter.md + - name: WindowsDefenderSmartScreen + href: policy-csp-smartscreen.md + - name: WindowsInkWorkspace + href: policy-csp-windowsinkworkspace.md + - name: WindowsLogon + href: policy-csp-windowslogon.md + - name: WindowsPowerShell + href: policy-csp-windowspowershell.md + - name: WindowsSandbox + href: policy-csp-windowssandbox.md + - name: WirelessDisplay + href: policy-csp-wirelessdisplay.md + - name: Provisioning CSP + href: provisioning-csp.md + - name: PXLOGICAL CSP + href: pxlogical-csp.md + - name: Reboot CSP + href: reboot-csp.md + items: + - name: Reboot DDF file + href: reboot-ddf-file.md + - name: RemoteFind CSP + href: remotefind-csp.md + items: + - name: RemoteFind DDF file + href: remotefind-ddf-file.md + - name: RemoteWipe CSP + href: remotewipe-csp.md + items: + - name: RemoteWipe DDF file + href: remotewipe-ddf-file.md + - name: Reporting CSP + href: reporting-csp.md + items: + - name: Reporting DDF file + href: reporting-ddf-file.md + - name: RootCATrustedCertificates CSP + href: rootcacertificates-csp.md + items: + - name: RootCATrustedCertificates DDF file + href: rootcacertificates-ddf-file.md + - name: SecureAssessment CSP + href: secureassessment-csp.md + items: + - name: SecureAssessment DDF file + href: secureassessment-ddf-file.md + - name: SecurityPolicy CSP + href: securitypolicy-csp.md + - name: SharedPC CSP + href: sharedpc-csp.md + items: + - name: SharedPC DDF file + href: sharedpc-ddf-file.md + - name: Storage CSP + href: storage-csp.md + items: + - name: Storage DDF file + href: storage-ddf-file.md + - name: SUPL CSP + href: supl-csp.md + items: + - name: SUPL DDF file + href: supl-ddf-file.md + - name: SurfaceHub CSP + href: surfacehub-csp.md + items: + - name: SurfaceHub DDF file + href: surfacehub-ddf-file.md + - name: TenantLockdown CSP + href: tenantlockdown-csp.md + items: + - name: TenantLockdown DDF file + href: tenantlockdown-ddf.md + - name: TPMPolicy CSP + href: tpmpolicy-csp.md + items: + - name: TPMPolicy DDF file + href: tpmpolicy-ddf-file.md + - name: UEFI CSP + href: uefi-csp.md + items: + - name: UEFI DDF file + href: uefi-ddf.md + - name: UnifiedWriteFilter CSP + href: unifiedwritefilter-csp.md + items: + - name: UnifiedWriteFilter DDF file + href: unifiedwritefilter-ddf.md + - name: UniversalPrint CSP + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md + - name: Update CSP + href: update-csp.md + items: + - name: Update DDF file + href: update-ddf-file.md + - name: VPN CSP + href: vpn-csp.md + items: + - name: VPN DDF file + href: vpn-ddf-file.md + - name: VPNv2 CSP + href: vpnv2-csp.md + items: + - name: VPNv2 DDF file + href: vpnv2-ddf-file.md + - name: ProfileXML XSD + href: vpnv2-profile-xsd.md + - name: EAP configuration + href: eap-configuration.md + - name: w4 APPLICATION CSP + href: w4-application-csp.md + - name: w7 APPLICATION CSP + href: w7-application-csp.md + - name: WiFi CSP + href: wifi-csp.md + items: + - name: WiFi DDF file + href: wifi-ddf-file.md + - name: Win32AppInventory CSP + href: win32appinventory-csp.md + items: + - name: Win32AppInventory DDF file + href: win32appinventory-ddf-file.md + - name: Win32CompatibilityAppraiser CSP + href: win32compatibilityappraiser-csp.md + items: + - name: Win32CompatibilityAppraiser DDF file + href: win32compatibilityappraiser-ddf.md + - name: WindowsAdvancedThreatProtection CSP + href: windowsadvancedthreatprotection-csp.md + items: + - name: WindowsAdvancedThreatProtection DDF file + href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutopilot CSP + href: windowsautopilot-csp.md + items: + - name: WindowsAutopilot DDF file + href: windowsautopilot-ddf-file.md + - name: WindowsDefenderApplicationGuard CSP + href: windowsdefenderapplicationguard-csp.md + items: + - name: WindowsDefenderApplicationGuard DDF file + href: windowsdefenderapplicationguard-ddf-file.md + - name: WindowsLicensing CSP + href: windowslicensing-csp.md + items: + - name: WindowsLicensing DDF file + href: windowslicensing-ddf-file.md + - name: WiredNetwork CSP + href: wirednetwork-csp.md + items: + - name: WiredNetwork DDF file + href: wirednetwork-ddf-file.md From 51d2581c901a48285a07553ab9b7a3c91c5662de Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 3 Aug 2022 10:21:54 -0500 Subject: [PATCH 20/77] Update windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md --- .../applocker/using-event-viewer-with-applocker.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index c034755acb..59111cd93d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -72,7 +72,7 @@ The following table contains information about the events that you can use to de | 8029 | Error | * was prevented from running due to Config CI policy.| Added in Windows Server 2016 and Windows 10.| | 8030 | Information | ManagedInstaller check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8031 | Information | SmartlockerFilter detected file * being written by process * | Added in Windows Server 2016 and Windows 10.| -| 8032 | Esrror | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| +| 8032 | Error | ManagedInstaller check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8033 | Warning | ManagedInstaller check FAILED during Appid verification of * . Allowed to run due to Audit AppLocker Policy. | Added in Windows Server 2016 and Windows 10.| | 8034 | Information | ManagedInstaller Script check FAILED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| | 8035 | Error | ManagedInstaller Script check SUCCEEDED during Appid verification of * | Added in Windows Server 2016 and Windows 10.| From 26c3ac581b9e30f2de73c0a96136c17b44af6e2d Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 3 Aug 2022 11:06:30 -0500 Subject: [PATCH 21/77] Update windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md --- .../allow-log-on-through-remote-desktop-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md index 1a7f1af9a1..595d9b29e8 100644 --- a/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md +++ b/windows/security/threat-protection/security-policy-settings/allow-log-on-through-remote-desktop-services.md @@ -1,6 +1,6 @@ --- title: Allow log on through Remote Desktop Services (Windows 10) -description: Best practices, location, values, policy management, and security considerations for the security policy setting, Allow a sign in through Remote Desktop Services. +description: Best practices, location, values, policy management, and security considerations for the security policy setting. Allow a sign-in through Remote Desktop Services. ms.assetid: 6267c376-8199-4f2b-ae56-9c5424e76798 ms.reviewer: ms.author: dansimp From 777d90e1f3705c4f9f2733baa9e0703abd60e95e Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 3 Aug 2022 12:24:56 -0400 Subject: [PATCH 22/77] More changes --- windows/client-management/mdm/toc.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 2e9e664a1f..5f0e2c8c5c 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -6,8 +6,6 @@ items: href: new-in-windows-mdm-enrollment-management.md - name: Change history for MDM documentation href: change-history-for-mdm-documentation.md - - name: Support for mobile application management on Windows - href: implement-server-side-mobile-application-management.md - name: Mobile device enrollment href: mobile-device-enrollment.md items: @@ -88,6 +86,8 @@ items: href: certificate-renewal-windows-mdm.md - name: Push notification support for device management href: push-notification-windows-mdm.md +- name: Support for mobile application management on Windows + href: implement-server-side-mobile-application-management.md - name: Using PowerShell scripting with the WMI Bridge Provider href: using-powershell-scripting-with-the-wmi-bridge-provider.md - name: WMI providers supported in Windows 10 From 3c80b701b5020db88937a871d42cd7ad171c8ede Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Wed, 3 Aug 2022 11:25:35 -0500 Subject: [PATCH 23/77] Update windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml --- .../microsoft-defender-application-guard/faq-md-app-guard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 3faf1c9416..603c2014c5 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -43,7 +43,7 @@ sections: To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can: - - Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral”. + - Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral.” - It must be an FQDN. A simple IP address won't work. - Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard. From 231a0fd12828d303072af31dcd886b85af6d9fe4 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 3 Aug 2022 12:35:11 -0400 Subject: [PATCH 24/77] More changes --- windows/client-management/mdm/toc.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 5f0e2c8c5c..28320c233a 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -84,16 +84,16 @@ items: href: config-lock.md - name: Certificate renewal href: certificate-renewal-windows-mdm.md -- name: Push notification support for device management - href: push-notification-windows-mdm.md -- name: Support for mobile application management on Windows - href: implement-server-side-mobile-application-management.md - name: Using PowerShell scripting with the WMI Bridge Provider href: using-powershell-scripting-with-the-wmi-bridge-provider.md - name: WMI providers supported in Windows 10 href: wmi-providers-supported-in-windows.md - name: Diagnose MDM failures in Windows 10 href: diagnose-mdm-failures-in-windows-10.md +- name: Push notification support for device management + href: push-notification-windows-mdm.md +- name: MAM support for device management + href: implement-server-side-mobile-application-management.md - name: OMA DM protocol support href: oma-dm-protocol-support.md items: From 74504f8f4e65d047c7a465a2f110f2c7da37c02c Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 3 Aug 2022 14:25:20 -0400 Subject: [PATCH 25/77] Test changes --- windows/client-management/mdm/toc.yml | 194 +++++++++++++------------- 1 file changed, 97 insertions(+), 97 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 28320c233a..88cd2cf968 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -1,109 +1,109 @@ items: -- name: Mobile device management +- name: Mobile Device Management href: index.md items: - name: What's new in MDM enrollment and management href: new-in-windows-mdm-enrollment-management.md - name: Change history for MDM documentation href: change-history-for-mdm-documentation.md -- name: Mobile device enrollment - href: mobile-device-enrollment.md - items: - - name: MDM enrollment of Windows devices - href: mdm-enrollment-of-windows-devices.md - - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal" - href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - - name: Enroll a Windows 10 device automatically using Group Policy - href: enroll-a-windows-10-device-automatically-using-group-policy.md - - name: Federated authentication device enrollment - href: federated-authentication-device-enrollment.md - - name: Certificate authentication device enrollment - href: certificate-authentication-device-enrollment.md - - name: On-premises authentication device enrollment - href: on-premise-authentication-device-enrollment.md - - name: Bulk enrollment - href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Disconnecting from the management infrastructure (unenrollment) - href: disconnecting-from-mdm-unenrollment.md -- name: Understanding ADMX policies - href: understanding-admx-backed-policies.md - items: - - name: Enable ADMX policies in MDM - href: enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: win32-and-centennial-app-policy-configuration.md -- name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md - items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md -- name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md - items: - - name: Enterprise app management - href: enterprise-app-management.md + - name: Device enrollment + href: mobile-device-enrollment.md items: - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Management tool for the Microsoft Store for Business - href: management-tool-for-windows-store-for-business.md - - name: REST API reference for Microsoft Store for Business - href: rest-api-reference-windows-store-for-business.md + - name: MDM enrollment of Windows devices + href: mdm-enrollment-of-windows-devices.md + - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal" + href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md + - name: Enroll a Windows 10 device automatically using Group Policy + href: enroll-a-windows-10-device-automatically-using-group-policy.md + - name: Federated authentication device enrollment + href: federated-authentication-device-enrollment.md + - name: Certificate authentication device enrollment + href: certificate-authentication-device-enrollment.md + - name: On-premises authentication device enrollment + href: on-premise-authentication-device-enrollment.md + - name: Bulk enrollment + href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Disconnecting from the management infrastructure (unenrollment) + href: disconnecting-from-mdm-unenrollment.md + - name: Understanding ADMX policies + href: understanding-admx-backed-policies.md + items: + - name: Enable ADMX policies in MDM + href: enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: win32-and-centennial-app-policy-configuration.md + - name: Azure Active Directory integration with MDM + href: azure-active-directory-integration-with-mdm.md + items: + - name: Add an Azure AD tenant and Azure AD subscription + href: add-an-azure-ad-tenant-and-azure-ad-subscription.md + - name: Register your free Azure Active Directory subscription + href: register-your-free-azure-active-directory-subscription.md + - name: Enterprise settings, policies, and app management + href: windows-mdm-enterprise-settings.md + items: + - name: Enterprise app management + href: enterprise-app-management.md items: - - name: Data structures for Microsoft Store for Business - href: data-structures-windows-store-for-business.md - - name: Get Inventory - href: get-inventory.md - - name: Get product details - href: get-product-details.md - - name: Get localized product details - href: get-localized-product-details.md - - name: Get offline license - href: get-offline-license.md - - name: Get product packages - href: get-product-packages.md - - name: Get product package - href: get-product-package.md - - name: Get seats - href: get-seats.md - - name: Get seat - href: get-seat.md - - name: Assign seats - href: assign-seats.md - - name: Reclaim seat from user - href: reclaim-seat-from-user.md - - name: Bulk assign and reclaim seats from users - href: bulk-assign-and-reclaim-seats-from-user.md - - name: Get seats assigned to a user - href: get-seats-assigned-to-a-user.md - - name: Mobile device management (MDM) for device updates - href: device-update-management.md - - name: Secured-Core PC Configuration Lock - href: config-lock.md - - name: Certificate renewal - href: certificate-renewal-windows-mdm.md -- name: Using PowerShell scripting with the WMI Bridge Provider - href: using-powershell-scripting-with-the-wmi-bridge-provider.md -- name: WMI providers supported in Windows 10 - href: wmi-providers-supported-in-windows.md -- name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md -- name: Push notification support for device management - href: push-notification-windows-mdm.md -- name: MAM support for device management - href: implement-server-side-mobile-application-management.md -- name: OMA DM protocol support - href: oma-dm-protocol-support.md - items: - - name: Structure of OMA DM provisioning files - href: structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: server-requirements-windows-mdm.md - - name: DMProcessConfigXMLFiltered - href: dmprocessconfigxmlfiltered.md -- name: Configuration service provider reference + - name: Deploy and configure App-V apps using MDM + href: appv-deploy-and-config.md + - name: Management tool for the Microsoft Store for Business + href: management-tool-for-windows-store-for-business.md + - name: REST API reference for Microsoft Store for Business + href: rest-api-reference-windows-store-for-business.md + items: + - name: Data structures for Microsoft Store for Business + href: data-structures-windows-store-for-business.md + - name: Get Inventory + href: get-inventory.md + - name: Get product details + href: get-product-details.md + - name: Get localized product details + href: get-localized-product-details.md + - name: Get offline license + href: get-offline-license.md + - name: Get product packages + href: get-product-packages.md + - name: Get product package + href: get-product-package.md + - name: Get seats + href: get-seats.md + - name: Get seat + href: get-seat.md + - name: Assign seats + href: assign-seats.md + - name: Reclaim seat from user + href: reclaim-seat-from-user.md + - name: Bulk assign and reclaim seats from users + href: bulk-assign-and-reclaim-seats-from-user.md + - name: Get seats assigned to a user + href: get-seats-assigned-to-a-user.md + - name: Mobile device management (MDM) for device updates + href: device-update-management.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md + - name: Certificate renewal + href: certificate-renewal-windows-mdm.md + - name: Using PowerShell scripting with the WMI Bridge Provider + href: using-powershell-scripting-with-the-wmi-bridge-provider.md + - name: WMI providers supported in Windows 10 + href: wmi-providers-supported-in-windows.md + - name: Diagnose MDM failures in Windows 10 + href: diagnose-mdm-failures-in-windows-10.md + - name: Push notification support for device management + href: push-notification-windows-mdm.md + - name: MAM support for device management + href: implement-server-side-mobile-application-management.md + - name: OMA DM protocol support + href: oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: server-requirements-windows-mdm.md + - name: DMProcessConfigXMLFiltered + href: dmprocessconfigxmlfiltered.md + - name: Configuration service provider reference href: configuration-service-provider-reference.md items: - name: AccountManagement CSP From 2b3e8f3690441f253dd1d4f48488a417067114ea Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 3 Aug 2022 14:28:27 -0400 Subject: [PATCH 26/77] Fix yaml --- windows/client-management/mdm/toc.yml | 1738 ++++++++++++------------- 1 file changed, 869 insertions(+), 869 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 88cd2cf968..2b93a887bd 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -104,872 +104,872 @@ items: - name: DMProcessConfigXMLFiltered href: dmprocessconfigxmlfiltered.md - name: Configuration service provider reference - href: configuration-service-provider-reference.md - items: - - name: AccountManagement CSP - href: accountmanagement-csp.md - items: - - name: AccountManagement DDF file - href: accountmanagement-ddf.md - - name: Accounts CSP - href: accounts-csp.md - items: - - name: Accounts DDF file - href: accounts-ddf-file.md - - name: ActiveSync CSP - href: activesync-csp.md - items: - - name: ActiveSync DDF file - href: activesync-ddf-file.md - - name: AllJoynManagement CSP - href: alljoynmanagement-csp.md - items: - - name: AllJoynManagement DDF - href: alljoynmanagement-ddf.md - - name: APPLICATION CSP - href: application-csp.md - - name: ApplicationControl CSP - href: applicationcontrol-csp.md - items: - - name: ApplicationControl DDF file - href: applicationcontrol-csp-ddf.md - - name: AppLocker CSP - href: applocker-csp.md - items: - - name: AppLocker DDF file - href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - - name: AssignedAccess CSP - href: assignedaccess-csp.md - items: - - name: AssignedAccess DDF file - href: assignedaccess-ddf.md - - name: BitLocker CSP - href: bitlocker-csp.md - items: - - name: BitLocker DDF file - href: bitlocker-ddf-file.md - - name: CellularSettings CSP - href: cellularsettings-csp.md - - name: CertificateStore CSP - href: certificatestore-csp.md - items: - - name: CertificateStore DDF file - href: certificatestore-ddf-file.md - - name: CleanPC CSP - href: cleanpc-csp.md - items: - - name: CleanPC DDF - href: cleanpc-ddf.md - - name: ClientCertificateInstall CSP - href: clientcertificateinstall-csp.md - items: - - name: ClientCertificateInstall DDF file - href: clientcertificateinstall-ddf-file.md - - name: CM_CellularEntries CSP - href: cm-cellularentries-csp.md - - name: CMPolicy CSP - href: cmpolicy-csp.md - - name: CMPolicyEnterprise CSP - href: cmpolicyenterprise-csp.md - items: - - name: CMPolicyEnterprise DDF file - href: cmpolicyenterprise-ddf-file.md - - name: CustomDeviceUI CSP - href: customdeviceui-csp.md - items: - - name: CustomDeviceUI DDF file - href: customdeviceui-ddf.md - - name: Defender CSP - href: defender-csp.md - items: - - name: Defender DDF file - href: defender-ddf.md - - name: DevDetail CSP - href: devdetail-csp.md - items: - - name: DevDetail DDF file - href: devdetail-ddf-file.md - - name: DeveloperSetup CSP - href: developersetup-csp.md - items: - - name: DeveloperSetup DDF - href: developersetup-ddf.md - - name: DeviceLock CSP - href: devicelock-csp.md - items: - - name: DeviceLock DDF file - href: devicelock-ddf-file.md - - name: DeviceManageability CSP - href: devicemanageability-csp.md - items: - - name: DeviceManageability DDF - href: devicemanageability-ddf.md - - name: DeviceStatus CSP - href: devicestatus-csp.md - items: - - name: DeviceStatus DDF - href: devicestatus-ddf.md - - name: DevInfo CSP - href: devinfo-csp.md - items: - - name: DevInfo DDF file - href: devinfo-ddf-file.md - - name: DiagnosticLog CSP - href: diagnosticlog-csp.md - items: - - name: DiagnosticLog DDF file - href: diagnosticlog-ddf.md - - name: DMAcc CSP - href: dmacc-csp.md - items: - - name: DMAcc DDF file - href: dmacc-ddf-file.md - - name: DMClient CSP - href: dmclient-csp.md - items: - - name: DMClient DDF file - href: dmclient-ddf-file.md - - name: DMSessionActions CSP - href: dmsessionactions-csp.md - items: - - name: DMSessionActions DDF file - href: dmsessionactions-ddf.md - - name: DynamicManagement CSP - href: dynamicmanagement-csp.md - items: - - name: DynamicManagement DDF file - href: dynamicmanagement-ddf.md - - name: EMAIL2 CSP - href: email2-csp.md - items: - - name: EMAIL2 DDF file - href: email2-ddf-file.md - - name: EnrollmentStatusTracking CSP - href: enrollmentstatustracking-csp.md - items: - - name: EnrollmentStatusTracking DDF file - href: enrollmentstatustracking-csp-ddf.md - - name: EnterpriseAPN CSP - href: enterpriseapn-csp.md - items: - - name: EnterpriseAPN DDF - href: enterpriseapn-ddf.md - - name: EnterpriseAppVManagement CSP - href: enterpriseappvmanagement-csp.md - items: - - name: EnterpriseAppVManagement DDF file - href: enterpriseappvmanagement-ddf.md - - name: EnterpriseDataProtection CSP - href: enterprisedataprotection-csp.md - items: - - name: EnterpriseDataProtection DDF file - href: enterprisedataprotection-ddf-file.md - - name: EnterpriseDesktopAppManagement CSP - href: enterprisedesktopappmanagement-csp.md - items: - - name: EnterpriseDesktopAppManagement DDF - href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - - name: EnterpriseModernAppManagement CSP - href: enterprisemodernappmanagement-csp.md - items: - - name: EnterpriseModernAppManagement DDF - href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - - name: eUICCs CSP - href: euiccs-csp.md - items: - - name: eUICCs DDF file - href: euiccs-ddf-file.md - - name: Firewall CSP - href: firewall-csp.md - items: - - name: Firewall DDF file - href: firewall-ddf-file.md - - name: HealthAttestation CSP - href: healthattestation-csp.md - items: - - name: HealthAttestation DDF - href: healthattestation-ddf.md - - name: MultiSIM CSP - href: multisim-csp.md - items: - - name: MultiSIM DDF file - href: multisim-ddf.md - - name: NAP CSP - href: nap-csp.md - - name: NAPDEF CSP - href: napdef-csp.md - - name: NetworkProxy CSP - href: networkproxy-csp.md - items: - - name: NetworkProxy DDF file - href: networkproxy-ddf.md - - name: NetworkQoSPolicy CSP - href: networkqospolicy-csp.md - items: - - name: NetworkQoSPolicy DDF file - href: networkqospolicy-ddf.md - - name: NodeCache CSP - href: nodecache-csp.md - items: - - name: NodeCache DDF file - href: nodecache-ddf-file.md - - name: Office CSP - href: office-csp.md - items: - - name: Office DDF - href: office-ddf.md - - name: PassportForWork CSP - href: passportforwork-csp.md - items: - - name: PassportForWork DDF file - href: passportforwork-ddf.md - - name: Personalization CSP - href: personalization-csp.md - items: - - name: Personalization DDF file - href: personalization-ddf.md - - name: Policy CSP - href: policy-configuration-service-provider.md - items: - - name: Policy CSP DDF file - href: policy-ddf-file.md - - name: Policies in Policy CSP supported by Group Policy - href: policies-in-policy-csp-supported-by-group-policy.md - - name: ADMX policies in Policy CSP - href: policies-in-policy-csp-admx-backed.md - - name: Policies in Policy CSP supported by HoloLens 2 - href: policies-in-policy-csp-supported-by-hololens2.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite - href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition - href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md - - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise - href: ./configuration-service-provider-reference.md - - name: Policies in Policy CSP supported by Windows 10 IoT Core - href: policies-in-policy-csp-supported-by-iot-core.md - - name: Policies in Policy CSP supported by Microsoft Surface Hub - href: policies-in-policy-csp-supported-by-surface-hub.md - - name: Policy CSPs that can be set using Exchange Active Sync (EAS) - href: policies-in-policy-csp-that-can-be-set-using-eas.md - - name: AboveLock - href: policy-csp-abovelock.md - - name: Accounts - href: policy-csp-accounts.md - - name: ActiveXControls - href: policy-csp-activexcontrols.md - - name: ADMX_ActiveXInstallService - href: policy-csp-admx-activexinstallservice.md - - name: ADMX_AddRemovePrograms - href: policy-csp-admx-addremoveprograms.md - - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md - - name: ADMX_AppCompat - href: policy-csp-admx-appcompat.md - - name: ADMX_AppxPackageManager - href: policy-csp-admx-appxpackagemanager.md - - name: ADMX_AppXRuntime - href: policy-csp-admx-appxruntime.md - - name: ADMX_AttachmentManager - href: policy-csp-admx-attachmentmanager.md - - name: ADMX_AuditSettings - href: policy-csp-admx-auditsettings.md - - name: ADMX_Bits - href: policy-csp-admx-bits.md - - name: ADMX_CipherSuiteOrder - href: policy-csp-admx-ciphersuiteorder.md - - name: ADMX_COM - href: policy-csp-admx-com.md - - name: ADMX_ControlPanel - href: policy-csp-admx-controlpanel.md - - name: ADMX_ControlPanelDisplay - href: policy-csp-admx-controlpaneldisplay.md - - name: ADMX_Cpls - href: policy-csp-admx-cpls.md - - name: ADMX_CredentialProviders - href: policy-csp-admx-credentialproviders.md - - name: ADMX_CredSsp - href: policy-csp-admx-credssp.md - - name: ADMX_CredUI - href: policy-csp-admx-credui.md - - name: ADMX_CtrlAltDel - href: policy-csp-admx-ctrlaltdel.md - - name: ADMX_DataCollection - href: policy-csp-admx-datacollection.md - - name: ADMX_DCOM - href: policy-csp-admx-dcom.md - - name: ADMX_Desktop - href: policy-csp-admx-desktop.md - - name: ADMX_DeviceCompat - href: policy-csp-admx-devicecompat.md - - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md - - name: ADMX_DeviceInstallation - href: policy-csp-admx-deviceinstallation.md - - name: ADMX_DeviceSetup - href: policy-csp-admx-devicesetup.md - - name: ADMX_DFS - href: policy-csp-admx-dfs.md - - name: ADMX_DigitalLocker - href: policy-csp-admx-digitallocker.md - - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md - - name: ADMX_DistributedLinkTracking - href: policy-csp-admx-distributedlinktracking.md - - name: ADMX_DnsClient - href: policy-csp-admx-dnsclient.md - - name: ADMX_DWM - href: policy-csp-admx-dwm.md - - name: ADMX_EAIME - href: policy-csp-admx-eaime.md - - name: ADMX_EncryptFilesonMove - href: policy-csp-admx-encryptfilesonmove.md - - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md - - name: ADMX_EnhancedStorage - href: policy-csp-admx-enhancedstorage.md - - name: ADMX_ErrorReporting - href: policy-csp-admx-errorreporting.md - - name: ADMX_EventForwarding - href: policy-csp-admx-eventforwarding.md - - name: ADMX_EventLog - href: policy-csp-admx-eventlog.md - - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md - - name: ADMX_Explorer - href: policy-csp-admx-explorer.md - - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: ADMX_FileRecovery - href: policy-csp-admx-filerecovery.md - - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md - - name: ADMX_FileServerVSSProvider - href: policy-csp-admx-fileservervssprovider.md - - name: ADMX_FileSys - href: policy-csp-admx-filesys.md - - name: ADMX_FolderRedirection - href: policy-csp-admx-folderredirection.md - - name: ADMX_FramePanes - href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md - - name: ADMX_Globalization - href: policy-csp-admx-globalization.md - - name: ADMX_GroupPolicy - href: policy-csp-admx-grouppolicy.md - - name: ADMX_Help - href: policy-csp-admx-help.md - - name: ADMX_HelpAndSupport - href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth - href: policy-csp-admx-hotspotauth.md - - name: ADMX_ICM - href: policy-csp-admx-icm.md - - name: ADMX_IIS - href: policy-csp-admx-iis.md - - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md - - name: ADMX_kdc - href: policy-csp-admx-kdc.md - - name: ADMX_Kerberos - href: policy-csp-admx-kerberos.md - - name: ADMX_LanmanServer - href: policy-csp-admx-lanmanserver.md - - name: ADMX_LanmanWorkstation - href: policy-csp-admx-lanmanworkstation.md - - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md - - name: ADMX_LinkLayerTopologyDiscovery - href: policy-csp-admx-linklayertopologydiscovery.md - - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md - - name: ADMX_Logon - href: policy-csp-admx-logon.md - - name: ADMX_MicrosoftDefenderAntivirus - href: policy-csp-admx-microsoftdefenderantivirus.md - - name: ADMX_MMC - href: policy-csp-admx-mmc.md - - name: ADMX_MMCSnapins - href: policy-csp-admx-mmcsnapins.md - - name: ADMX_MobilePCMobilityCenter - href: policy-csp-admx-mobilepcmobilitycenter.md - - name: ADMX_MobilePCPresentationSettings - href: policy-csp-admx-mobilepcpresentationsettings.md - - name: ADMX_MSAPolicy - href: policy-csp-admx-msapolicy.md - - name: ADMX_msched - href: policy-csp-admx-msched.md - - name: ADMX_MSDT - href: policy-csp-admx-msdt.md - - name: ADMX_MSI - href: policy-csp-admx-msi.md - - name: ADMX_MsiFileRecovery - href: policy-csp-admx-msifilerecovery.md - - name: ADMX_nca - href: policy-csp-admx-nca.md - - name: ADMX_NCSI - href: policy-csp-admx-ncsi.md - - name: ADMX_Netlogon - href: policy-csp-admx-netlogon.md - - name: ADMX_NetworkConnections - href: policy-csp-admx-networkconnections.md - - name: ADMX_OfflineFiles - href: policy-csp-admx-offlinefiles.md - - name: ADMX_pca - href: policy-csp-admx-pca.md - - name: ADMX_PeerToPeerCaching - href: policy-csp-admx-peertopeercaching.md - - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md - - name: ADMX_PerformanceDiagnostics - href: policy-csp-admx-performancediagnostics.md - - name: ADMX_Power - href: policy-csp-admx-power.md - - name: ADMX_PowerShellExecutionPolicy - href: policy-csp-admx-powershellexecutionpolicy.md - - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md - - name: ADMX_Printing - href: policy-csp-admx-printing.md - - name: ADMX_Printing2 - href: policy-csp-admx-printing2.md - - name: ADMX_Programs - href: policy-csp-admx-programs.md - - name: ADMX_Reliability - href: policy-csp-admx-reliability.md - - name: ADMX_RemoteAssistance - href: policy-csp-admx-remoteassistance.md - - name: ADMX_RemovableStorage - href: policy-csp-admx-removablestorage.md - - name: ADMX_RPC - href: policy-csp-admx-rpc.md - - name: ADMX_Scripts - href: policy-csp-admx-scripts.md - - name: ADMX_sdiageng - href: policy-csp-admx-sdiageng.md - - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md - - name: ADMX_Securitycenter - href: policy-csp-admx-securitycenter.md - - name: ADMX_Sensors - href: policy-csp-admx-sensors.md - - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md - - name: ADMX_Servicing - href: policy-csp-admx-servicing.md - - name: ADMX_SettingSync - href: policy-csp-admx-settingsync.md - - name: ADMX_SharedFolders - href: policy-csp-admx-sharedfolders.md - - name: ADMX_Sharing - href: policy-csp-admx-sharing.md - - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_Smartcard - href: policy-csp-admx-smartcard.md - - name: ADMX_Snmp - href: policy-csp-admx-snmp.md - - name: ADMX_StartMenu - href: policy-csp-admx-startmenu.md - - name: ADMX_SystemRestore - href: policy-csp-admx-systemrestore.md - - name: ADMX_TabletShell - href: policy-csp-admx-tabletshell.md - - name: ADMX_Taskbar - href: policy-csp-admx-taskbar.md - - name: ADMX_tcpip - href: policy-csp-admx-tcpip.md - - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md - - name: ADMX_Thumbnails - href: policy-csp-admx-thumbnails.md - - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md - - name: ADMX_TPM - href: policy-csp-admx-tpm.md - - name: ADMX_UserExperienceVirtualization - href: policy-csp-admx-userexperiencevirtualization.md - - name: ADMX_UserProfiles - href: policy-csp-admx-userprofiles.md - - name: ADMX_W32Time - href: policy-csp-admx-w32time.md - - name: ADMX_WCM - href: policy-csp-admx-wcm.md - - name: ADMX_WDI - href: policy-csp-admx-wdi.md - - name: ADMX_WinCal - href: policy-csp-admx-wincal.md - - name: ADMX_WindowsConnectNow - href: policy-csp-admx-windowsconnectnow.md - - name: ADMX_WindowsExplorer - href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsMediaDRM - href: policy-csp-admx-windowsmediadrm.md - - name: ADMX_WindowsMediaPlayer - href: policy-csp-admx-windowsmediaplayer.md - - name: ADMX_WindowsRemoteManagement - href: policy-csp-admx-windowsremotemanagement.md - - name: ADMX_WindowsStore - href: policy-csp-admx-windowsstore.md - - name: ADMX_WinInit - href: policy-csp-admx-wininit.md - - name: ADMX_WinLogon - href: policy-csp-admx-winlogon.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - - name: ADMX_wlansvc - href: policy-csp-admx-wlansvc.md - - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md - - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md - - name: ADMX_WPN - href: policy-csp-admx-wpn.md - - name: ApplicationDefaults - href: policy-csp-applicationdefaults.md - - name: ApplicationManagement - href: policy-csp-applicationmanagement.md - - name: AppRuntime - href: policy-csp-appruntime.md - - name: AppVirtualization - href: policy-csp-appvirtualization.md - - name: AttachmentManager - href: policy-csp-attachmentmanager.md - - name: Audit - href: policy-csp-audit.md - - name: Authentication - href: policy-csp-authentication.md - - name: Autoplay - href: policy-csp-autoplay.md - - name: BitLocker - href: policy-csp-bitlocker.md - - name: BITS - href: policy-csp-bits.md - - name: Bluetooth - href: policy-csp-bluetooth.md - - name: Browser - href: policy-csp-browser.md - - name: Camera - href: policy-csp-camera.md - - name: Cellular - href: policy-csp-cellular.md - - name: Connectivity - href: policy-csp-connectivity.md - - name: ControlPolicyConflict - href: policy-csp-controlpolicyconflict.md - - name: CredentialsDelegation - href: policy-csp-credentialsdelegation.md - - name: CredentialProviders - href: policy-csp-credentialproviders.md - - name: CredentialsUI - href: policy-csp-credentialsui.md - - name: Cryptography - href: policy-csp-cryptography.md - - name: DataProtection - href: policy-csp-dataprotection.md - - name: DataUsage - href: policy-csp-datausage.md - - name: Defender - href: policy-csp-defender.md - - name: DeliveryOptimization - href: policy-csp-deliveryoptimization.md - - name: Desktop - href: policy-csp-desktop.md - - name: DeviceGuard - href: policy-csp-deviceguard.md - - name: DeviceHealthMonitoring - href: policy-csp-devicehealthmonitoring.md - - name: DeviceInstallation - href: policy-csp-deviceinstallation.md - - name: DeviceLock - href: policy-csp-devicelock.md - - name: Display - href: policy-csp-display.md - - name: DmaGuard - href: policy-csp-dmaguard.md - - name: EAP - href: policy-csp-eap.md - - name: Education - href: policy-csp-education.md - - name: EnterpriseCloudPrint - href: policy-csp-enterprisecloudprint.md - - name: ErrorReporting - href: policy-csp-errorreporting.md - - name: EventLogService - href: policy-csp-eventlogservice.md - - name: Experience - href: policy-csp-experience.md - - name: ExploitGuard - href: policy-csp-exploitguard.md - - name: Feeds - href: policy-csp-feeds.md - - name: FileExplorer - href: policy-csp-fileexplorer.md - - name: Games - href: policy-csp-games.md - - name: Handwriting - href: policy-csp-handwriting.md - - name: HumanPresence - href: policy-csp-humanpresence.md - - name: InternetExplorer - href: policy-csp-internetexplorer.md - - name: Kerberos - href: policy-csp-kerberos.md - - name: KioskBrowser - href: policy-csp-kioskbrowser.md - - name: LanmanWorkstation - href: policy-csp-lanmanworkstation.md - - name: Licensing - href: policy-csp-licensing.md - - name: LocalPoliciesSecurityOptions - href: policy-csp-localpoliciessecurityoptions.md - - name: LocalUsersAndGroups - href: policy-csp-localusersandgroups.md - - name: LockDown - href: policy-csp-lockdown.md - - name: Maps - href: policy-csp-maps.md - - name: MemoryDump - href: policy-csp-memorydump.md - - name: Messaging - href: policy-csp-messaging.md - - name: MixedReality - href: policy-csp-mixedreality.md - - name: MSSecurityGuide - href: policy-csp-mssecurityguide.md - - name: MSSLegacy - href: policy-csp-msslegacy.md - - name: Multitasking - href: policy-csp-multitasking.md - - name: NetworkIsolation - href: policy-csp-networkisolation.md - - name: NetworkListManager - href: policy-csp-networklistmanager.md - - name: NewsAndInterests - href: policy-csp-newsandinterests.md - - name: Notifications - href: policy-csp-notifications.md - - name: Power - href: policy-csp-power.md - - name: Printers - href: policy-csp-printers.md - - name: Privacy - href: policy-csp-privacy.md - - name: RemoteAssistance - href: policy-csp-remoteassistance.md - - name: RemoteDesktop - href: policy-csp-remotedesktop.md - - name: RemoteDesktopServices - href: policy-csp-remotedesktopservices.md - - name: RemoteManagement - href: policy-csp-remotemanagement.md - - name: RemoteProcedureCall - href: policy-csp-remoteprocedurecall.md - - name: RemoteShell - href: policy-csp-remoteshell.md - - name: RestrictedGroups - href: policy-csp-restrictedgroups.md - - name: Search - href: policy-csp-search.md - - name: Security - href: policy-csp-security.md - - name: ServiceControlManager - href: policy-csp-servicecontrolmanager.md - - name: Settings - href: policy-csp-settings.md - - name: Speech - href: policy-csp-speech.md - - name: Start - href: policy-csp-start.md - - name: Storage - href: policy-csp-storage.md - - name: System - href: policy-csp-system.md - - name: SystemServices - href: policy-csp-systemservices.md - - name: TaskManager - href: policy-csp-taskmanager.md - - name: TaskScheduler - href: policy-csp-taskscheduler.md - - name: TextInput - href: policy-csp-textinput.md - - name: TimeLanguageSettings - href: policy-csp-timelanguagesettings.md - - name: Troubleshooting - href: policy-csp-troubleshooting.md - - name: Update - href: policy-csp-update.md - - name: UserRights - href: policy-csp-userrights.md - - name: VirtualizationBasedTechnology - href: policy-csp-virtualizationbasedtechnology.md - - name: Wifi - href: policy-csp-wifi.md - - name: WindowsAutoPilot - href: policy-csp-windowsautopilot.md - - name: WindowsConnectionManager - href: policy-csp-windowsconnectionmanager.md - - name: WindowsDefenderSecurityCenter - href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - - name: WindowsInkWorkspace - href: policy-csp-windowsinkworkspace.md - - name: WindowsLogon - href: policy-csp-windowslogon.md - - name: WindowsPowerShell - href: policy-csp-windowspowershell.md - - name: WindowsSandbox - href: policy-csp-windowssandbox.md - - name: WirelessDisplay - href: policy-csp-wirelessdisplay.md - - name: Provisioning CSP - href: provisioning-csp.md - - name: PXLOGICAL CSP - href: pxlogical-csp.md - - name: Reboot CSP - href: reboot-csp.md - items: - - name: Reboot DDF file - href: reboot-ddf-file.md - - name: RemoteFind CSP - href: remotefind-csp.md - items: - - name: RemoteFind DDF file - href: remotefind-ddf-file.md - - name: RemoteWipe CSP - href: remotewipe-csp.md - items: - - name: RemoteWipe DDF file - href: remotewipe-ddf-file.md - - name: Reporting CSP - href: reporting-csp.md - items: - - name: Reporting DDF file - href: reporting-ddf-file.md - - name: RootCATrustedCertificates CSP - href: rootcacertificates-csp.md - items: - - name: RootCATrustedCertificates DDF file - href: rootcacertificates-ddf-file.md - - name: SecureAssessment CSP - href: secureassessment-csp.md - items: - - name: SecureAssessment DDF file - href: secureassessment-ddf-file.md - - name: SecurityPolicy CSP - href: securitypolicy-csp.md - - name: SharedPC CSP - href: sharedpc-csp.md - items: - - name: SharedPC DDF file - href: sharedpc-ddf-file.md - - name: Storage CSP - href: storage-csp.md - items: - - name: Storage DDF file - href: storage-ddf-file.md - - name: SUPL CSP - href: supl-csp.md - items: - - name: SUPL DDF file - href: supl-ddf-file.md - - name: SurfaceHub CSP - href: surfacehub-csp.md - items: - - name: SurfaceHub DDF file - href: surfacehub-ddf-file.md - - name: TenantLockdown CSP - href: tenantlockdown-csp.md - items: - - name: TenantLockdown DDF file - href: tenantlockdown-ddf.md - - name: TPMPolicy CSP - href: tpmpolicy-csp.md - items: - - name: TPMPolicy DDF file - href: tpmpolicy-ddf-file.md - - name: UEFI CSP - href: uefi-csp.md - items: - - name: UEFI DDF file - href: uefi-ddf.md - - name: UnifiedWriteFilter CSP - href: unifiedwritefilter-csp.md - items: - - name: UnifiedWriteFilter DDF file - href: unifiedwritefilter-ddf.md - - name: UniversalPrint CSP - href: universalprint-csp.md - items: - - name: UniversalPrint DDF file - href: universalprint-ddf-file.md - - name: Update CSP - href: update-csp.md - items: - - name: Update DDF file - href: update-ddf-file.md - - name: VPN CSP - href: vpn-csp.md - items: - - name: VPN DDF file - href: vpn-ddf-file.md - - name: VPNv2 CSP - href: vpnv2-csp.md - items: - - name: VPNv2 DDF file - href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - - name: EAP configuration - href: eap-configuration.md - - name: w4 APPLICATION CSP - href: w4-application-csp.md - - name: w7 APPLICATION CSP - href: w7-application-csp.md - - name: WiFi CSP - href: wifi-csp.md - items: - - name: WiFi DDF file - href: wifi-ddf-file.md - - name: Win32AppInventory CSP - href: win32appinventory-csp.md - items: - - name: Win32AppInventory DDF file - href: win32appinventory-ddf-file.md - - name: Win32CompatibilityAppraiser CSP - href: win32compatibilityappraiser-csp.md - items: - - name: Win32CompatibilityAppraiser DDF file - href: win32compatibilityappraiser-ddf.md - - name: WindowsAdvancedThreatProtection CSP - href: windowsadvancedthreatprotection-csp.md - items: - - name: WindowsAdvancedThreatProtection DDF file - href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutopilot CSP - href: windowsautopilot-csp.md - items: - - name: WindowsAutopilot DDF file - href: windowsautopilot-ddf-file.md - - name: WindowsDefenderApplicationGuard CSP - href: windowsdefenderapplicationguard-csp.md - items: - - name: WindowsDefenderApplicationGuard DDF file - href: windowsdefenderapplicationguard-ddf-file.md - - name: WindowsLicensing CSP - href: windowslicensing-csp.md - items: - - name: WindowsLicensing DDF file - href: windowslicensing-ddf-file.md - - name: WiredNetwork CSP - href: wirednetwork-csp.md - items: - - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md + href: configuration-service-provider-reference.md + items: + - name: AccountManagement CSP + href: accountmanagement-csp.md + items: + - name: AccountManagement DDF file + href: accountmanagement-ddf.md + - name: Accounts CSP + href: accounts-csp.md + items: + - name: Accounts DDF file + href: accounts-ddf-file.md + - name: ActiveSync CSP + href: activesync-csp.md + items: + - name: ActiveSync DDF file + href: activesync-ddf-file.md + - name: AllJoynManagement CSP + href: alljoynmanagement-csp.md + items: + - name: AllJoynManagement DDF + href: alljoynmanagement-ddf.md + - name: APPLICATION CSP + href: application-csp.md + - name: ApplicationControl CSP + href: applicationcontrol-csp.md + items: + - name: ApplicationControl DDF file + href: applicationcontrol-csp-ddf.md + - name: AppLocker CSP + href: applocker-csp.md + items: + - name: AppLocker DDF file + href: applocker-ddf-file.md + - name: AppLocker XSD + href: applocker-xsd.md + - name: AssignedAccess CSP + href: assignedaccess-csp.md + items: + - name: AssignedAccess DDF file + href: assignedaccess-ddf.md + - name: BitLocker CSP + href: bitlocker-csp.md + items: + - name: BitLocker DDF file + href: bitlocker-ddf-file.md + - name: CellularSettings CSP + href: cellularsettings-csp.md + - name: CertificateStore CSP + href: certificatestore-csp.md + items: + - name: CertificateStore DDF file + href: certificatestore-ddf-file.md + - name: CleanPC CSP + href: cleanpc-csp.md + items: + - name: CleanPC DDF + href: cleanpc-ddf.md + - name: ClientCertificateInstall CSP + href: clientcertificateinstall-csp.md + items: + - name: ClientCertificateInstall DDF file + href: clientcertificateinstall-ddf-file.md + - name: CM_CellularEntries CSP + href: cm-cellularentries-csp.md + - name: CMPolicy CSP + href: cmpolicy-csp.md + - name: CMPolicyEnterprise CSP + href: cmpolicyenterprise-csp.md + items: + - name: CMPolicyEnterprise DDF file + href: cmpolicyenterprise-ddf-file.md + - name: CustomDeviceUI CSP + href: customdeviceui-csp.md + items: + - name: CustomDeviceUI DDF file + href: customdeviceui-ddf.md + - name: Defender CSP + href: defender-csp.md + items: + - name: Defender DDF file + href: defender-ddf.md + - name: DevDetail CSP + href: devdetail-csp.md + items: + - name: DevDetail DDF file + href: devdetail-ddf-file.md + - name: DeveloperSetup CSP + href: developersetup-csp.md + items: + - name: DeveloperSetup DDF + href: developersetup-ddf.md + - name: DeviceLock CSP + href: devicelock-csp.md + items: + - name: DeviceLock DDF file + href: devicelock-ddf-file.md + - name: DeviceManageability CSP + href: devicemanageability-csp.md + items: + - name: DeviceManageability DDF + href: devicemanageability-ddf.md + - name: DeviceStatus CSP + href: devicestatus-csp.md + items: + - name: DeviceStatus DDF + href: devicestatus-ddf.md + - name: DevInfo CSP + href: devinfo-csp.md + items: + - name: DevInfo DDF file + href: devinfo-ddf-file.md + - name: DiagnosticLog CSP + href: diagnosticlog-csp.md + items: + - name: DiagnosticLog DDF file + href: diagnosticlog-ddf.md + - name: DMAcc CSP + href: dmacc-csp.md + items: + - name: DMAcc DDF file + href: dmacc-ddf-file.md + - name: DMClient CSP + href: dmclient-csp.md + items: + - name: DMClient DDF file + href: dmclient-ddf-file.md + - name: DMSessionActions CSP + href: dmsessionactions-csp.md + items: + - name: DMSessionActions DDF file + href: dmsessionactions-ddf.md + - name: DynamicManagement CSP + href: dynamicmanagement-csp.md + items: + - name: DynamicManagement DDF file + href: dynamicmanagement-ddf.md + - name: EMAIL2 CSP + href: email2-csp.md + items: + - name: EMAIL2 DDF file + href: email2-ddf-file.md + - name: EnrollmentStatusTracking CSP + href: enrollmentstatustracking-csp.md + items: + - name: EnrollmentStatusTracking DDF file + href: enrollmentstatustracking-csp-ddf.md + - name: EnterpriseAPN CSP + href: enterpriseapn-csp.md + items: + - name: EnterpriseAPN DDF + href: enterpriseapn-ddf.md + - name: EnterpriseAppVManagement CSP + href: enterpriseappvmanagement-csp.md + items: + - name: EnterpriseAppVManagement DDF file + href: enterpriseappvmanagement-ddf.md + - name: EnterpriseDataProtection CSP + href: enterprisedataprotection-csp.md + items: + - name: EnterpriseDataProtection DDF file + href: enterprisedataprotection-ddf-file.md + - name: EnterpriseDesktopAppManagement CSP + href: enterprisedesktopappmanagement-csp.md + items: + - name: EnterpriseDesktopAppManagement DDF + href: enterprisedesktopappmanagement-ddf-file.md + - name: EnterpriseDesktopAppManagement XSD + href: enterprisedesktopappmanagement2-xsd.md + - name: EnterpriseModernAppManagement CSP + href: enterprisemodernappmanagement-csp.md + items: + - name: EnterpriseModernAppManagement DDF + href: enterprisemodernappmanagement-ddf.md + - name: EnterpriseModernAppManagement XSD + href: enterprisemodernappmanagement-xsd.md + - name: eUICCs CSP + href: euiccs-csp.md + items: + - name: eUICCs DDF file + href: euiccs-ddf-file.md + - name: Firewall CSP + href: firewall-csp.md + items: + - name: Firewall DDF file + href: firewall-ddf-file.md + - name: HealthAttestation CSP + href: healthattestation-csp.md + items: + - name: HealthAttestation DDF + href: healthattestation-ddf.md + - name: MultiSIM CSP + href: multisim-csp.md + items: + - name: MultiSIM DDF file + href: multisim-ddf.md + - name: NAP CSP + href: nap-csp.md + - name: NAPDEF CSP + href: napdef-csp.md + - name: NetworkProxy CSP + href: networkproxy-csp.md + items: + - name: NetworkProxy DDF file + href: networkproxy-ddf.md + - name: NetworkQoSPolicy CSP + href: networkqospolicy-csp.md + items: + - name: NetworkQoSPolicy DDF file + href: networkqospolicy-ddf.md + - name: NodeCache CSP + href: nodecache-csp.md + items: + - name: NodeCache DDF file + href: nodecache-ddf-file.md + - name: Office CSP + href: office-csp.md + items: + - name: Office DDF + href: office-ddf.md + - name: PassportForWork CSP + href: passportforwork-csp.md + items: + - name: PassportForWork DDF file + href: passportforwork-ddf.md + - name: Personalization CSP + href: personalization-csp.md + items: + - name: Personalization DDF file + href: personalization-ddf.md + - name: Policy CSP + href: policy-configuration-service-provider.md + items: + - name: Policy CSP DDF file + href: policy-ddf-file.md + - name: Policies in Policy CSP supported by Group Policy + href: policies-in-policy-csp-supported-by-group-policy.md + - name: ADMX policies in Policy CSP + href: policies-in-policy-csp-admx-backed.md + - name: Policies in Policy CSP supported by HoloLens 2 + href: policies-in-policy-csp-supported-by-hololens2.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite + href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition + href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md + - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise + href: ./configuration-service-provider-reference.md + - name: Policies in Policy CSP supported by Windows 10 IoT Core + href: policies-in-policy-csp-supported-by-iot-core.md + - name: Policies in Policy CSP supported by Microsoft Surface Hub + href: policies-in-policy-csp-supported-by-surface-hub.md + - name: Policy CSPs that can be set using Exchange Active Sync (EAS) + href: policies-in-policy-csp-that-can-be-set-using-eas.md + - name: AboveLock + href: policy-csp-abovelock.md + - name: Accounts + href: policy-csp-accounts.md + - name: ActiveXControls + href: policy-csp-activexcontrols.md + - name: ADMX_ActiveXInstallService + href: policy-csp-admx-activexinstallservice.md + - name: ADMX_AddRemovePrograms + href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md + - name: ADMX_AppCompat + href: policy-csp-admx-appcompat.md + - name: ADMX_AppxPackageManager + href: policy-csp-admx-appxpackagemanager.md + - name: ADMX_AppXRuntime + href: policy-csp-admx-appxruntime.md + - name: ADMX_AttachmentManager + href: policy-csp-admx-attachmentmanager.md + - name: ADMX_AuditSettings + href: policy-csp-admx-auditsettings.md + - name: ADMX_Bits + href: policy-csp-admx-bits.md + - name: ADMX_CipherSuiteOrder + href: policy-csp-admx-ciphersuiteorder.md + - name: ADMX_COM + href: policy-csp-admx-com.md + - name: ADMX_ControlPanel + href: policy-csp-admx-controlpanel.md + - name: ADMX_ControlPanelDisplay + href: policy-csp-admx-controlpaneldisplay.md + - name: ADMX_Cpls + href: policy-csp-admx-cpls.md + - name: ADMX_CredentialProviders + href: policy-csp-admx-credentialproviders.md + - name: ADMX_CredSsp + href: policy-csp-admx-credssp.md + - name: ADMX_CredUI + href: policy-csp-admx-credui.md + - name: ADMX_CtrlAltDel + href: policy-csp-admx-ctrlaltdel.md + - name: ADMX_DataCollection + href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md + - name: ADMX_Desktop + href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md + - name: ADMX_DeviceInstallation + href: policy-csp-admx-deviceinstallation.md + - name: ADMX_DeviceSetup + href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md + - name: ADMX_DigitalLocker + href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DistributedLinkTracking + href: policy-csp-admx-distributedlinktracking.md + - name: ADMX_DnsClient + href: policy-csp-admx-dnsclient.md + - name: ADMX_DWM + href: policy-csp-admx-dwm.md + - name: ADMX_EAIME + href: policy-csp-admx-eaime.md + - name: ADMX_EncryptFilesonMove + href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md + - name: ADMX_EnhancedStorage + href: policy-csp-admx-enhancedstorage.md + - name: ADMX_ErrorReporting + href: policy-csp-admx-errorreporting.md + - name: ADMX_EventForwarding + href: policy-csp-admx-eventforwarding.md + - name: ADMX_EventLog + href: policy-csp-admx-eventlog.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md + - name: ADMX_Explorer + href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md + - name: ADMX_FileRecovery + href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md + - name: ADMX_FileServerVSSProvider + href: policy-csp-admx-fileservervssprovider.md + - name: ADMX_FileSys + href: policy-csp-admx-filesys.md + - name: ADMX_FolderRedirection + href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md + - name: ADMX_Globalization + href: policy-csp-admx-globalization.md + - name: ADMX_GroupPolicy + href: policy-csp-admx-grouppolicy.md + - name: ADMX_Help + href: policy-csp-admx-help.md + - name: ADMX_HelpAndSupport + href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md + - name: ADMX_ICM + href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md + - name: ADMX_kdc + href: policy-csp-admx-kdc.md + - name: ADMX_Kerberos + href: policy-csp-admx-kerberos.md + - name: ADMX_LanmanServer + href: policy-csp-admx-lanmanserver.md + - name: ADMX_LanmanWorkstation + href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md + - name: ADMX_LinkLayerTopologyDiscovery + href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md + - name: ADMX_Logon + href: policy-csp-admx-logon.md + - name: ADMX_MicrosoftDefenderAntivirus + href: policy-csp-admx-microsoftdefenderantivirus.md + - name: ADMX_MMC + href: policy-csp-admx-mmc.md + - name: ADMX_MMCSnapins + href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md + - name: ADMX_MSAPolicy + href: policy-csp-admx-msapolicy.md + - name: ADMX_msched + href: policy-csp-admx-msched.md + - name: ADMX_MSDT + href: policy-csp-admx-msdt.md + - name: ADMX_MSI + href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md + - name: ADMX_nca + href: policy-csp-admx-nca.md + - name: ADMX_NCSI + href: policy-csp-admx-ncsi.md + - name: ADMX_Netlogon + href: policy-csp-admx-netlogon.md + - name: ADMX_NetworkConnections + href: policy-csp-admx-networkconnections.md + - name: ADMX_OfflineFiles + href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md + - name: ADMX_PeerToPeerCaching + href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md + - name: ADMX_PerformanceDiagnostics + href: policy-csp-admx-performancediagnostics.md + - name: ADMX_Power + href: policy-csp-admx-power.md + - name: ADMX_PowerShellExecutionPolicy + href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md + - name: ADMX_Printing + href: policy-csp-admx-printing.md + - name: ADMX_Printing2 + href: policy-csp-admx-printing2.md + - name: ADMX_Programs + href: policy-csp-admx-programs.md + - name: ADMX_Reliability + href: policy-csp-admx-reliability.md + - name: ADMX_RemoteAssistance + href: policy-csp-admx-remoteassistance.md + - name: ADMX_RemovableStorage + href: policy-csp-admx-removablestorage.md + - name: ADMX_RPC + href: policy-csp-admx-rpc.md + - name: ADMX_Scripts + href: policy-csp-admx-scripts.md + - name: ADMX_sdiageng + href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md + - name: ADMX_Securitycenter + href: policy-csp-admx-securitycenter.md + - name: ADMX_Sensors + href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md + - name: ADMX_Servicing + href: policy-csp-admx-servicing.md + - name: ADMX_SettingSync + href: policy-csp-admx-settingsync.md + - name: ADMX_SharedFolders + href: policy-csp-admx-sharedfolders.md + - name: ADMX_Sharing + href: policy-csp-admx-sharing.md + - name: ADMX_ShellCommandPromptRegEditTools + href: policy-csp-admx-shellcommandpromptregedittools.md + - name: ADMX_Smartcard + href: policy-csp-admx-smartcard.md + - name: ADMX_Snmp + href: policy-csp-admx-snmp.md + - name: ADMX_StartMenu + href: policy-csp-admx-startmenu.md + - name: ADMX_SystemRestore + href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md + - name: ADMX_Taskbar + href: policy-csp-admx-taskbar.md + - name: ADMX_tcpip + href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md + - name: ADMX_Thumbnails + href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md + - name: ADMX_TPM + href: policy-csp-admx-tpm.md + - name: ADMX_UserExperienceVirtualization + href: policy-csp-admx-userexperiencevirtualization.md + - name: ADMX_UserProfiles + href: policy-csp-admx-userprofiles.md + - name: ADMX_W32Time + href: policy-csp-admx-w32time.md + - name: ADMX_WCM + href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md + - name: ADMX_WinCal + href: policy-csp-admx-wincal.md + - name: ADMX_WindowsConnectNow + href: policy-csp-admx-windowsconnectnow.md + - name: ADMX_WindowsExplorer + href: policy-csp-admx-windowsexplorer.md + - name: ADMX_WindowsMediaDRM + href: policy-csp-admx-windowsmediadrm.md + - name: ADMX_WindowsMediaPlayer + href: policy-csp-admx-windowsmediaplayer.md + - name: ADMX_WindowsRemoteManagement + href: policy-csp-admx-windowsremotemanagement.md + - name: ADMX_WindowsStore + href: policy-csp-admx-windowsstore.md + - name: ADMX_WinInit + href: policy-csp-admx-wininit.md + - name: ADMX_WinLogon + href: policy-csp-admx-winlogon.md + - name: ADMX-Winsrv + href: policy-csp-admx-winsrv.md + - name: ADMX_wlansvc + href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md + - name: ADMX_WPN + href: policy-csp-admx-wpn.md + - name: ApplicationDefaults + href: policy-csp-applicationdefaults.md + - name: ApplicationManagement + href: policy-csp-applicationmanagement.md + - name: AppRuntime + href: policy-csp-appruntime.md + - name: AppVirtualization + href: policy-csp-appvirtualization.md + - name: AttachmentManager + href: policy-csp-attachmentmanager.md + - name: Audit + href: policy-csp-audit.md + - name: Authentication + href: policy-csp-authentication.md + - name: Autoplay + href: policy-csp-autoplay.md + - name: BitLocker + href: policy-csp-bitlocker.md + - name: BITS + href: policy-csp-bits.md + - name: Bluetooth + href: policy-csp-bluetooth.md + - name: Browser + href: policy-csp-browser.md + - name: Camera + href: policy-csp-camera.md + - name: Cellular + href: policy-csp-cellular.md + - name: Connectivity + href: policy-csp-connectivity.md + - name: ControlPolicyConflict + href: policy-csp-controlpolicyconflict.md + - name: CredentialsDelegation + href: policy-csp-credentialsdelegation.md + - name: CredentialProviders + href: policy-csp-credentialproviders.md + - name: CredentialsUI + href: policy-csp-credentialsui.md + - name: Cryptography + href: policy-csp-cryptography.md + - name: DataProtection + href: policy-csp-dataprotection.md + - name: DataUsage + href: policy-csp-datausage.md + - name: Defender + href: policy-csp-defender.md + - name: DeliveryOptimization + href: policy-csp-deliveryoptimization.md + - name: Desktop + href: policy-csp-desktop.md + - name: DeviceGuard + href: policy-csp-deviceguard.md + - name: DeviceHealthMonitoring + href: policy-csp-devicehealthmonitoring.md + - name: DeviceInstallation + href: policy-csp-deviceinstallation.md + - name: DeviceLock + href: policy-csp-devicelock.md + - name: Display + href: policy-csp-display.md + - name: DmaGuard + href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md + - name: Education + href: policy-csp-education.md + - name: EnterpriseCloudPrint + href: policy-csp-enterprisecloudprint.md + - name: ErrorReporting + href: policy-csp-errorreporting.md + - name: EventLogService + href: policy-csp-eventlogservice.md + - name: Experience + href: policy-csp-experience.md + - name: ExploitGuard + href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md + - name: FileExplorer + href: policy-csp-fileexplorer.md + - name: Games + href: policy-csp-games.md + - name: Handwriting + href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md + - name: InternetExplorer + href: policy-csp-internetexplorer.md + - name: Kerberos + href: policy-csp-kerberos.md + - name: KioskBrowser + href: policy-csp-kioskbrowser.md + - name: LanmanWorkstation + href: policy-csp-lanmanworkstation.md + - name: Licensing + href: policy-csp-licensing.md + - name: LocalPoliciesSecurityOptions + href: policy-csp-localpoliciessecurityoptions.md + - name: LocalUsersAndGroups + href: policy-csp-localusersandgroups.md + - name: LockDown + href: policy-csp-lockdown.md + - name: Maps + href: policy-csp-maps.md + - name: MemoryDump + href: policy-csp-memorydump.md + - name: Messaging + href: policy-csp-messaging.md + - name: MixedReality + href: policy-csp-mixedreality.md + - name: MSSecurityGuide + href: policy-csp-mssecurityguide.md + - name: MSSLegacy + href: policy-csp-msslegacy.md + - name: Multitasking + href: policy-csp-multitasking.md + - name: NetworkIsolation + href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md + - name: NewsAndInterests + href: policy-csp-newsandinterests.md + - name: Notifications + href: policy-csp-notifications.md + - name: Power + href: policy-csp-power.md + - name: Printers + href: policy-csp-printers.md + - name: Privacy + href: policy-csp-privacy.md + - name: RemoteAssistance + href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md + - name: RemoteDesktopServices + href: policy-csp-remotedesktopservices.md + - name: RemoteManagement + href: policy-csp-remotemanagement.md + - name: RemoteProcedureCall + href: policy-csp-remoteprocedurecall.md + - name: RemoteShell + href: policy-csp-remoteshell.md + - name: RestrictedGroups + href: policy-csp-restrictedgroups.md + - name: Search + href: policy-csp-search.md + - name: Security + href: policy-csp-security.md + - name: ServiceControlManager + href: policy-csp-servicecontrolmanager.md + - name: Settings + href: policy-csp-settings.md + - name: Speech + href: policy-csp-speech.md + - name: Start + href: policy-csp-start.md + - name: Storage + href: policy-csp-storage.md + - name: System + href: policy-csp-system.md + - name: SystemServices + href: policy-csp-systemservices.md + - name: TaskManager + href: policy-csp-taskmanager.md + - name: TaskScheduler + href: policy-csp-taskscheduler.md + - name: TextInput + href: policy-csp-textinput.md + - name: TimeLanguageSettings + href: policy-csp-timelanguagesettings.md + - name: Troubleshooting + href: policy-csp-troubleshooting.md + - name: Update + href: policy-csp-update.md + - name: UserRights + href: policy-csp-userrights.md + - name: VirtualizationBasedTechnology + href: policy-csp-virtualizationbasedtechnology.md + - name: Wifi + href: policy-csp-wifi.md + - name: WindowsAutoPilot + href: policy-csp-windowsautopilot.md + - name: WindowsConnectionManager + href: policy-csp-windowsconnectionmanager.md + - name: WindowsDefenderSecurityCenter + href: policy-csp-windowsdefendersecuritycenter.md + - name: WindowsDefenderSmartScreen + href: policy-csp-smartscreen.md + - name: WindowsInkWorkspace + href: policy-csp-windowsinkworkspace.md + - name: WindowsLogon + href: policy-csp-windowslogon.md + - name: WindowsPowerShell + href: policy-csp-windowspowershell.md + - name: WindowsSandbox + href: policy-csp-windowssandbox.md + - name: WirelessDisplay + href: policy-csp-wirelessdisplay.md + - name: Provisioning CSP + href: provisioning-csp.md + - name: PXLOGICAL CSP + href: pxlogical-csp.md + - name: Reboot CSP + href: reboot-csp.md + items: + - name: Reboot DDF file + href: reboot-ddf-file.md + - name: RemoteFind CSP + href: remotefind-csp.md + items: + - name: RemoteFind DDF file + href: remotefind-ddf-file.md + - name: RemoteWipe CSP + href: remotewipe-csp.md + items: + - name: RemoteWipe DDF file + href: remotewipe-ddf-file.md + - name: Reporting CSP + href: reporting-csp.md + items: + - name: Reporting DDF file + href: reporting-ddf-file.md + - name: RootCATrustedCertificates CSP + href: rootcacertificates-csp.md + items: + - name: RootCATrustedCertificates DDF file + href: rootcacertificates-ddf-file.md + - name: SecureAssessment CSP + href: secureassessment-csp.md + items: + - name: SecureAssessment DDF file + href: secureassessment-ddf-file.md + - name: SecurityPolicy CSP + href: securitypolicy-csp.md + - name: SharedPC CSP + href: sharedpc-csp.md + items: + - name: SharedPC DDF file + href: sharedpc-ddf-file.md + - name: Storage CSP + href: storage-csp.md + items: + - name: Storage DDF file + href: storage-ddf-file.md + - name: SUPL CSP + href: supl-csp.md + items: + - name: SUPL DDF file + href: supl-ddf-file.md + - name: SurfaceHub CSP + href: surfacehub-csp.md + items: + - name: SurfaceHub DDF file + href: surfacehub-ddf-file.md + - name: TenantLockdown CSP + href: tenantlockdown-csp.md + items: + - name: TenantLockdown DDF file + href: tenantlockdown-ddf.md + - name: TPMPolicy CSP + href: tpmpolicy-csp.md + items: + - name: TPMPolicy DDF file + href: tpmpolicy-ddf-file.md + - name: UEFI CSP + href: uefi-csp.md + items: + - name: UEFI DDF file + href: uefi-ddf.md + - name: UnifiedWriteFilter CSP + href: unifiedwritefilter-csp.md + items: + - name: UnifiedWriteFilter DDF file + href: unifiedwritefilter-ddf.md + - name: UniversalPrint CSP + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md + - name: Update CSP + href: update-csp.md + items: + - name: Update DDF file + href: update-ddf-file.md + - name: VPN CSP + href: vpn-csp.md + items: + - name: VPN DDF file + href: vpn-ddf-file.md + - name: VPNv2 CSP + href: vpnv2-csp.md + items: + - name: VPNv2 DDF file + href: vpnv2-ddf-file.md + - name: ProfileXML XSD + href: vpnv2-profile-xsd.md + - name: EAP configuration + href: eap-configuration.md + - name: w4 APPLICATION CSP + href: w4-application-csp.md + - name: w7 APPLICATION CSP + href: w7-application-csp.md + - name: WiFi CSP + href: wifi-csp.md + items: + - name: WiFi DDF file + href: wifi-ddf-file.md + - name: Win32AppInventory CSP + href: win32appinventory-csp.md + items: + - name: Win32AppInventory DDF file + href: win32appinventory-ddf-file.md + - name: Win32CompatibilityAppraiser CSP + href: win32compatibilityappraiser-csp.md + items: + - name: Win32CompatibilityAppraiser DDF file + href: win32compatibilityappraiser-ddf.md + - name: WindowsAdvancedThreatProtection CSP + href: windowsadvancedthreatprotection-csp.md + items: + - name: WindowsAdvancedThreatProtection DDF file + href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutopilot CSP + href: windowsautopilot-csp.md + items: + - name: WindowsAutopilot DDF file + href: windowsautopilot-ddf-file.md + - name: WindowsDefenderApplicationGuard CSP + href: windowsdefenderapplicationguard-csp.md + items: + - name: WindowsDefenderApplicationGuard DDF file + href: windowsdefenderapplicationguard-ddf-file.md + - name: WindowsLicensing CSP + href: windowslicensing-csp.md + items: + - name: WindowsLicensing DDF file + href: windowslicensing-ddf-file.md + - name: WiredNetwork CSP + href: wirednetwork-csp.md + items: + - name: WiredNetwork DDF file + href: wirednetwork-ddf-file.md From da89e80564ee9204a356bc51aa94e3ce2019fa44 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 3 Aug 2022 14:54:51 -0400 Subject: [PATCH 27/77] More changes --- windows/client-management/mdm/toc.yml | 1926 ++++++++++++------------- 1 file changed, 963 insertions(+), 963 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 2b93a887bd..e77a877869 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -1,975 +1,975 @@ items: - name: Mobile Device Management href: index.md +- name: What's new in MDM enrollment and management + href: new-in-windows-mdm-enrollment-management.md items: - - name: What's new in MDM enrollment and management - href: new-in-windows-mdm-enrollment-management.md - name: Change history for MDM documentation href: change-history-for-mdm-documentation.md - - name: Device enrollment - href: mobile-device-enrollment.md +- name: Device enrollment + href: mobile-device-enrollment.md + items: + - name: MDM enrollment of Windows devices + href: mdm-enrollment-of-windows-devices.md + - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment" + href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md + - name: Enroll a Windows 10 device automatically using Group Policy + href: enroll-a-windows-10-device-automatically-using-group-policy.md + - name: Bulk enrollment + href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Federated authentication device enrollment + href: federated-authentication-device-enrollment.md + - name: Certificate authentication device enrollment + href: certificate-authentication-device-enrollment.md + - name: On-premises authentication device enrollment + href: on-premise-authentication-device-enrollment.md + - name: Disconnecting a device from MDM (unenrollment) + href: disconnecting-from-mdm-unenrollment.md +- name: Understanding ADMX policies + href: understanding-admx-backed-policies.md + items: + - name: Enable ADMX policies in MDM + href: enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: win32-and-centennial-app-policy-configuration.md +- name: Azure Active Directory integration with MDM + href: azure-active-directory-integration-with-mdm.md + items: + - name: Add an Azure AD tenant and Azure AD subscription + href: add-an-azure-ad-tenant-and-azure-ad-subscription.md + - name: Register your free Azure Active Directory subscription + href: register-your-free-azure-active-directory-subscription.md +- name: Enterprise settings, policies, and app management + href: windows-mdm-enterprise-settings.md + items: + - name: Enterprise app management + href: enterprise-app-management.md items: - - name: MDM enrollment of Windows devices - href: mdm-enrollment-of-windows-devices.md - - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal" - href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - - name: Enroll a Windows 10 device automatically using Group Policy - href: enroll-a-windows-10-device-automatically-using-group-policy.md - - name: Federated authentication device enrollment - href: federated-authentication-device-enrollment.md - - name: Certificate authentication device enrollment - href: certificate-authentication-device-enrollment.md - - name: On-premises authentication device enrollment - href: on-premise-authentication-device-enrollment.md - - name: Bulk enrollment - href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Disconnecting from the management infrastructure (unenrollment) - href: disconnecting-from-mdm-unenrollment.md - - name: Understanding ADMX policies - href: understanding-admx-backed-policies.md + - name: Deploy and configure App-V apps using MDM + href: appv-deploy-and-config.md + - name: Management tool for the Microsoft Store for Business + href: management-tool-for-windows-store-for-business.md + - name: REST API reference for Microsoft Store for Business + href: rest-api-reference-windows-store-for-business.md + items: + - name: Data structures for Microsoft Store for Business + href: data-structures-windows-store-for-business.md + - name: Get Inventory + href: get-inventory.md + - name: Get product details + href: get-product-details.md + - name: Get localized product details + href: get-localized-product-details.md + - name: Get offline license + href: get-offline-license.md + - name: Get product packages + href: get-product-packages.md + - name: Get product package + href: get-product-package.md + - name: Get seats + href: get-seats.md + - name: Get seat + href: get-seat.md + - name: Assign seats + href: assign-seats.md + - name: Reclaim seat from user + href: reclaim-seat-from-user.md + - name: Bulk assign and reclaim seats from users + href: bulk-assign-and-reclaim-seats-from-user.md + - name: Get seats assigned to a user + href: get-seats-assigned-to-a-user.md + - name: Mobile device management (MDM) for device updates + href: device-update-management.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md + - name: Certificate renewal + href: certificate-renewal-windows-mdm.md +- name: Using PowerShell scripting with the WMI Bridge Provider + href: using-powershell-scripting-with-the-wmi-bridge-provider.md +- name: WMI providers supported in Windows 10 + href: wmi-providers-supported-in-windows.md +- name: Diagnose MDM failures in Windows 10 + href: diagnose-mdm-failures-in-windows-10.md +- name: Push notification support for device management + href: push-notification-windows-mdm.md +- name: MAM support for device management + href: implement-server-side-mobile-application-management.md +- name: OMA DM protocol support + href: oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: server-requirements-windows-mdm.md + - name: DMProcessConfigXMLFiltered + href: dmprocessconfigxmlfiltered.md +- name: Configuration service provider reference + href: configuration-service-provider-reference.md + items: + - name: AccountManagement CSP + href: accountmanagement-csp.md items: - - name: Enable ADMX policies in MDM - href: enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: win32-and-centennial-app-policy-configuration.md - - name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md + - name: AccountManagement DDF file + href: accountmanagement-ddf.md + - name: Accounts CSP + href: accounts-csp.md items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md - - name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md + - name: Accounts DDF file + href: accounts-ddf-file.md + - name: ActiveSync CSP + href: activesync-csp.md items: - - name: Enterprise app management - href: enterprise-app-management.md - items: - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Management tool for the Microsoft Store for Business - href: management-tool-for-windows-store-for-business.md - - name: REST API reference for Microsoft Store for Business - href: rest-api-reference-windows-store-for-business.md - items: - - name: Data structures for Microsoft Store for Business - href: data-structures-windows-store-for-business.md - - name: Get Inventory - href: get-inventory.md - - name: Get product details - href: get-product-details.md - - name: Get localized product details - href: get-localized-product-details.md - - name: Get offline license - href: get-offline-license.md - - name: Get product packages - href: get-product-packages.md - - name: Get product package - href: get-product-package.md - - name: Get seats - href: get-seats.md - - name: Get seat - href: get-seat.md - - name: Assign seats - href: assign-seats.md - - name: Reclaim seat from user - href: reclaim-seat-from-user.md - - name: Bulk assign and reclaim seats from users - href: bulk-assign-and-reclaim-seats-from-user.md - - name: Get seats assigned to a user - href: get-seats-assigned-to-a-user.md - - name: Mobile device management (MDM) for device updates - href: device-update-management.md - - name: Secured-Core PC Configuration Lock - href: config-lock.md - - name: Certificate renewal - href: certificate-renewal-windows-mdm.md - - name: Using PowerShell scripting with the WMI Bridge Provider - href: using-powershell-scripting-with-the-wmi-bridge-provider.md - - name: WMI providers supported in Windows 10 - href: wmi-providers-supported-in-windows.md - - name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md - - name: Push notification support for device management - href: push-notification-windows-mdm.md - - name: MAM support for device management - href: implement-server-side-mobile-application-management.md - - name: OMA DM protocol support - href: oma-dm-protocol-support.md + - name: ActiveSync DDF file + href: activesync-ddf-file.md + - name: AllJoynManagement CSP + href: alljoynmanagement-csp.md items: - - name: Structure of OMA DM provisioning files - href: structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: server-requirements-windows-mdm.md - - name: DMProcessConfigXMLFiltered - href: dmprocessconfigxmlfiltered.md - - name: Configuration service provider reference - href: configuration-service-provider-reference.md + - name: AllJoynManagement DDF + href: alljoynmanagement-ddf.md + - name: APPLICATION CSP + href: application-csp.md + - name: ApplicationControl CSP + href: applicationcontrol-csp.md items: - - name: AccountManagement CSP - href: accountmanagement-csp.md - items: - - name: AccountManagement DDF file - href: accountmanagement-ddf.md - - name: Accounts CSP - href: accounts-csp.md - items: - - name: Accounts DDF file - href: accounts-ddf-file.md - - name: ActiveSync CSP - href: activesync-csp.md - items: - - name: ActiveSync DDF file - href: activesync-ddf-file.md - - name: AllJoynManagement CSP - href: alljoynmanagement-csp.md - items: - - name: AllJoynManagement DDF - href: alljoynmanagement-ddf.md - - name: APPLICATION CSP - href: application-csp.md - - name: ApplicationControl CSP - href: applicationcontrol-csp.md - items: - - name: ApplicationControl DDF file - href: applicationcontrol-csp-ddf.md - - name: AppLocker CSP - href: applocker-csp.md - items: - - name: AppLocker DDF file - href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - - name: AssignedAccess CSP - href: assignedaccess-csp.md - items: - - name: AssignedAccess DDF file - href: assignedaccess-ddf.md - - name: BitLocker CSP - href: bitlocker-csp.md - items: - - name: BitLocker DDF file - href: bitlocker-ddf-file.md - - name: CellularSettings CSP - href: cellularsettings-csp.md - - name: CertificateStore CSP - href: certificatestore-csp.md - items: - - name: CertificateStore DDF file - href: certificatestore-ddf-file.md - - name: CleanPC CSP - href: cleanpc-csp.md - items: - - name: CleanPC DDF - href: cleanpc-ddf.md - - name: ClientCertificateInstall CSP - href: clientcertificateinstall-csp.md - items: - - name: ClientCertificateInstall DDF file - href: clientcertificateinstall-ddf-file.md - - name: CM_CellularEntries CSP - href: cm-cellularentries-csp.md - - name: CMPolicy CSP - href: cmpolicy-csp.md - - name: CMPolicyEnterprise CSP - href: cmpolicyenterprise-csp.md - items: - - name: CMPolicyEnterprise DDF file - href: cmpolicyenterprise-ddf-file.md - - name: CustomDeviceUI CSP - href: customdeviceui-csp.md - items: - - name: CustomDeviceUI DDF file - href: customdeviceui-ddf.md - - name: Defender CSP - href: defender-csp.md - items: - - name: Defender DDF file - href: defender-ddf.md - - name: DevDetail CSP - href: devdetail-csp.md - items: - - name: DevDetail DDF file - href: devdetail-ddf-file.md - - name: DeveloperSetup CSP - href: developersetup-csp.md - items: - - name: DeveloperSetup DDF - href: developersetup-ddf.md - - name: DeviceLock CSP - href: devicelock-csp.md - items: - - name: DeviceLock DDF file - href: devicelock-ddf-file.md - - name: DeviceManageability CSP - href: devicemanageability-csp.md - items: - - name: DeviceManageability DDF - href: devicemanageability-ddf.md - - name: DeviceStatus CSP - href: devicestatus-csp.md - items: - - name: DeviceStatus DDF - href: devicestatus-ddf.md - - name: DevInfo CSP - href: devinfo-csp.md - items: - - name: DevInfo DDF file - href: devinfo-ddf-file.md - - name: DiagnosticLog CSP - href: diagnosticlog-csp.md - items: - - name: DiagnosticLog DDF file - href: diagnosticlog-ddf.md - - name: DMAcc CSP - href: dmacc-csp.md - items: - - name: DMAcc DDF file - href: dmacc-ddf-file.md - - name: DMClient CSP - href: dmclient-csp.md - items: - - name: DMClient DDF file - href: dmclient-ddf-file.md - - name: DMSessionActions CSP - href: dmsessionactions-csp.md - items: - - name: DMSessionActions DDF file - href: dmsessionactions-ddf.md - - name: DynamicManagement CSP - href: dynamicmanagement-csp.md - items: - - name: DynamicManagement DDF file - href: dynamicmanagement-ddf.md - - name: EMAIL2 CSP - href: email2-csp.md - items: - - name: EMAIL2 DDF file - href: email2-ddf-file.md - - name: EnrollmentStatusTracking CSP - href: enrollmentstatustracking-csp.md - items: - - name: EnrollmentStatusTracking DDF file - href: enrollmentstatustracking-csp-ddf.md - - name: EnterpriseAPN CSP - href: enterpriseapn-csp.md - items: - - name: EnterpriseAPN DDF - href: enterpriseapn-ddf.md - - name: EnterpriseAppVManagement CSP - href: enterpriseappvmanagement-csp.md - items: - - name: EnterpriseAppVManagement DDF file - href: enterpriseappvmanagement-ddf.md - - name: EnterpriseDataProtection CSP - href: enterprisedataprotection-csp.md - items: - - name: EnterpriseDataProtection DDF file - href: enterprisedataprotection-ddf-file.md - - name: EnterpriseDesktopAppManagement CSP - href: enterprisedesktopappmanagement-csp.md - items: - - name: EnterpriseDesktopAppManagement DDF - href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - - name: EnterpriseModernAppManagement CSP - href: enterprisemodernappmanagement-csp.md - items: - - name: EnterpriseModernAppManagement DDF - href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - - name: eUICCs CSP - href: euiccs-csp.md - items: - - name: eUICCs DDF file - href: euiccs-ddf-file.md - - name: Firewall CSP - href: firewall-csp.md - items: - - name: Firewall DDF file - href: firewall-ddf-file.md - - name: HealthAttestation CSP - href: healthattestation-csp.md - items: - - name: HealthAttestation DDF - href: healthattestation-ddf.md - - name: MultiSIM CSP - href: multisim-csp.md - items: - - name: MultiSIM DDF file - href: multisim-ddf.md - - name: NAP CSP - href: nap-csp.md - - name: NAPDEF CSP - href: napdef-csp.md - - name: NetworkProxy CSP - href: networkproxy-csp.md - items: - - name: NetworkProxy DDF file - href: networkproxy-ddf.md - - name: NetworkQoSPolicy CSP - href: networkqospolicy-csp.md - items: - - name: NetworkQoSPolicy DDF file - href: networkqospolicy-ddf.md - - name: NodeCache CSP - href: nodecache-csp.md - items: - - name: NodeCache DDF file - href: nodecache-ddf-file.md - - name: Office CSP - href: office-csp.md - items: - - name: Office DDF - href: office-ddf.md - - name: PassportForWork CSP - href: passportforwork-csp.md - items: - - name: PassportForWork DDF file - href: passportforwork-ddf.md - - name: Personalization CSP - href: personalization-csp.md - items: - - name: Personalization DDF file - href: personalization-ddf.md - - name: Policy CSP - href: policy-configuration-service-provider.md - items: - - name: Policy CSP DDF file - href: policy-ddf-file.md - - name: Policies in Policy CSP supported by Group Policy - href: policies-in-policy-csp-supported-by-group-policy.md - - name: ADMX policies in Policy CSP - href: policies-in-policy-csp-admx-backed.md - - name: Policies in Policy CSP supported by HoloLens 2 - href: policies-in-policy-csp-supported-by-hololens2.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite - href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition - href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md - - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise - href: ./configuration-service-provider-reference.md - - name: Policies in Policy CSP supported by Windows 10 IoT Core - href: policies-in-policy-csp-supported-by-iot-core.md - - name: Policies in Policy CSP supported by Microsoft Surface Hub - href: policies-in-policy-csp-supported-by-surface-hub.md - - name: Policy CSPs that can be set using Exchange Active Sync (EAS) - href: policies-in-policy-csp-that-can-be-set-using-eas.md - - name: AboveLock - href: policy-csp-abovelock.md - - name: Accounts - href: policy-csp-accounts.md - - name: ActiveXControls - href: policy-csp-activexcontrols.md - - name: ADMX_ActiveXInstallService - href: policy-csp-admx-activexinstallservice.md - - name: ADMX_AddRemovePrograms - href: policy-csp-admx-addremoveprograms.md - - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md - - name: ADMX_AppCompat - href: policy-csp-admx-appcompat.md - - name: ADMX_AppxPackageManager - href: policy-csp-admx-appxpackagemanager.md - - name: ADMX_AppXRuntime - href: policy-csp-admx-appxruntime.md - - name: ADMX_AttachmentManager - href: policy-csp-admx-attachmentmanager.md - - name: ADMX_AuditSettings - href: policy-csp-admx-auditsettings.md - - name: ADMX_Bits - href: policy-csp-admx-bits.md - - name: ADMX_CipherSuiteOrder - href: policy-csp-admx-ciphersuiteorder.md - - name: ADMX_COM - href: policy-csp-admx-com.md - - name: ADMX_ControlPanel - href: policy-csp-admx-controlpanel.md - - name: ADMX_ControlPanelDisplay - href: policy-csp-admx-controlpaneldisplay.md - - name: ADMX_Cpls - href: policy-csp-admx-cpls.md - - name: ADMX_CredentialProviders - href: policy-csp-admx-credentialproviders.md - - name: ADMX_CredSsp - href: policy-csp-admx-credssp.md - - name: ADMX_CredUI - href: policy-csp-admx-credui.md - - name: ADMX_CtrlAltDel - href: policy-csp-admx-ctrlaltdel.md - - name: ADMX_DataCollection - href: policy-csp-admx-datacollection.md - - name: ADMX_DCOM - href: policy-csp-admx-dcom.md - - name: ADMX_Desktop - href: policy-csp-admx-desktop.md - - name: ADMX_DeviceCompat - href: policy-csp-admx-devicecompat.md - - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md - - name: ADMX_DeviceInstallation - href: policy-csp-admx-deviceinstallation.md - - name: ADMX_DeviceSetup - href: policy-csp-admx-devicesetup.md - - name: ADMX_DFS - href: policy-csp-admx-dfs.md - - name: ADMX_DigitalLocker - href: policy-csp-admx-digitallocker.md - - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md - - name: ADMX_DistributedLinkTracking - href: policy-csp-admx-distributedlinktracking.md - - name: ADMX_DnsClient - href: policy-csp-admx-dnsclient.md - - name: ADMX_DWM - href: policy-csp-admx-dwm.md - - name: ADMX_EAIME - href: policy-csp-admx-eaime.md - - name: ADMX_EncryptFilesonMove - href: policy-csp-admx-encryptfilesonmove.md - - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md - - name: ADMX_EnhancedStorage - href: policy-csp-admx-enhancedstorage.md - - name: ADMX_ErrorReporting - href: policy-csp-admx-errorreporting.md - - name: ADMX_EventForwarding - href: policy-csp-admx-eventforwarding.md - - name: ADMX_EventLog - href: policy-csp-admx-eventlog.md - - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md - - name: ADMX_Explorer - href: policy-csp-admx-explorer.md - - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: ADMX_FileRecovery - href: policy-csp-admx-filerecovery.md - - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md - - name: ADMX_FileServerVSSProvider - href: policy-csp-admx-fileservervssprovider.md - - name: ADMX_FileSys - href: policy-csp-admx-filesys.md - - name: ADMX_FolderRedirection - href: policy-csp-admx-folderredirection.md - - name: ADMX_FramePanes - href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md - - name: ADMX_Globalization - href: policy-csp-admx-globalization.md - - name: ADMX_GroupPolicy - href: policy-csp-admx-grouppolicy.md - - name: ADMX_Help - href: policy-csp-admx-help.md - - name: ADMX_HelpAndSupport - href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth - href: policy-csp-admx-hotspotauth.md - - name: ADMX_ICM - href: policy-csp-admx-icm.md - - name: ADMX_IIS - href: policy-csp-admx-iis.md - - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md - - name: ADMX_kdc - href: policy-csp-admx-kdc.md - - name: ADMX_Kerberos - href: policy-csp-admx-kerberos.md - - name: ADMX_LanmanServer - href: policy-csp-admx-lanmanserver.md - - name: ADMX_LanmanWorkstation - href: policy-csp-admx-lanmanworkstation.md - - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md - - name: ADMX_LinkLayerTopologyDiscovery - href: policy-csp-admx-linklayertopologydiscovery.md - - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md - - name: ADMX_Logon - href: policy-csp-admx-logon.md - - name: ADMX_MicrosoftDefenderAntivirus - href: policy-csp-admx-microsoftdefenderantivirus.md - - name: ADMX_MMC - href: policy-csp-admx-mmc.md - - name: ADMX_MMCSnapins - href: policy-csp-admx-mmcsnapins.md - - name: ADMX_MobilePCMobilityCenter - href: policy-csp-admx-mobilepcmobilitycenter.md - - name: ADMX_MobilePCPresentationSettings - href: policy-csp-admx-mobilepcpresentationsettings.md - - name: ADMX_MSAPolicy - href: policy-csp-admx-msapolicy.md - - name: ADMX_msched - href: policy-csp-admx-msched.md - - name: ADMX_MSDT - href: policy-csp-admx-msdt.md - - name: ADMX_MSI - href: policy-csp-admx-msi.md - - name: ADMX_MsiFileRecovery - href: policy-csp-admx-msifilerecovery.md - - name: ADMX_nca - href: policy-csp-admx-nca.md - - name: ADMX_NCSI - href: policy-csp-admx-ncsi.md - - name: ADMX_Netlogon - href: policy-csp-admx-netlogon.md - - name: ADMX_NetworkConnections - href: policy-csp-admx-networkconnections.md - - name: ADMX_OfflineFiles - href: policy-csp-admx-offlinefiles.md - - name: ADMX_pca - href: policy-csp-admx-pca.md - - name: ADMX_PeerToPeerCaching - href: policy-csp-admx-peertopeercaching.md - - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md - - name: ADMX_PerformanceDiagnostics - href: policy-csp-admx-performancediagnostics.md - - name: ADMX_Power - href: policy-csp-admx-power.md - - name: ADMX_PowerShellExecutionPolicy - href: policy-csp-admx-powershellexecutionpolicy.md - - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md - - name: ADMX_Printing - href: policy-csp-admx-printing.md - - name: ADMX_Printing2 - href: policy-csp-admx-printing2.md - - name: ADMX_Programs - href: policy-csp-admx-programs.md - - name: ADMX_Reliability - href: policy-csp-admx-reliability.md - - name: ADMX_RemoteAssistance - href: policy-csp-admx-remoteassistance.md - - name: ADMX_RemovableStorage - href: policy-csp-admx-removablestorage.md - - name: ADMX_RPC - href: policy-csp-admx-rpc.md - - name: ADMX_Scripts - href: policy-csp-admx-scripts.md - - name: ADMX_sdiageng - href: policy-csp-admx-sdiageng.md - - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md - - name: ADMX_Securitycenter - href: policy-csp-admx-securitycenter.md - - name: ADMX_Sensors - href: policy-csp-admx-sensors.md - - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md - - name: ADMX_Servicing - href: policy-csp-admx-servicing.md - - name: ADMX_SettingSync - href: policy-csp-admx-settingsync.md - - name: ADMX_SharedFolders - href: policy-csp-admx-sharedfolders.md - - name: ADMX_Sharing - href: policy-csp-admx-sharing.md - - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_Smartcard - href: policy-csp-admx-smartcard.md - - name: ADMX_Snmp - href: policy-csp-admx-snmp.md - - name: ADMX_StartMenu - href: policy-csp-admx-startmenu.md - - name: ADMX_SystemRestore - href: policy-csp-admx-systemrestore.md - - name: ADMX_TabletShell - href: policy-csp-admx-tabletshell.md - - name: ADMX_Taskbar - href: policy-csp-admx-taskbar.md - - name: ADMX_tcpip - href: policy-csp-admx-tcpip.md - - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md - - name: ADMX_Thumbnails - href: policy-csp-admx-thumbnails.md - - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md - - name: ADMX_TPM - href: policy-csp-admx-tpm.md - - name: ADMX_UserExperienceVirtualization - href: policy-csp-admx-userexperiencevirtualization.md - - name: ADMX_UserProfiles - href: policy-csp-admx-userprofiles.md - - name: ADMX_W32Time - href: policy-csp-admx-w32time.md - - name: ADMX_WCM - href: policy-csp-admx-wcm.md - - name: ADMX_WDI - href: policy-csp-admx-wdi.md - - name: ADMX_WinCal - href: policy-csp-admx-wincal.md - - name: ADMX_WindowsConnectNow - href: policy-csp-admx-windowsconnectnow.md - - name: ADMX_WindowsExplorer - href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsMediaDRM - href: policy-csp-admx-windowsmediadrm.md - - name: ADMX_WindowsMediaPlayer - href: policy-csp-admx-windowsmediaplayer.md - - name: ADMX_WindowsRemoteManagement - href: policy-csp-admx-windowsremotemanagement.md - - name: ADMX_WindowsStore - href: policy-csp-admx-windowsstore.md - - name: ADMX_WinInit - href: policy-csp-admx-wininit.md - - name: ADMX_WinLogon - href: policy-csp-admx-winlogon.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - - name: ADMX_wlansvc - href: policy-csp-admx-wlansvc.md - - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md - - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md - - name: ADMX_WPN - href: policy-csp-admx-wpn.md - - name: ApplicationDefaults - href: policy-csp-applicationdefaults.md - - name: ApplicationManagement - href: policy-csp-applicationmanagement.md - - name: AppRuntime - href: policy-csp-appruntime.md - - name: AppVirtualization - href: policy-csp-appvirtualization.md - - name: AttachmentManager - href: policy-csp-attachmentmanager.md - - name: Audit - href: policy-csp-audit.md - - name: Authentication - href: policy-csp-authentication.md - - name: Autoplay - href: policy-csp-autoplay.md - - name: BitLocker - href: policy-csp-bitlocker.md - - name: BITS - href: policy-csp-bits.md - - name: Bluetooth - href: policy-csp-bluetooth.md - - name: Browser - href: policy-csp-browser.md - - name: Camera - href: policy-csp-camera.md - - name: Cellular - href: policy-csp-cellular.md - - name: Connectivity - href: policy-csp-connectivity.md - - name: ControlPolicyConflict - href: policy-csp-controlpolicyconflict.md - - name: CredentialsDelegation - href: policy-csp-credentialsdelegation.md - - name: CredentialProviders - href: policy-csp-credentialproviders.md - - name: CredentialsUI - href: policy-csp-credentialsui.md - - name: Cryptography - href: policy-csp-cryptography.md - - name: DataProtection - href: policy-csp-dataprotection.md - - name: DataUsage - href: policy-csp-datausage.md - - name: Defender - href: policy-csp-defender.md - - name: DeliveryOptimization - href: policy-csp-deliveryoptimization.md - - name: Desktop - href: policy-csp-desktop.md - - name: DeviceGuard - href: policy-csp-deviceguard.md - - name: DeviceHealthMonitoring - href: policy-csp-devicehealthmonitoring.md - - name: DeviceInstallation - href: policy-csp-deviceinstallation.md - - name: DeviceLock - href: policy-csp-devicelock.md - - name: Display - href: policy-csp-display.md - - name: DmaGuard - href: policy-csp-dmaguard.md - - name: EAP - href: policy-csp-eap.md - - name: Education - href: policy-csp-education.md - - name: EnterpriseCloudPrint - href: policy-csp-enterprisecloudprint.md - - name: ErrorReporting - href: policy-csp-errorreporting.md - - name: EventLogService - href: policy-csp-eventlogservice.md - - name: Experience - href: policy-csp-experience.md - - name: ExploitGuard - href: policy-csp-exploitguard.md - - name: Feeds - href: policy-csp-feeds.md - - name: FileExplorer - href: policy-csp-fileexplorer.md - - name: Games - href: policy-csp-games.md - - name: Handwriting - href: policy-csp-handwriting.md - - name: HumanPresence - href: policy-csp-humanpresence.md - - name: InternetExplorer - href: policy-csp-internetexplorer.md - - name: Kerberos - href: policy-csp-kerberos.md - - name: KioskBrowser - href: policy-csp-kioskbrowser.md - - name: LanmanWorkstation - href: policy-csp-lanmanworkstation.md - - name: Licensing - href: policy-csp-licensing.md - - name: LocalPoliciesSecurityOptions - href: policy-csp-localpoliciessecurityoptions.md - - name: LocalUsersAndGroups - href: policy-csp-localusersandgroups.md - - name: LockDown - href: policy-csp-lockdown.md - - name: Maps - href: policy-csp-maps.md - - name: MemoryDump - href: policy-csp-memorydump.md - - name: Messaging - href: policy-csp-messaging.md - - name: MixedReality - href: policy-csp-mixedreality.md - - name: MSSecurityGuide - href: policy-csp-mssecurityguide.md - - name: MSSLegacy - href: policy-csp-msslegacy.md - - name: Multitasking - href: policy-csp-multitasking.md - - name: NetworkIsolation - href: policy-csp-networkisolation.md - - name: NetworkListManager - href: policy-csp-networklistmanager.md - - name: NewsAndInterests - href: policy-csp-newsandinterests.md - - name: Notifications - href: policy-csp-notifications.md - - name: Power - href: policy-csp-power.md - - name: Printers - href: policy-csp-printers.md - - name: Privacy - href: policy-csp-privacy.md - - name: RemoteAssistance - href: policy-csp-remoteassistance.md - - name: RemoteDesktop - href: policy-csp-remotedesktop.md - - name: RemoteDesktopServices - href: policy-csp-remotedesktopservices.md - - name: RemoteManagement - href: policy-csp-remotemanagement.md - - name: RemoteProcedureCall - href: policy-csp-remoteprocedurecall.md - - name: RemoteShell - href: policy-csp-remoteshell.md - - name: RestrictedGroups - href: policy-csp-restrictedgroups.md - - name: Search - href: policy-csp-search.md - - name: Security - href: policy-csp-security.md - - name: ServiceControlManager - href: policy-csp-servicecontrolmanager.md - - name: Settings - href: policy-csp-settings.md - - name: Speech - href: policy-csp-speech.md - - name: Start - href: policy-csp-start.md - - name: Storage - href: policy-csp-storage.md - - name: System - href: policy-csp-system.md - - name: SystemServices - href: policy-csp-systemservices.md - - name: TaskManager - href: policy-csp-taskmanager.md - - name: TaskScheduler - href: policy-csp-taskscheduler.md - - name: TextInput - href: policy-csp-textinput.md - - name: TimeLanguageSettings - href: policy-csp-timelanguagesettings.md - - name: Troubleshooting - href: policy-csp-troubleshooting.md - - name: Update - href: policy-csp-update.md - - name: UserRights - href: policy-csp-userrights.md - - name: VirtualizationBasedTechnology - href: policy-csp-virtualizationbasedtechnology.md - - name: Wifi - href: policy-csp-wifi.md - - name: WindowsAutoPilot - href: policy-csp-windowsautopilot.md - - name: WindowsConnectionManager - href: policy-csp-windowsconnectionmanager.md - - name: WindowsDefenderSecurityCenter - href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - - name: WindowsInkWorkspace - href: policy-csp-windowsinkworkspace.md - - name: WindowsLogon - href: policy-csp-windowslogon.md - - name: WindowsPowerShell - href: policy-csp-windowspowershell.md - - name: WindowsSandbox - href: policy-csp-windowssandbox.md - - name: WirelessDisplay - href: policy-csp-wirelessdisplay.md - - name: Provisioning CSP - href: provisioning-csp.md - - name: PXLOGICAL CSP - href: pxlogical-csp.md - - name: Reboot CSP - href: reboot-csp.md - items: - - name: Reboot DDF file - href: reboot-ddf-file.md - - name: RemoteFind CSP - href: remotefind-csp.md - items: - - name: RemoteFind DDF file - href: remotefind-ddf-file.md - - name: RemoteWipe CSP - href: remotewipe-csp.md - items: - - name: RemoteWipe DDF file - href: remotewipe-ddf-file.md - - name: Reporting CSP - href: reporting-csp.md - items: - - name: Reporting DDF file - href: reporting-ddf-file.md - - name: RootCATrustedCertificates CSP - href: rootcacertificates-csp.md - items: - - name: RootCATrustedCertificates DDF file - href: rootcacertificates-ddf-file.md - - name: SecureAssessment CSP - href: secureassessment-csp.md - items: - - name: SecureAssessment DDF file - href: secureassessment-ddf-file.md - - name: SecurityPolicy CSP - href: securitypolicy-csp.md - - name: SharedPC CSP - href: sharedpc-csp.md - items: - - name: SharedPC DDF file - href: sharedpc-ddf-file.md - - name: Storage CSP - href: storage-csp.md - items: - - name: Storage DDF file - href: storage-ddf-file.md - - name: SUPL CSP - href: supl-csp.md - items: - - name: SUPL DDF file - href: supl-ddf-file.md - - name: SurfaceHub CSP - href: surfacehub-csp.md - items: - - name: SurfaceHub DDF file - href: surfacehub-ddf-file.md - - name: TenantLockdown CSP - href: tenantlockdown-csp.md - items: - - name: TenantLockdown DDF file - href: tenantlockdown-ddf.md - - name: TPMPolicy CSP - href: tpmpolicy-csp.md - items: - - name: TPMPolicy DDF file - href: tpmpolicy-ddf-file.md - - name: UEFI CSP - href: uefi-csp.md - items: - - name: UEFI DDF file - href: uefi-ddf.md - - name: UnifiedWriteFilter CSP - href: unifiedwritefilter-csp.md - items: - - name: UnifiedWriteFilter DDF file - href: unifiedwritefilter-ddf.md - - name: UniversalPrint CSP - href: universalprint-csp.md - items: - - name: UniversalPrint DDF file - href: universalprint-ddf-file.md - - name: Update CSP - href: update-csp.md - items: - - name: Update DDF file - href: update-ddf-file.md - - name: VPN CSP - href: vpn-csp.md - items: - - name: VPN DDF file - href: vpn-ddf-file.md - - name: VPNv2 CSP - href: vpnv2-csp.md - items: - - name: VPNv2 DDF file - href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - - name: EAP configuration - href: eap-configuration.md - - name: w4 APPLICATION CSP - href: w4-application-csp.md - - name: w7 APPLICATION CSP - href: w7-application-csp.md - - name: WiFi CSP - href: wifi-csp.md - items: - - name: WiFi DDF file - href: wifi-ddf-file.md - - name: Win32AppInventory CSP - href: win32appinventory-csp.md - items: - - name: Win32AppInventory DDF file - href: win32appinventory-ddf-file.md - - name: Win32CompatibilityAppraiser CSP - href: win32compatibilityappraiser-csp.md - items: - - name: Win32CompatibilityAppraiser DDF file - href: win32compatibilityappraiser-ddf.md - - name: WindowsAdvancedThreatProtection CSP - href: windowsadvancedthreatprotection-csp.md - items: - - name: WindowsAdvancedThreatProtection DDF file - href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutopilot CSP - href: windowsautopilot-csp.md - items: - - name: WindowsAutopilot DDF file - href: windowsautopilot-ddf-file.md - - name: WindowsDefenderApplicationGuard CSP - href: windowsdefenderapplicationguard-csp.md - items: - - name: WindowsDefenderApplicationGuard DDF file - href: windowsdefenderapplicationguard-ddf-file.md - - name: WindowsLicensing CSP - href: windowslicensing-csp.md - items: - - name: WindowsLicensing DDF file - href: windowslicensing-ddf-file.md - - name: WiredNetwork CSP - href: wirednetwork-csp.md - items: - - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md + - name: ApplicationControl DDF file + href: applicationcontrol-csp-ddf.md + - name: AppLocker CSP + href: applocker-csp.md + items: + - name: AppLocker DDF file + href: applocker-ddf-file.md + - name: AppLocker XSD + href: applocker-xsd.md + - name: AssignedAccess CSP + href: assignedaccess-csp.md + items: + - name: AssignedAccess DDF file + href: assignedaccess-ddf.md + - name: BitLocker CSP + href: bitlocker-csp.md + items: + - name: BitLocker DDF file + href: bitlocker-ddf-file.md + - name: CellularSettings CSP + href: cellularsettings-csp.md + - name: CertificateStore CSP + href: certificatestore-csp.md + items: + - name: CertificateStore DDF file + href: certificatestore-ddf-file.md + - name: CleanPC CSP + href: cleanpc-csp.md + items: + - name: CleanPC DDF + href: cleanpc-ddf.md + - name: ClientCertificateInstall CSP + href: clientcertificateinstall-csp.md + items: + - name: ClientCertificateInstall DDF file + href: clientcertificateinstall-ddf-file.md + - name: CM_CellularEntries CSP + href: cm-cellularentries-csp.md + - name: CMPolicy CSP + href: cmpolicy-csp.md + - name: CMPolicyEnterprise CSP + href: cmpolicyenterprise-csp.md + items: + - name: CMPolicyEnterprise DDF file + href: cmpolicyenterprise-ddf-file.md + - name: CustomDeviceUI CSP + href: customdeviceui-csp.md + items: + - name: CustomDeviceUI DDF file + href: customdeviceui-ddf.md + - name: Defender CSP + href: defender-csp.md + items: + - name: Defender DDF file + href: defender-ddf.md + - name: DevDetail CSP + href: devdetail-csp.md + items: + - name: DevDetail DDF file + href: devdetail-ddf-file.md + - name: DeveloperSetup CSP + href: developersetup-csp.md + items: + - name: DeveloperSetup DDF + href: developersetup-ddf.md + - name: DeviceLock CSP + href: devicelock-csp.md + items: + - name: DeviceLock DDF file + href: devicelock-ddf-file.md + - name: DeviceManageability CSP + href: devicemanageability-csp.md + items: + - name: DeviceManageability DDF + href: devicemanageability-ddf.md + - name: DeviceStatus CSP + href: devicestatus-csp.md + items: + - name: DeviceStatus DDF + href: devicestatus-ddf.md + - name: DevInfo CSP + href: devinfo-csp.md + items: + - name: DevInfo DDF file + href: devinfo-ddf-file.md + - name: DiagnosticLog CSP + href: diagnosticlog-csp.md + items: + - name: DiagnosticLog DDF file + href: diagnosticlog-ddf.md + - name: DMAcc CSP + href: dmacc-csp.md + items: + - name: DMAcc DDF file + href: dmacc-ddf-file.md + - name: DMClient CSP + href: dmclient-csp.md + items: + - name: DMClient DDF file + href: dmclient-ddf-file.md + - name: DMSessionActions CSP + href: dmsessionactions-csp.md + items: + - name: DMSessionActions DDF file + href: dmsessionactions-ddf.md + - name: DynamicManagement CSP + href: dynamicmanagement-csp.md + items: + - name: DynamicManagement DDF file + href: dynamicmanagement-ddf.md + - name: EMAIL2 CSP + href: email2-csp.md + items: + - name: EMAIL2 DDF file + href: email2-ddf-file.md + - name: EnrollmentStatusTracking CSP + href: enrollmentstatustracking-csp.md + items: + - name: EnrollmentStatusTracking DDF file + href: enrollmentstatustracking-csp-ddf.md + - name: EnterpriseAPN CSP + href: enterpriseapn-csp.md + items: + - name: EnterpriseAPN DDF + href: enterpriseapn-ddf.md + - name: EnterpriseAppVManagement CSP + href: enterpriseappvmanagement-csp.md + items: + - name: EnterpriseAppVManagement DDF file + href: enterpriseappvmanagement-ddf.md + - name: EnterpriseDataProtection CSP + href: enterprisedataprotection-csp.md + items: + - name: EnterpriseDataProtection DDF file + href: enterprisedataprotection-ddf-file.md + - name: EnterpriseDesktopAppManagement CSP + href: enterprisedesktopappmanagement-csp.md + items: + - name: EnterpriseDesktopAppManagement DDF + href: enterprisedesktopappmanagement-ddf-file.md + - name: EnterpriseDesktopAppManagement XSD + href: enterprisedesktopappmanagement2-xsd.md + - name: EnterpriseModernAppManagement CSP + href: enterprisemodernappmanagement-csp.md + items: + - name: EnterpriseModernAppManagement DDF + href: enterprisemodernappmanagement-ddf.md + - name: EnterpriseModernAppManagement XSD + href: enterprisemodernappmanagement-xsd.md + - name: eUICCs CSP + href: euiccs-csp.md + items: + - name: eUICCs DDF file + href: euiccs-ddf-file.md + - name: Firewall CSP + href: firewall-csp.md + items: + - name: Firewall DDF file + href: firewall-ddf-file.md + - name: HealthAttestation CSP + href: healthattestation-csp.md + items: + - name: HealthAttestation DDF + href: healthattestation-ddf.md + - name: MultiSIM CSP + href: multisim-csp.md + items: + - name: MultiSIM DDF file + href: multisim-ddf.md + - name: NAP CSP + href: nap-csp.md + - name: NAPDEF CSP + href: napdef-csp.md + - name: NetworkProxy CSP + href: networkproxy-csp.md + items: + - name: NetworkProxy DDF file + href: networkproxy-ddf.md + - name: NetworkQoSPolicy CSP + href: networkqospolicy-csp.md + items: + - name: NetworkQoSPolicy DDF file + href: networkqospolicy-ddf.md + - name: NodeCache CSP + href: nodecache-csp.md + items: + - name: NodeCache DDF file + href: nodecache-ddf-file.md + - name: Office CSP + href: office-csp.md + items: + - name: Office DDF + href: office-ddf.md + - name: PassportForWork CSP + href: passportforwork-csp.md + items: + - name: PassportForWork DDF file + href: passportforwork-ddf.md + - name: Personalization CSP + href: personalization-csp.md + items: + - name: Personalization DDF file + href: personalization-ddf.md + - name: Policy CSP + href: policy-configuration-service-provider.md + items: + - name: Policy CSP DDF file + href: policy-ddf-file.md + - name: Policies in Policy CSP supported by Group Policy + href: policies-in-policy-csp-supported-by-group-policy.md + - name: ADMX policies in Policy CSP + href: policies-in-policy-csp-admx-backed.md + - name: Policies in Policy CSP supported by HoloLens 2 + href: policies-in-policy-csp-supported-by-hololens2.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite + href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition + href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md + - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise + href: ./configuration-service-provider-reference.md + - name: Policies in Policy CSP supported by Windows 10 IoT Core + href: policies-in-policy-csp-supported-by-iot-core.md + - name: Policies in Policy CSP supported by Microsoft Surface Hub + href: policies-in-policy-csp-supported-by-surface-hub.md + - name: Policy CSPs that can be set using Exchange Active Sync (EAS) + href: policies-in-policy-csp-that-can-be-set-using-eas.md + - name: AboveLock + href: policy-csp-abovelock.md + - name: Accounts + href: policy-csp-accounts.md + - name: ActiveXControls + href: policy-csp-activexcontrols.md + - name: ADMX_ActiveXInstallService + href: policy-csp-admx-activexinstallservice.md + - name: ADMX_AddRemovePrograms + href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md + - name: ADMX_AppCompat + href: policy-csp-admx-appcompat.md + - name: ADMX_AppxPackageManager + href: policy-csp-admx-appxpackagemanager.md + - name: ADMX_AppXRuntime + href: policy-csp-admx-appxruntime.md + - name: ADMX_AttachmentManager + href: policy-csp-admx-attachmentmanager.md + - name: ADMX_AuditSettings + href: policy-csp-admx-auditsettings.md + - name: ADMX_Bits + href: policy-csp-admx-bits.md + - name: ADMX_CipherSuiteOrder + href: policy-csp-admx-ciphersuiteorder.md + - name: ADMX_COM + href: policy-csp-admx-com.md + - name: ADMX_ControlPanel + href: policy-csp-admx-controlpanel.md + - name: ADMX_ControlPanelDisplay + href: policy-csp-admx-controlpaneldisplay.md + - name: ADMX_Cpls + href: policy-csp-admx-cpls.md + - name: ADMX_CredentialProviders + href: policy-csp-admx-credentialproviders.md + - name: ADMX_CredSsp + href: policy-csp-admx-credssp.md + - name: ADMX_CredUI + href: policy-csp-admx-credui.md + - name: ADMX_CtrlAltDel + href: policy-csp-admx-ctrlaltdel.md + - name: ADMX_DataCollection + href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md + - name: ADMX_Desktop + href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md + - name: ADMX_DeviceInstallation + href: policy-csp-admx-deviceinstallation.md + - name: ADMX_DeviceSetup + href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md + - name: ADMX_DigitalLocker + href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DistributedLinkTracking + href: policy-csp-admx-distributedlinktracking.md + - name: ADMX_DnsClient + href: policy-csp-admx-dnsclient.md + - name: ADMX_DWM + href: policy-csp-admx-dwm.md + - name: ADMX_EAIME + href: policy-csp-admx-eaime.md + - name: ADMX_EncryptFilesonMove + href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md + - name: ADMX_EnhancedStorage + href: policy-csp-admx-enhancedstorage.md + - name: ADMX_ErrorReporting + href: policy-csp-admx-errorreporting.md + - name: ADMX_EventForwarding + href: policy-csp-admx-eventforwarding.md + - name: ADMX_EventLog + href: policy-csp-admx-eventlog.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md + - name: ADMX_Explorer + href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md + - name: ADMX_FileRecovery + href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md + - name: ADMX_FileServerVSSProvider + href: policy-csp-admx-fileservervssprovider.md + - name: ADMX_FileSys + href: policy-csp-admx-filesys.md + - name: ADMX_FolderRedirection + href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md + - name: ADMX_Globalization + href: policy-csp-admx-globalization.md + - name: ADMX_GroupPolicy + href: policy-csp-admx-grouppolicy.md + - name: ADMX_Help + href: policy-csp-admx-help.md + - name: ADMX_HelpAndSupport + href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md + - name: ADMX_ICM + href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md + - name: ADMX_kdc + href: policy-csp-admx-kdc.md + - name: ADMX_Kerberos + href: policy-csp-admx-kerberos.md + - name: ADMX_LanmanServer + href: policy-csp-admx-lanmanserver.md + - name: ADMX_LanmanWorkstation + href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md + - name: ADMX_LinkLayerTopologyDiscovery + href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md + - name: ADMX_Logon + href: policy-csp-admx-logon.md + - name: ADMX_MicrosoftDefenderAntivirus + href: policy-csp-admx-microsoftdefenderantivirus.md + - name: ADMX_MMC + href: policy-csp-admx-mmc.md + - name: ADMX_MMCSnapins + href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md + - name: ADMX_MSAPolicy + href: policy-csp-admx-msapolicy.md + - name: ADMX_msched + href: policy-csp-admx-msched.md + - name: ADMX_MSDT + href: policy-csp-admx-msdt.md + - name: ADMX_MSI + href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md + - name: ADMX_nca + href: policy-csp-admx-nca.md + - name: ADMX_NCSI + href: policy-csp-admx-ncsi.md + - name: ADMX_Netlogon + href: policy-csp-admx-netlogon.md + - name: ADMX_NetworkConnections + href: policy-csp-admx-networkconnections.md + - name: ADMX_OfflineFiles + href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md + - name: ADMX_PeerToPeerCaching + href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md + - name: ADMX_PerformanceDiagnostics + href: policy-csp-admx-performancediagnostics.md + - name: ADMX_Power + href: policy-csp-admx-power.md + - name: ADMX_PowerShellExecutionPolicy + href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md + - name: ADMX_Printing + href: policy-csp-admx-printing.md + - name: ADMX_Printing2 + href: policy-csp-admx-printing2.md + - name: ADMX_Programs + href: policy-csp-admx-programs.md + - name: ADMX_Reliability + href: policy-csp-admx-reliability.md + - name: ADMX_RemoteAssistance + href: policy-csp-admx-remoteassistance.md + - name: ADMX_RemovableStorage + href: policy-csp-admx-removablestorage.md + - name: ADMX_RPC + href: policy-csp-admx-rpc.md + - name: ADMX_Scripts + href: policy-csp-admx-scripts.md + - name: ADMX_sdiageng + href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md + - name: ADMX_Securitycenter + href: policy-csp-admx-securitycenter.md + - name: ADMX_Sensors + href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md + - name: ADMX_Servicing + href: policy-csp-admx-servicing.md + - name: ADMX_SettingSync + href: policy-csp-admx-settingsync.md + - name: ADMX_SharedFolders + href: policy-csp-admx-sharedfolders.md + - name: ADMX_Sharing + href: policy-csp-admx-sharing.md + - name: ADMX_ShellCommandPromptRegEditTools + href: policy-csp-admx-shellcommandpromptregedittools.md + - name: ADMX_Smartcard + href: policy-csp-admx-smartcard.md + - name: ADMX_Snmp + href: policy-csp-admx-snmp.md + - name: ADMX_StartMenu + href: policy-csp-admx-startmenu.md + - name: ADMX_SystemRestore + href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md + - name: ADMX_Taskbar + href: policy-csp-admx-taskbar.md + - name: ADMX_tcpip + href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md + - name: ADMX_Thumbnails + href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md + - name: ADMX_TPM + href: policy-csp-admx-tpm.md + - name: ADMX_UserExperienceVirtualization + href: policy-csp-admx-userexperiencevirtualization.md + - name: ADMX_UserProfiles + href: policy-csp-admx-userprofiles.md + - name: ADMX_W32Time + href: policy-csp-admx-w32time.md + - name: ADMX_WCM + href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md + - name: ADMX_WinCal + href: policy-csp-admx-wincal.md + - name: ADMX_WindowsConnectNow + href: policy-csp-admx-windowsconnectnow.md + - name: ADMX_WindowsExplorer + href: policy-csp-admx-windowsexplorer.md + - name: ADMX_WindowsMediaDRM + href: policy-csp-admx-windowsmediadrm.md + - name: ADMX_WindowsMediaPlayer + href: policy-csp-admx-windowsmediaplayer.md + - name: ADMX_WindowsRemoteManagement + href: policy-csp-admx-windowsremotemanagement.md + - name: ADMX_WindowsStore + href: policy-csp-admx-windowsstore.md + - name: ADMX_WinInit + href: policy-csp-admx-wininit.md + - name: ADMX_WinLogon + href: policy-csp-admx-winlogon.md + - name: ADMX-Winsrv + href: policy-csp-admx-winsrv.md + - name: ADMX_wlansvc + href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md + - name: ADMX_WPN + href: policy-csp-admx-wpn.md + - name: ApplicationDefaults + href: policy-csp-applicationdefaults.md + - name: ApplicationManagement + href: policy-csp-applicationmanagement.md + - name: AppRuntime + href: policy-csp-appruntime.md + - name: AppVirtualization + href: policy-csp-appvirtualization.md + - name: AttachmentManager + href: policy-csp-attachmentmanager.md + - name: Audit + href: policy-csp-audit.md + - name: Authentication + href: policy-csp-authentication.md + - name: Autoplay + href: policy-csp-autoplay.md + - name: BitLocker + href: policy-csp-bitlocker.md + - name: BITS + href: policy-csp-bits.md + - name: Bluetooth + href: policy-csp-bluetooth.md + - name: Browser + href: policy-csp-browser.md + - name: Camera + href: policy-csp-camera.md + - name: Cellular + href: policy-csp-cellular.md + - name: Connectivity + href: policy-csp-connectivity.md + - name: ControlPolicyConflict + href: policy-csp-controlpolicyconflict.md + - name: CredentialsDelegation + href: policy-csp-credentialsdelegation.md + - name: CredentialProviders + href: policy-csp-credentialproviders.md + - name: CredentialsUI + href: policy-csp-credentialsui.md + - name: Cryptography + href: policy-csp-cryptography.md + - name: DataProtection + href: policy-csp-dataprotection.md + - name: DataUsage + href: policy-csp-datausage.md + - name: Defender + href: policy-csp-defender.md + - name: DeliveryOptimization + href: policy-csp-deliveryoptimization.md + - name: Desktop + href: policy-csp-desktop.md + - name: DeviceGuard + href: policy-csp-deviceguard.md + - name: DeviceHealthMonitoring + href: policy-csp-devicehealthmonitoring.md + - name: DeviceInstallation + href: policy-csp-deviceinstallation.md + - name: DeviceLock + href: policy-csp-devicelock.md + - name: Display + href: policy-csp-display.md + - name: DmaGuard + href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md + - name: Education + href: policy-csp-education.md + - name: EnterpriseCloudPrint + href: policy-csp-enterprisecloudprint.md + - name: ErrorReporting + href: policy-csp-errorreporting.md + - name: EventLogService + href: policy-csp-eventlogservice.md + - name: Experience + href: policy-csp-experience.md + - name: ExploitGuard + href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md + - name: FileExplorer + href: policy-csp-fileexplorer.md + - name: Games + href: policy-csp-games.md + - name: Handwriting + href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md + - name: InternetExplorer + href: policy-csp-internetexplorer.md + - name: Kerberos + href: policy-csp-kerberos.md + - name: KioskBrowser + href: policy-csp-kioskbrowser.md + - name: LanmanWorkstation + href: policy-csp-lanmanworkstation.md + - name: Licensing + href: policy-csp-licensing.md + - name: LocalPoliciesSecurityOptions + href: policy-csp-localpoliciessecurityoptions.md + - name: LocalUsersAndGroups + href: policy-csp-localusersandgroups.md + - name: LockDown + href: policy-csp-lockdown.md + - name: Maps + href: policy-csp-maps.md + - name: MemoryDump + href: policy-csp-memorydump.md + - name: Messaging + href: policy-csp-messaging.md + - name: MixedReality + href: policy-csp-mixedreality.md + - name: MSSecurityGuide + href: policy-csp-mssecurityguide.md + - name: MSSLegacy + href: policy-csp-msslegacy.md + - name: Multitasking + href: policy-csp-multitasking.md + - name: NetworkIsolation + href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md + - name: NewsAndInterests + href: policy-csp-newsandinterests.md + - name: Notifications + href: policy-csp-notifications.md + - name: Power + href: policy-csp-power.md + - name: Printers + href: policy-csp-printers.md + - name: Privacy + href: policy-csp-privacy.md + - name: RemoteAssistance + href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md + - name: RemoteDesktopServices + href: policy-csp-remotedesktopservices.md + - name: RemoteManagement + href: policy-csp-remotemanagement.md + - name: RemoteProcedureCall + href: policy-csp-remoteprocedurecall.md + - name: RemoteShell + href: policy-csp-remoteshell.md + - name: RestrictedGroups + href: policy-csp-restrictedgroups.md + - name: Search + href: policy-csp-search.md + - name: Security + href: policy-csp-security.md + - name: ServiceControlManager + href: policy-csp-servicecontrolmanager.md + - name: Settings + href: policy-csp-settings.md + - name: Speech + href: policy-csp-speech.md + - name: Start + href: policy-csp-start.md + - name: Storage + href: policy-csp-storage.md + - name: System + href: policy-csp-system.md + - name: SystemServices + href: policy-csp-systemservices.md + - name: TaskManager + href: policy-csp-taskmanager.md + - name: TaskScheduler + href: policy-csp-taskscheduler.md + - name: TextInput + href: policy-csp-textinput.md + - name: TimeLanguageSettings + href: policy-csp-timelanguagesettings.md + - name: Troubleshooting + href: policy-csp-troubleshooting.md + - name: Update + href: policy-csp-update.md + - name: UserRights + href: policy-csp-userrights.md + - name: VirtualizationBasedTechnology + href: policy-csp-virtualizationbasedtechnology.md + - name: Wifi + href: policy-csp-wifi.md + - name: WindowsAutoPilot + href: policy-csp-windowsautopilot.md + - name: WindowsConnectionManager + href: policy-csp-windowsconnectionmanager.md + - name: WindowsDefenderSecurityCenter + href: policy-csp-windowsdefendersecuritycenter.md + - name: WindowsDefenderSmartScreen + href: policy-csp-smartscreen.md + - name: WindowsInkWorkspace + href: policy-csp-windowsinkworkspace.md + - name: WindowsLogon + href: policy-csp-windowslogon.md + - name: WindowsPowerShell + href: policy-csp-windowspowershell.md + - name: WindowsSandbox + href: policy-csp-windowssandbox.md + - name: WirelessDisplay + href: policy-csp-wirelessdisplay.md + - name: Provisioning CSP + href: provisioning-csp.md + - name: PXLOGICAL CSP + href: pxlogical-csp.md + - name: Reboot CSP + href: reboot-csp.md + items: + - name: Reboot DDF file + href: reboot-ddf-file.md + - name: RemoteFind CSP + href: remotefind-csp.md + items: + - name: RemoteFind DDF file + href: remotefind-ddf-file.md + - name: RemoteWipe CSP + href: remotewipe-csp.md + items: + - name: RemoteWipe DDF file + href: remotewipe-ddf-file.md + - name: Reporting CSP + href: reporting-csp.md + items: + - name: Reporting DDF file + href: reporting-ddf-file.md + - name: RootCATrustedCertificates CSP + href: rootcacertificates-csp.md + items: + - name: RootCATrustedCertificates DDF file + href: rootcacertificates-ddf-file.md + - name: SecureAssessment CSP + href: secureassessment-csp.md + items: + - name: SecureAssessment DDF file + href: secureassessment-ddf-file.md + - name: SecurityPolicy CSP + href: securitypolicy-csp.md + - name: SharedPC CSP + href: sharedpc-csp.md + items: + - name: SharedPC DDF file + href: sharedpc-ddf-file.md + - name: Storage CSP + href: storage-csp.md + items: + - name: Storage DDF file + href: storage-ddf-file.md + - name: SUPL CSP + href: supl-csp.md + items: + - name: SUPL DDF file + href: supl-ddf-file.md + - name: SurfaceHub CSP + href: surfacehub-csp.md + items: + - name: SurfaceHub DDF file + href: surfacehub-ddf-file.md + - name: TenantLockdown CSP + href: tenantlockdown-csp.md + items: + - name: TenantLockdown DDF file + href: tenantlockdown-ddf.md + - name: TPMPolicy CSP + href: tpmpolicy-csp.md + items: + - name: TPMPolicy DDF file + href: tpmpolicy-ddf-file.md + - name: UEFI CSP + href: uefi-csp.md + items: + - name: UEFI DDF file + href: uefi-ddf.md + - name: UnifiedWriteFilter CSP + href: unifiedwritefilter-csp.md + items: + - name: UnifiedWriteFilter DDF file + href: unifiedwritefilter-ddf.md + - name: UniversalPrint CSP + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md + - name: Update CSP + href: update-csp.md + items: + - name: Update DDF file + href: update-ddf-file.md + - name: VPN CSP + href: vpn-csp.md + items: + - name: VPN DDF file + href: vpn-ddf-file.md + - name: VPNv2 CSP + href: vpnv2-csp.md + items: + - name: VPNv2 DDF file + href: vpnv2-ddf-file.md + - name: ProfileXML XSD + href: vpnv2-profile-xsd.md + - name: EAP configuration + href: eap-configuration.md + - name: w4 APPLICATION CSP + href: w4-application-csp.md + - name: w7 APPLICATION CSP + href: w7-application-csp.md + - name: WiFi CSP + href: wifi-csp.md + items: + - name: WiFi DDF file + href: wifi-ddf-file.md + - name: Win32AppInventory CSP + href: win32appinventory-csp.md + items: + - name: Win32AppInventory DDF file + href: win32appinventory-ddf-file.md + - name: Win32CompatibilityAppraiser CSP + href: win32compatibilityappraiser-csp.md + items: + - name: Win32CompatibilityAppraiser DDF file + href: win32compatibilityappraiser-ddf.md + - name: WindowsAdvancedThreatProtection CSP + href: windowsadvancedthreatprotection-csp.md + items: + - name: WindowsAdvancedThreatProtection DDF file + href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutopilot CSP + href: windowsautopilot-csp.md + items: + - name: WindowsAutopilot DDF file + href: windowsautopilot-ddf-file.md + - name: WindowsDefenderApplicationGuard CSP + href: windowsdefenderapplicationguard-csp.md + items: + - name: WindowsDefenderApplicationGuard DDF file + href: windowsdefenderapplicationguard-ddf-file.md + - name: WindowsLicensing CSP + href: windowslicensing-csp.md + items: + - name: WindowsLicensing DDF file + href: windowslicensing-ddf-file.md + - name: WiredNetwork CSP + href: wirednetwork-csp.md + items: + - name: WiredNetwork DDF file + href: wirednetwork-ddf-file.md From 334d2b62ad9eaa6aab0e850ac50d6fd2414b0363 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Wed, 3 Aug 2022 18:05:20 -0400 Subject: [PATCH 28/77] Indent one level --- windows/client-management/mdm/toc.yml | 1939 +++++++++++++------------ 1 file changed, 970 insertions(+), 969 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index e77a877869..4d565bd3f7 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -1,975 +1,976 @@ items: - name: Mobile Device Management href: index.md -- name: What's new in MDM enrollment and management - href: new-in-windows-mdm-enrollment-management.md items: - - name: Change history for MDM documentation - href: change-history-for-mdm-documentation.md -- name: Device enrollment - href: mobile-device-enrollment.md - items: - - name: MDM enrollment of Windows devices - href: mdm-enrollment-of-windows-devices.md - - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment" - href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - - name: Enroll a Windows 10 device automatically using Group Policy - href: enroll-a-windows-10-device-automatically-using-group-policy.md - - name: Bulk enrollment - href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Federated authentication device enrollment - href: federated-authentication-device-enrollment.md - - name: Certificate authentication device enrollment - href: certificate-authentication-device-enrollment.md - - name: On-premises authentication device enrollment - href: on-premise-authentication-device-enrollment.md - - name: Disconnecting a device from MDM (unenrollment) - href: disconnecting-from-mdm-unenrollment.md -- name: Understanding ADMX policies - href: understanding-admx-backed-policies.md - items: - - name: Enable ADMX policies in MDM - href: enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: win32-and-centennial-app-policy-configuration.md -- name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md - items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md -- name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md - items: - - name: Enterprise app management - href: enterprise-app-management.md + - name: What's new in MDM enrollment and management + href: new-in-windows-mdm-enrollment-management.md items: - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Management tool for the Microsoft Store for Business - href: management-tool-for-windows-store-for-business.md - - name: REST API reference for Microsoft Store for Business - href: rest-api-reference-windows-store-for-business.md + - name: Change history for MDM documentation + href: change-history-for-mdm-documentation.md + - name: Device enrollment + href: mobile-device-enrollment.md + items: + - name: MDM enrollment of Windows devices + href: mdm-enrollment-of-windows-devices.md + - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment" + href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md + - name: Enroll a Windows 10 device automatically using Group Policy + href: enroll-a-windows-10-device-automatically-using-group-policy.md + - name: Bulk enrollment + href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Federated authentication device enrollment + href: federated-authentication-device-enrollment.md + - name: Certificate authentication device enrollment + href: certificate-authentication-device-enrollment.md + - name: On-premises authentication device enrollment + href: on-premise-authentication-device-enrollment.md + - name: Disconnecting a device from MDM (unenrollment) + href: disconnecting-from-mdm-unenrollment.md + - name: Understanding ADMX policies + href: understanding-admx-backed-policies.md + items: + - name: Enable ADMX policies in MDM + href: enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: win32-and-centennial-app-policy-configuration.md + - name: Azure Active Directory integration with MDM + href: azure-active-directory-integration-with-mdm.md + items: + - name: Add an Azure AD tenant and Azure AD subscription + href: add-an-azure-ad-tenant-and-azure-ad-subscription.md + - name: Register your free Azure Active Directory subscription + href: register-your-free-azure-active-directory-subscription.md + - name: Enterprise settings, policies, and app management + href: windows-mdm-enterprise-settings.md + items: + - name: Enterprise app management + href: enterprise-app-management.md items: - - name: Data structures for Microsoft Store for Business - href: data-structures-windows-store-for-business.md - - name: Get Inventory - href: get-inventory.md - - name: Get product details - href: get-product-details.md - - name: Get localized product details - href: get-localized-product-details.md - - name: Get offline license - href: get-offline-license.md - - name: Get product packages - href: get-product-packages.md - - name: Get product package - href: get-product-package.md - - name: Get seats - href: get-seats.md - - name: Get seat - href: get-seat.md - - name: Assign seats - href: assign-seats.md - - name: Reclaim seat from user - href: reclaim-seat-from-user.md - - name: Bulk assign and reclaim seats from users - href: bulk-assign-and-reclaim-seats-from-user.md - - name: Get seats assigned to a user - href: get-seats-assigned-to-a-user.md - - name: Mobile device management (MDM) for device updates - href: device-update-management.md - - name: Secured-Core PC Configuration Lock - href: config-lock.md - - name: Certificate renewal - href: certificate-renewal-windows-mdm.md -- name: Using PowerShell scripting with the WMI Bridge Provider - href: using-powershell-scripting-with-the-wmi-bridge-provider.md -- name: WMI providers supported in Windows 10 - href: wmi-providers-supported-in-windows.md -- name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md -- name: Push notification support for device management - href: push-notification-windows-mdm.md -- name: MAM support for device management - href: implement-server-side-mobile-application-management.md -- name: OMA DM protocol support - href: oma-dm-protocol-support.md - items: - - name: Structure of OMA DM provisioning files - href: structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: server-requirements-windows-mdm.md - - name: DMProcessConfigXMLFiltered - href: dmprocessconfigxmlfiltered.md -- name: Configuration service provider reference - href: configuration-service-provider-reference.md - items: - - name: AccountManagement CSP - href: accountmanagement-csp.md - items: - - name: AccountManagement DDF file - href: accountmanagement-ddf.md - - name: Accounts CSP - href: accounts-csp.md - items: - - name: Accounts DDF file - href: accounts-ddf-file.md - - name: ActiveSync CSP - href: activesync-csp.md - items: - - name: ActiveSync DDF file - href: activesync-ddf-file.md - - name: AllJoynManagement CSP - href: alljoynmanagement-csp.md - items: - - name: AllJoynManagement DDF - href: alljoynmanagement-ddf.md - - name: APPLICATION CSP - href: application-csp.md - - name: ApplicationControl CSP - href: applicationcontrol-csp.md - items: - - name: ApplicationControl DDF file - href: applicationcontrol-csp-ddf.md - - name: AppLocker CSP - href: applocker-csp.md - items: - - name: AppLocker DDF file - href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - - name: AssignedAccess CSP - href: assignedaccess-csp.md - items: - - name: AssignedAccess DDF file - href: assignedaccess-ddf.md - - name: BitLocker CSP - href: bitlocker-csp.md - items: - - name: BitLocker DDF file - href: bitlocker-ddf-file.md - - name: CellularSettings CSP - href: cellularsettings-csp.md - - name: CertificateStore CSP - href: certificatestore-csp.md - items: - - name: CertificateStore DDF file - href: certificatestore-ddf-file.md - - name: CleanPC CSP - href: cleanpc-csp.md - items: - - name: CleanPC DDF - href: cleanpc-ddf.md - - name: ClientCertificateInstall CSP - href: clientcertificateinstall-csp.md - items: - - name: ClientCertificateInstall DDF file - href: clientcertificateinstall-ddf-file.md - - name: CM_CellularEntries CSP - href: cm-cellularentries-csp.md - - name: CMPolicy CSP - href: cmpolicy-csp.md - - name: CMPolicyEnterprise CSP - href: cmpolicyenterprise-csp.md - items: - - name: CMPolicyEnterprise DDF file - href: cmpolicyenterprise-ddf-file.md - - name: CustomDeviceUI CSP - href: customdeviceui-csp.md - items: - - name: CustomDeviceUI DDF file - href: customdeviceui-ddf.md - - name: Defender CSP - href: defender-csp.md - items: - - name: Defender DDF file - href: defender-ddf.md - - name: DevDetail CSP - href: devdetail-csp.md - items: - - name: DevDetail DDF file - href: devdetail-ddf-file.md - - name: DeveloperSetup CSP - href: developersetup-csp.md - items: - - name: DeveloperSetup DDF - href: developersetup-ddf.md - - name: DeviceLock CSP - href: devicelock-csp.md - items: - - name: DeviceLock DDF file - href: devicelock-ddf-file.md - - name: DeviceManageability CSP - href: devicemanageability-csp.md - items: - - name: DeviceManageability DDF - href: devicemanageability-ddf.md - - name: DeviceStatus CSP - href: devicestatus-csp.md - items: - - name: DeviceStatus DDF - href: devicestatus-ddf.md - - name: DevInfo CSP - href: devinfo-csp.md - items: - - name: DevInfo DDF file - href: devinfo-ddf-file.md - - name: DiagnosticLog CSP - href: diagnosticlog-csp.md - items: - - name: DiagnosticLog DDF file - href: diagnosticlog-ddf.md - - name: DMAcc CSP - href: dmacc-csp.md - items: - - name: DMAcc DDF file - href: dmacc-ddf-file.md - - name: DMClient CSP - href: dmclient-csp.md - items: - - name: DMClient DDF file - href: dmclient-ddf-file.md - - name: DMSessionActions CSP - href: dmsessionactions-csp.md - items: - - name: DMSessionActions DDF file - href: dmsessionactions-ddf.md - - name: DynamicManagement CSP - href: dynamicmanagement-csp.md - items: - - name: DynamicManagement DDF file - href: dynamicmanagement-ddf.md - - name: EMAIL2 CSP - href: email2-csp.md - items: - - name: EMAIL2 DDF file - href: email2-ddf-file.md - - name: EnrollmentStatusTracking CSP - href: enrollmentstatustracking-csp.md - items: - - name: EnrollmentStatusTracking DDF file - href: enrollmentstatustracking-csp-ddf.md - - name: EnterpriseAPN CSP - href: enterpriseapn-csp.md - items: - - name: EnterpriseAPN DDF - href: enterpriseapn-ddf.md - - name: EnterpriseAppVManagement CSP - href: enterpriseappvmanagement-csp.md - items: - - name: EnterpriseAppVManagement DDF file - href: enterpriseappvmanagement-ddf.md - - name: EnterpriseDataProtection CSP - href: enterprisedataprotection-csp.md - items: - - name: EnterpriseDataProtection DDF file - href: enterprisedataprotection-ddf-file.md - - name: EnterpriseDesktopAppManagement CSP - href: enterprisedesktopappmanagement-csp.md - items: - - name: EnterpriseDesktopAppManagement DDF - href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - - name: EnterpriseModernAppManagement CSP - href: enterprisemodernappmanagement-csp.md - items: - - name: EnterpriseModernAppManagement DDF - href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - - name: eUICCs CSP - href: euiccs-csp.md - items: - - name: eUICCs DDF file - href: euiccs-ddf-file.md - - name: Firewall CSP - href: firewall-csp.md - items: - - name: Firewall DDF file - href: firewall-ddf-file.md - - name: HealthAttestation CSP - href: healthattestation-csp.md - items: - - name: HealthAttestation DDF - href: healthattestation-ddf.md - - name: MultiSIM CSP - href: multisim-csp.md - items: - - name: MultiSIM DDF file - href: multisim-ddf.md - - name: NAP CSP - href: nap-csp.md - - name: NAPDEF CSP - href: napdef-csp.md - - name: NetworkProxy CSP - href: networkproxy-csp.md - items: - - name: NetworkProxy DDF file - href: networkproxy-ddf.md - - name: NetworkQoSPolicy CSP - href: networkqospolicy-csp.md - items: - - name: NetworkQoSPolicy DDF file - href: networkqospolicy-ddf.md - - name: NodeCache CSP - href: nodecache-csp.md - items: - - name: NodeCache DDF file - href: nodecache-ddf-file.md - - name: Office CSP - href: office-csp.md - items: - - name: Office DDF - href: office-ddf.md - - name: PassportForWork CSP - href: passportforwork-csp.md - items: - - name: PassportForWork DDF file - href: passportforwork-ddf.md - - name: Personalization CSP - href: personalization-csp.md - items: - - name: Personalization DDF file - href: personalization-ddf.md - - name: Policy CSP - href: policy-configuration-service-provider.md - items: - - name: Policy CSP DDF file - href: policy-ddf-file.md - - name: Policies in Policy CSP supported by Group Policy - href: policies-in-policy-csp-supported-by-group-policy.md - - name: ADMX policies in Policy CSP - href: policies-in-policy-csp-admx-backed.md - - name: Policies in Policy CSP supported by HoloLens 2 - href: policies-in-policy-csp-supported-by-hololens2.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite - href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition - href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md - - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise - href: ./configuration-service-provider-reference.md - - name: Policies in Policy CSP supported by Windows 10 IoT Core - href: policies-in-policy-csp-supported-by-iot-core.md - - name: Policies in Policy CSP supported by Microsoft Surface Hub - href: policies-in-policy-csp-supported-by-surface-hub.md - - name: Policy CSPs that can be set using Exchange Active Sync (EAS) - href: policies-in-policy-csp-that-can-be-set-using-eas.md - - name: AboveLock - href: policy-csp-abovelock.md - - name: Accounts - href: policy-csp-accounts.md - - name: ActiveXControls - href: policy-csp-activexcontrols.md - - name: ADMX_ActiveXInstallService - href: policy-csp-admx-activexinstallservice.md - - name: ADMX_AddRemovePrograms - href: policy-csp-admx-addremoveprograms.md - - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md - - name: ADMX_AppCompat - href: policy-csp-admx-appcompat.md - - name: ADMX_AppxPackageManager - href: policy-csp-admx-appxpackagemanager.md - - name: ADMX_AppXRuntime - href: policy-csp-admx-appxruntime.md - - name: ADMX_AttachmentManager - href: policy-csp-admx-attachmentmanager.md - - name: ADMX_AuditSettings - href: policy-csp-admx-auditsettings.md - - name: ADMX_Bits - href: policy-csp-admx-bits.md - - name: ADMX_CipherSuiteOrder - href: policy-csp-admx-ciphersuiteorder.md - - name: ADMX_COM - href: policy-csp-admx-com.md - - name: ADMX_ControlPanel - href: policy-csp-admx-controlpanel.md - - name: ADMX_ControlPanelDisplay - href: policy-csp-admx-controlpaneldisplay.md - - name: ADMX_Cpls - href: policy-csp-admx-cpls.md - - name: ADMX_CredentialProviders - href: policy-csp-admx-credentialproviders.md - - name: ADMX_CredSsp - href: policy-csp-admx-credssp.md - - name: ADMX_CredUI - href: policy-csp-admx-credui.md - - name: ADMX_CtrlAltDel - href: policy-csp-admx-ctrlaltdel.md - - name: ADMX_DataCollection - href: policy-csp-admx-datacollection.md - - name: ADMX_DCOM - href: policy-csp-admx-dcom.md - - name: ADMX_Desktop - href: policy-csp-admx-desktop.md - - name: ADMX_DeviceCompat - href: policy-csp-admx-devicecompat.md - - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md - - name: ADMX_DeviceInstallation - href: policy-csp-admx-deviceinstallation.md - - name: ADMX_DeviceSetup - href: policy-csp-admx-devicesetup.md - - name: ADMX_DFS - href: policy-csp-admx-dfs.md - - name: ADMX_DigitalLocker - href: policy-csp-admx-digitallocker.md - - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md - - name: ADMX_DistributedLinkTracking - href: policy-csp-admx-distributedlinktracking.md - - name: ADMX_DnsClient - href: policy-csp-admx-dnsclient.md - - name: ADMX_DWM - href: policy-csp-admx-dwm.md - - name: ADMX_EAIME - href: policy-csp-admx-eaime.md - - name: ADMX_EncryptFilesonMove - href: policy-csp-admx-encryptfilesonmove.md - - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md - - name: ADMX_EnhancedStorage - href: policy-csp-admx-enhancedstorage.md - - name: ADMX_ErrorReporting - href: policy-csp-admx-errorreporting.md - - name: ADMX_EventForwarding - href: policy-csp-admx-eventforwarding.md - - name: ADMX_EventLog - href: policy-csp-admx-eventlog.md - - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md - - name: ADMX_Explorer - href: policy-csp-admx-explorer.md - - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: ADMX_FileRecovery - href: policy-csp-admx-filerecovery.md - - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md - - name: ADMX_FileServerVSSProvider - href: policy-csp-admx-fileservervssprovider.md - - name: ADMX_FileSys - href: policy-csp-admx-filesys.md - - name: ADMX_FolderRedirection - href: policy-csp-admx-folderredirection.md - - name: ADMX_FramePanes - href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md - - name: ADMX_Globalization - href: policy-csp-admx-globalization.md - - name: ADMX_GroupPolicy - href: policy-csp-admx-grouppolicy.md - - name: ADMX_Help - href: policy-csp-admx-help.md - - name: ADMX_HelpAndSupport - href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth - href: policy-csp-admx-hotspotauth.md - - name: ADMX_ICM - href: policy-csp-admx-icm.md - - name: ADMX_IIS - href: policy-csp-admx-iis.md - - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md - - name: ADMX_kdc - href: policy-csp-admx-kdc.md - - name: ADMX_Kerberos - href: policy-csp-admx-kerberos.md - - name: ADMX_LanmanServer - href: policy-csp-admx-lanmanserver.md - - name: ADMX_LanmanWorkstation - href: policy-csp-admx-lanmanworkstation.md - - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md - - name: ADMX_LinkLayerTopologyDiscovery - href: policy-csp-admx-linklayertopologydiscovery.md - - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md - - name: ADMX_Logon - href: policy-csp-admx-logon.md - - name: ADMX_MicrosoftDefenderAntivirus - href: policy-csp-admx-microsoftdefenderantivirus.md - - name: ADMX_MMC - href: policy-csp-admx-mmc.md - - name: ADMX_MMCSnapins - href: policy-csp-admx-mmcsnapins.md - - name: ADMX_MobilePCMobilityCenter - href: policy-csp-admx-mobilepcmobilitycenter.md - - name: ADMX_MobilePCPresentationSettings - href: policy-csp-admx-mobilepcpresentationsettings.md - - name: ADMX_MSAPolicy - href: policy-csp-admx-msapolicy.md - - name: ADMX_msched - href: policy-csp-admx-msched.md - - name: ADMX_MSDT - href: policy-csp-admx-msdt.md - - name: ADMX_MSI - href: policy-csp-admx-msi.md - - name: ADMX_MsiFileRecovery - href: policy-csp-admx-msifilerecovery.md - - name: ADMX_nca - href: policy-csp-admx-nca.md - - name: ADMX_NCSI - href: policy-csp-admx-ncsi.md - - name: ADMX_Netlogon - href: policy-csp-admx-netlogon.md - - name: ADMX_NetworkConnections - href: policy-csp-admx-networkconnections.md - - name: ADMX_OfflineFiles - href: policy-csp-admx-offlinefiles.md - - name: ADMX_pca - href: policy-csp-admx-pca.md - - name: ADMX_PeerToPeerCaching - href: policy-csp-admx-peertopeercaching.md - - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md - - name: ADMX_PerformanceDiagnostics - href: policy-csp-admx-performancediagnostics.md - - name: ADMX_Power - href: policy-csp-admx-power.md - - name: ADMX_PowerShellExecutionPolicy - href: policy-csp-admx-powershellexecutionpolicy.md - - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md - - name: ADMX_Printing - href: policy-csp-admx-printing.md - - name: ADMX_Printing2 - href: policy-csp-admx-printing2.md - - name: ADMX_Programs - href: policy-csp-admx-programs.md - - name: ADMX_Reliability - href: policy-csp-admx-reliability.md - - name: ADMX_RemoteAssistance - href: policy-csp-admx-remoteassistance.md - - name: ADMX_RemovableStorage - href: policy-csp-admx-removablestorage.md - - name: ADMX_RPC - href: policy-csp-admx-rpc.md - - name: ADMX_Scripts - href: policy-csp-admx-scripts.md - - name: ADMX_sdiageng - href: policy-csp-admx-sdiageng.md - - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md - - name: ADMX_Securitycenter - href: policy-csp-admx-securitycenter.md - - name: ADMX_Sensors - href: policy-csp-admx-sensors.md - - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md - - name: ADMX_Servicing - href: policy-csp-admx-servicing.md - - name: ADMX_SettingSync - href: policy-csp-admx-settingsync.md - - name: ADMX_SharedFolders - href: policy-csp-admx-sharedfolders.md - - name: ADMX_Sharing - href: policy-csp-admx-sharing.md - - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_Smartcard - href: policy-csp-admx-smartcard.md - - name: ADMX_Snmp - href: policy-csp-admx-snmp.md - - name: ADMX_StartMenu - href: policy-csp-admx-startmenu.md - - name: ADMX_SystemRestore - href: policy-csp-admx-systemrestore.md - - name: ADMX_TabletShell - href: policy-csp-admx-tabletshell.md - - name: ADMX_Taskbar - href: policy-csp-admx-taskbar.md - - name: ADMX_tcpip - href: policy-csp-admx-tcpip.md - - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md - - name: ADMX_Thumbnails - href: policy-csp-admx-thumbnails.md - - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md - - name: ADMX_TPM - href: policy-csp-admx-tpm.md - - name: ADMX_UserExperienceVirtualization - href: policy-csp-admx-userexperiencevirtualization.md - - name: ADMX_UserProfiles - href: policy-csp-admx-userprofiles.md - - name: ADMX_W32Time - href: policy-csp-admx-w32time.md - - name: ADMX_WCM - href: policy-csp-admx-wcm.md - - name: ADMX_WDI - href: policy-csp-admx-wdi.md - - name: ADMX_WinCal - href: policy-csp-admx-wincal.md - - name: ADMX_WindowsConnectNow - href: policy-csp-admx-windowsconnectnow.md - - name: ADMX_WindowsExplorer - href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsMediaDRM - href: policy-csp-admx-windowsmediadrm.md - - name: ADMX_WindowsMediaPlayer - href: policy-csp-admx-windowsmediaplayer.md - - name: ADMX_WindowsRemoteManagement - href: policy-csp-admx-windowsremotemanagement.md - - name: ADMX_WindowsStore - href: policy-csp-admx-windowsstore.md - - name: ADMX_WinInit - href: policy-csp-admx-wininit.md - - name: ADMX_WinLogon - href: policy-csp-admx-winlogon.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - - name: ADMX_wlansvc - href: policy-csp-admx-wlansvc.md - - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md - - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md - - name: ADMX_WPN - href: policy-csp-admx-wpn.md - - name: ApplicationDefaults - href: policy-csp-applicationdefaults.md - - name: ApplicationManagement - href: policy-csp-applicationmanagement.md - - name: AppRuntime - href: policy-csp-appruntime.md - - name: AppVirtualization - href: policy-csp-appvirtualization.md - - name: AttachmentManager - href: policy-csp-attachmentmanager.md - - name: Audit - href: policy-csp-audit.md - - name: Authentication - href: policy-csp-authentication.md - - name: Autoplay - href: policy-csp-autoplay.md - - name: BitLocker - href: policy-csp-bitlocker.md - - name: BITS - href: policy-csp-bits.md - - name: Bluetooth - href: policy-csp-bluetooth.md - - name: Browser - href: policy-csp-browser.md - - name: Camera - href: policy-csp-camera.md - - name: Cellular - href: policy-csp-cellular.md - - name: Connectivity - href: policy-csp-connectivity.md - - name: ControlPolicyConflict - href: policy-csp-controlpolicyconflict.md - - name: CredentialsDelegation - href: policy-csp-credentialsdelegation.md - - name: CredentialProviders - href: policy-csp-credentialproviders.md - - name: CredentialsUI - href: policy-csp-credentialsui.md - - name: Cryptography - href: policy-csp-cryptography.md - - name: DataProtection - href: policy-csp-dataprotection.md - - name: DataUsage - href: policy-csp-datausage.md - - name: Defender - href: policy-csp-defender.md - - name: DeliveryOptimization - href: policy-csp-deliveryoptimization.md - - name: Desktop - href: policy-csp-desktop.md - - name: DeviceGuard - href: policy-csp-deviceguard.md - - name: DeviceHealthMonitoring - href: policy-csp-devicehealthmonitoring.md - - name: DeviceInstallation - href: policy-csp-deviceinstallation.md - - name: DeviceLock - href: policy-csp-devicelock.md - - name: Display - href: policy-csp-display.md - - name: DmaGuard - href: policy-csp-dmaguard.md - - name: EAP - href: policy-csp-eap.md - - name: Education - href: policy-csp-education.md - - name: EnterpriseCloudPrint - href: policy-csp-enterprisecloudprint.md - - name: ErrorReporting - href: policy-csp-errorreporting.md - - name: EventLogService - href: policy-csp-eventlogservice.md - - name: Experience - href: policy-csp-experience.md - - name: ExploitGuard - href: policy-csp-exploitguard.md - - name: Feeds - href: policy-csp-feeds.md - - name: FileExplorer - href: policy-csp-fileexplorer.md - - name: Games - href: policy-csp-games.md - - name: Handwriting - href: policy-csp-handwriting.md - - name: HumanPresence - href: policy-csp-humanpresence.md - - name: InternetExplorer - href: policy-csp-internetexplorer.md - - name: Kerberos - href: policy-csp-kerberos.md - - name: KioskBrowser - href: policy-csp-kioskbrowser.md - - name: LanmanWorkstation - href: policy-csp-lanmanworkstation.md - - name: Licensing - href: policy-csp-licensing.md - - name: LocalPoliciesSecurityOptions - href: policy-csp-localpoliciessecurityoptions.md - - name: LocalUsersAndGroups - href: policy-csp-localusersandgroups.md - - name: LockDown - href: policy-csp-lockdown.md - - name: Maps - href: policy-csp-maps.md - - name: MemoryDump - href: policy-csp-memorydump.md - - name: Messaging - href: policy-csp-messaging.md - - name: MixedReality - href: policy-csp-mixedreality.md - - name: MSSecurityGuide - href: policy-csp-mssecurityguide.md - - name: MSSLegacy - href: policy-csp-msslegacy.md - - name: Multitasking - href: policy-csp-multitasking.md - - name: NetworkIsolation - href: policy-csp-networkisolation.md - - name: NetworkListManager - href: policy-csp-networklistmanager.md - - name: NewsAndInterests - href: policy-csp-newsandinterests.md - - name: Notifications - href: policy-csp-notifications.md - - name: Power - href: policy-csp-power.md - - name: Printers - href: policy-csp-printers.md - - name: Privacy - href: policy-csp-privacy.md - - name: RemoteAssistance - href: policy-csp-remoteassistance.md - - name: RemoteDesktop - href: policy-csp-remotedesktop.md - - name: RemoteDesktopServices - href: policy-csp-remotedesktopservices.md - - name: RemoteManagement - href: policy-csp-remotemanagement.md - - name: RemoteProcedureCall - href: policy-csp-remoteprocedurecall.md - - name: RemoteShell - href: policy-csp-remoteshell.md - - name: RestrictedGroups - href: policy-csp-restrictedgroups.md - - name: Search - href: policy-csp-search.md - - name: Security - href: policy-csp-security.md - - name: ServiceControlManager - href: policy-csp-servicecontrolmanager.md - - name: Settings - href: policy-csp-settings.md - - name: Speech - href: policy-csp-speech.md - - name: Start - href: policy-csp-start.md - - name: Storage - href: policy-csp-storage.md - - name: System - href: policy-csp-system.md - - name: SystemServices - href: policy-csp-systemservices.md - - name: TaskManager - href: policy-csp-taskmanager.md - - name: TaskScheduler - href: policy-csp-taskscheduler.md - - name: TextInput - href: policy-csp-textinput.md - - name: TimeLanguageSettings - href: policy-csp-timelanguagesettings.md - - name: Troubleshooting - href: policy-csp-troubleshooting.md - - name: Update - href: policy-csp-update.md - - name: UserRights - href: policy-csp-userrights.md - - name: VirtualizationBasedTechnology - href: policy-csp-virtualizationbasedtechnology.md - - name: Wifi - href: policy-csp-wifi.md - - name: WindowsAutoPilot - href: policy-csp-windowsautopilot.md - - name: WindowsConnectionManager - href: policy-csp-windowsconnectionmanager.md - - name: WindowsDefenderSecurityCenter - href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - - name: WindowsInkWorkspace - href: policy-csp-windowsinkworkspace.md - - name: WindowsLogon - href: policy-csp-windowslogon.md - - name: WindowsPowerShell - href: policy-csp-windowspowershell.md - - name: WindowsSandbox - href: policy-csp-windowssandbox.md - - name: WirelessDisplay - href: policy-csp-wirelessdisplay.md - - name: Provisioning CSP - href: provisioning-csp.md - - name: PXLOGICAL CSP - href: pxlogical-csp.md - - name: Reboot CSP - href: reboot-csp.md - items: - - name: Reboot DDF file - href: reboot-ddf-file.md - - name: RemoteFind CSP - href: remotefind-csp.md - items: - - name: RemoteFind DDF file - href: remotefind-ddf-file.md - - name: RemoteWipe CSP - href: remotewipe-csp.md - items: - - name: RemoteWipe DDF file - href: remotewipe-ddf-file.md - - name: Reporting CSP - href: reporting-csp.md - items: - - name: Reporting DDF file - href: reporting-ddf-file.md - - name: RootCATrustedCertificates CSP - href: rootcacertificates-csp.md - items: - - name: RootCATrustedCertificates DDF file - href: rootcacertificates-ddf-file.md - - name: SecureAssessment CSP - href: secureassessment-csp.md - items: - - name: SecureAssessment DDF file - href: secureassessment-ddf-file.md - - name: SecurityPolicy CSP - href: securitypolicy-csp.md - - name: SharedPC CSP - href: sharedpc-csp.md - items: - - name: SharedPC DDF file - href: sharedpc-ddf-file.md - - name: Storage CSP - href: storage-csp.md - items: - - name: Storage DDF file - href: storage-ddf-file.md - - name: SUPL CSP - href: supl-csp.md - items: - - name: SUPL DDF file - href: supl-ddf-file.md - - name: SurfaceHub CSP - href: surfacehub-csp.md - items: - - name: SurfaceHub DDF file - href: surfacehub-ddf-file.md - - name: TenantLockdown CSP - href: tenantlockdown-csp.md - items: - - name: TenantLockdown DDF file - href: tenantlockdown-ddf.md - - name: TPMPolicy CSP - href: tpmpolicy-csp.md - items: - - name: TPMPolicy DDF file - href: tpmpolicy-ddf-file.md - - name: UEFI CSP - href: uefi-csp.md - items: - - name: UEFI DDF file - href: uefi-ddf.md - - name: UnifiedWriteFilter CSP - href: unifiedwritefilter-csp.md - items: - - name: UnifiedWriteFilter DDF file - href: unifiedwritefilter-ddf.md - - name: UniversalPrint CSP - href: universalprint-csp.md - items: - - name: UniversalPrint DDF file - href: universalprint-ddf-file.md - - name: Update CSP - href: update-csp.md - items: - - name: Update DDF file - href: update-ddf-file.md - - name: VPN CSP - href: vpn-csp.md - items: - - name: VPN DDF file - href: vpn-ddf-file.md - - name: VPNv2 CSP - href: vpnv2-csp.md - items: - - name: VPNv2 DDF file - href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - - name: EAP configuration - href: eap-configuration.md - - name: w4 APPLICATION CSP - href: w4-application-csp.md - - name: w7 APPLICATION CSP - href: w7-application-csp.md - - name: WiFi CSP - href: wifi-csp.md - items: - - name: WiFi DDF file - href: wifi-ddf-file.md - - name: Win32AppInventory CSP - href: win32appinventory-csp.md - items: - - name: Win32AppInventory DDF file - href: win32appinventory-ddf-file.md - - name: Win32CompatibilityAppraiser CSP - href: win32compatibilityappraiser-csp.md - items: - - name: Win32CompatibilityAppraiser DDF file - href: win32compatibilityappraiser-ddf.md - - name: WindowsAdvancedThreatProtection CSP - href: windowsadvancedthreatprotection-csp.md - items: - - name: WindowsAdvancedThreatProtection DDF file - href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutopilot CSP - href: windowsautopilot-csp.md - items: - - name: WindowsAutopilot DDF file - href: windowsautopilot-ddf-file.md - - name: WindowsDefenderApplicationGuard CSP - href: windowsdefenderapplicationguard-csp.md - items: - - name: WindowsDefenderApplicationGuard DDF file - href: windowsdefenderapplicationguard-ddf-file.md - - name: WindowsLicensing CSP - href: windowslicensing-csp.md - items: - - name: WindowsLicensing DDF file - href: windowslicensing-ddf-file.md - - name: WiredNetwork CSP - href: wirednetwork-csp.md - items: - - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md + - name: Deploy and configure App-V apps using MDM + href: appv-deploy-and-config.md + - name: Management tool for the Microsoft Store for Business + href: management-tool-for-windows-store-for-business.md + - name: REST API reference for Microsoft Store for Business + href: rest-api-reference-windows-store-for-business.md + items: + - name: Data structures for Microsoft Store for Business + href: data-structures-windows-store-for-business.md + - name: Get Inventory + href: get-inventory.md + - name: Get product details + href: get-product-details.md + - name: Get localized product details + href: get-localized-product-details.md + - name: Get offline license + href: get-offline-license.md + - name: Get product packages + href: get-product-packages.md + - name: Get product package + href: get-product-package.md + - name: Get seats + href: get-seats.md + - name: Get seat + href: get-seat.md + - name: Assign seats + href: assign-seats.md + - name: Reclaim seat from user + href: reclaim-seat-from-user.md + - name: Bulk assign and reclaim seats from users + href: bulk-assign-and-reclaim-seats-from-user.md + - name: Get seats assigned to a user + href: get-seats-assigned-to-a-user.md + - name: Mobile device management (MDM) for device updates + href: device-update-management.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md + - name: Certificate renewal + href: certificate-renewal-windows-mdm.md + - name: Using PowerShell scripting with the WMI Bridge Provider + href: using-powershell-scripting-with-the-wmi-bridge-provider.md + - name: WMI providers supported in Windows 10 + href: wmi-providers-supported-in-windows.md + - name: Diagnose MDM failures in Windows 10 + href: diagnose-mdm-failures-in-windows-10.md + - name: Push notification support for device management + href: push-notification-windows-mdm.md + - name: MAM support for device management + href: implement-server-side-mobile-application-management.md + - name: OMA DM protocol support + href: oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: server-requirements-windows-mdm.md + - name: DMProcessConfigXMLFiltered + href: dmprocessconfigxmlfiltered.md + - name: Configuration service provider reference + href: configuration-service-provider-reference.md + items: + - name: AccountManagement CSP + href: accountmanagement-csp.md + items: + - name: AccountManagement DDF file + href: accountmanagement-ddf.md + - name: Accounts CSP + href: accounts-csp.md + items: + - name: Accounts DDF file + href: accounts-ddf-file.md + - name: ActiveSync CSP + href: activesync-csp.md + items: + - name: ActiveSync DDF file + href: activesync-ddf-file.md + - name: AllJoynManagement CSP + href: alljoynmanagement-csp.md + items: + - name: AllJoynManagement DDF + href: alljoynmanagement-ddf.md + - name: APPLICATION CSP + href: application-csp.md + - name: ApplicationControl CSP + href: applicationcontrol-csp.md + items: + - name: ApplicationControl DDF file + href: applicationcontrol-csp-ddf.md + - name: AppLocker CSP + href: applocker-csp.md + items: + - name: AppLocker DDF file + href: applocker-ddf-file.md + - name: AppLocker XSD + href: applocker-xsd.md + - name: AssignedAccess CSP + href: assignedaccess-csp.md + items: + - name: AssignedAccess DDF file + href: assignedaccess-ddf.md + - name: BitLocker CSP + href: bitlocker-csp.md + items: + - name: BitLocker DDF file + href: bitlocker-ddf-file.md + - name: CellularSettings CSP + href: cellularsettings-csp.md + - name: CertificateStore CSP + href: certificatestore-csp.md + items: + - name: CertificateStore DDF file + href: certificatestore-ddf-file.md + - name: CleanPC CSP + href: cleanpc-csp.md + items: + - name: CleanPC DDF + href: cleanpc-ddf.md + - name: ClientCertificateInstall CSP + href: clientcertificateinstall-csp.md + items: + - name: ClientCertificateInstall DDF file + href: clientcertificateinstall-ddf-file.md + - name: CM_CellularEntries CSP + href: cm-cellularentries-csp.md + - name: CMPolicy CSP + href: cmpolicy-csp.md + - name: CMPolicyEnterprise CSP + href: cmpolicyenterprise-csp.md + items: + - name: CMPolicyEnterprise DDF file + href: cmpolicyenterprise-ddf-file.md + - name: CustomDeviceUI CSP + href: customdeviceui-csp.md + items: + - name: CustomDeviceUI DDF file + href: customdeviceui-ddf.md + - name: Defender CSP + href: defender-csp.md + items: + - name: Defender DDF file + href: defender-ddf.md + - name: DevDetail CSP + href: devdetail-csp.md + items: + - name: DevDetail DDF file + href: devdetail-ddf-file.md + - name: DeveloperSetup CSP + href: developersetup-csp.md + items: + - name: DeveloperSetup DDF + href: developersetup-ddf.md + - name: DeviceLock CSP + href: devicelock-csp.md + items: + - name: DeviceLock DDF file + href: devicelock-ddf-file.md + - name: DeviceManageability CSP + href: devicemanageability-csp.md + items: + - name: DeviceManageability DDF + href: devicemanageability-ddf.md + - name: DeviceStatus CSP + href: devicestatus-csp.md + items: + - name: DeviceStatus DDF + href: devicestatus-ddf.md + - name: DevInfo CSP + href: devinfo-csp.md + items: + - name: DevInfo DDF file + href: devinfo-ddf-file.md + - name: DiagnosticLog CSP + href: diagnosticlog-csp.md + items: + - name: DiagnosticLog DDF file + href: diagnosticlog-ddf.md + - name: DMAcc CSP + href: dmacc-csp.md + items: + - name: DMAcc DDF file + href: dmacc-ddf-file.md + - name: DMClient CSP + href: dmclient-csp.md + items: + - name: DMClient DDF file + href: dmclient-ddf-file.md + - name: DMSessionActions CSP + href: dmsessionactions-csp.md + items: + - name: DMSessionActions DDF file + href: dmsessionactions-ddf.md + - name: DynamicManagement CSP + href: dynamicmanagement-csp.md + items: + - name: DynamicManagement DDF file + href: dynamicmanagement-ddf.md + - name: EMAIL2 CSP + href: email2-csp.md + items: + - name: EMAIL2 DDF file + href: email2-ddf-file.md + - name: EnrollmentStatusTracking CSP + href: enrollmentstatustracking-csp.md + items: + - name: EnrollmentStatusTracking DDF file + href: enrollmentstatustracking-csp-ddf.md + - name: EnterpriseAPN CSP + href: enterpriseapn-csp.md + items: + - name: EnterpriseAPN DDF + href: enterpriseapn-ddf.md + - name: EnterpriseAppVManagement CSP + href: enterpriseappvmanagement-csp.md + items: + - name: EnterpriseAppVManagement DDF file + href: enterpriseappvmanagement-ddf.md + - name: EnterpriseDataProtection CSP + href: enterprisedataprotection-csp.md + items: + - name: EnterpriseDataProtection DDF file + href: enterprisedataprotection-ddf-file.md + - name: EnterpriseDesktopAppManagement CSP + href: enterprisedesktopappmanagement-csp.md + items: + - name: EnterpriseDesktopAppManagement DDF + href: enterprisedesktopappmanagement-ddf-file.md + - name: EnterpriseDesktopAppManagement XSD + href: enterprisedesktopappmanagement2-xsd.md + - name: EnterpriseModernAppManagement CSP + href: enterprisemodernappmanagement-csp.md + items: + - name: EnterpriseModernAppManagement DDF + href: enterprisemodernappmanagement-ddf.md + - name: EnterpriseModernAppManagement XSD + href: enterprisemodernappmanagement-xsd.md + - name: eUICCs CSP + href: euiccs-csp.md + items: + - name: eUICCs DDF file + href: euiccs-ddf-file.md + - name: Firewall CSP + href: firewall-csp.md + items: + - name: Firewall DDF file + href: firewall-ddf-file.md + - name: HealthAttestation CSP + href: healthattestation-csp.md + items: + - name: HealthAttestation DDF + href: healthattestation-ddf.md + - name: MultiSIM CSP + href: multisim-csp.md + items: + - name: MultiSIM DDF file + href: multisim-ddf.md + - name: NAP CSP + href: nap-csp.md + - name: NAPDEF CSP + href: napdef-csp.md + - name: NetworkProxy CSP + href: networkproxy-csp.md + items: + - name: NetworkProxy DDF file + href: networkproxy-ddf.md + - name: NetworkQoSPolicy CSP + href: networkqospolicy-csp.md + items: + - name: NetworkQoSPolicy DDF file + href: networkqospolicy-ddf.md + - name: NodeCache CSP + href: nodecache-csp.md + items: + - name: NodeCache DDF file + href: nodecache-ddf-file.md + - name: Office CSP + href: office-csp.md + items: + - name: Office DDF + href: office-ddf.md + - name: PassportForWork CSP + href: passportforwork-csp.md + items: + - name: PassportForWork DDF file + href: passportforwork-ddf.md + - name: Personalization CSP + href: personalization-csp.md + items: + - name: Personalization DDF file + href: personalization-ddf.md + - name: Policy CSP + href: policy-configuration-service-provider.md + items: + - name: Policy CSP DDF file + href: policy-ddf-file.md + - name: Policies in Policy CSP supported by Group Policy + href: policies-in-policy-csp-supported-by-group-policy.md + - name: ADMX policies in Policy CSP + href: policies-in-policy-csp-admx-backed.md + - name: Policies in Policy CSP supported by HoloLens 2 + href: policies-in-policy-csp-supported-by-hololens2.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite + href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition + href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md + - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise + href: ./configuration-service-provider-reference.md + - name: Policies in Policy CSP supported by Windows 10 IoT Core + href: policies-in-policy-csp-supported-by-iot-core.md + - name: Policies in Policy CSP supported by Microsoft Surface Hub + href: policies-in-policy-csp-supported-by-surface-hub.md + - name: Policy CSPs that can be set using Exchange Active Sync (EAS) + href: policies-in-policy-csp-that-can-be-set-using-eas.md + - name: AboveLock + href: policy-csp-abovelock.md + - name: Accounts + href: policy-csp-accounts.md + - name: ActiveXControls + href: policy-csp-activexcontrols.md + - name: ADMX_ActiveXInstallService + href: policy-csp-admx-activexinstallservice.md + - name: ADMX_AddRemovePrograms + href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md + - name: ADMX_AppCompat + href: policy-csp-admx-appcompat.md + - name: ADMX_AppxPackageManager + href: policy-csp-admx-appxpackagemanager.md + - name: ADMX_AppXRuntime + href: policy-csp-admx-appxruntime.md + - name: ADMX_AttachmentManager + href: policy-csp-admx-attachmentmanager.md + - name: ADMX_AuditSettings + href: policy-csp-admx-auditsettings.md + - name: ADMX_Bits + href: policy-csp-admx-bits.md + - name: ADMX_CipherSuiteOrder + href: policy-csp-admx-ciphersuiteorder.md + - name: ADMX_COM + href: policy-csp-admx-com.md + - name: ADMX_ControlPanel + href: policy-csp-admx-controlpanel.md + - name: ADMX_ControlPanelDisplay + href: policy-csp-admx-controlpaneldisplay.md + - name: ADMX_Cpls + href: policy-csp-admx-cpls.md + - name: ADMX_CredentialProviders + href: policy-csp-admx-credentialproviders.md + - name: ADMX_CredSsp + href: policy-csp-admx-credssp.md + - name: ADMX_CredUI + href: policy-csp-admx-credui.md + - name: ADMX_CtrlAltDel + href: policy-csp-admx-ctrlaltdel.md + - name: ADMX_DataCollection + href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md + - name: ADMX_Desktop + href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md + - name: ADMX_DeviceInstallation + href: policy-csp-admx-deviceinstallation.md + - name: ADMX_DeviceSetup + href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md + - name: ADMX_DigitalLocker + href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DistributedLinkTracking + href: policy-csp-admx-distributedlinktracking.md + - name: ADMX_DnsClient + href: policy-csp-admx-dnsclient.md + - name: ADMX_DWM + href: policy-csp-admx-dwm.md + - name: ADMX_EAIME + href: policy-csp-admx-eaime.md + - name: ADMX_EncryptFilesonMove + href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md + - name: ADMX_EnhancedStorage + href: policy-csp-admx-enhancedstorage.md + - name: ADMX_ErrorReporting + href: policy-csp-admx-errorreporting.md + - name: ADMX_EventForwarding + href: policy-csp-admx-eventforwarding.md + - name: ADMX_EventLog + href: policy-csp-admx-eventlog.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md + - name: ADMX_Explorer + href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md + - name: ADMX_FileRecovery + href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md + - name: ADMX_FileServerVSSProvider + href: policy-csp-admx-fileservervssprovider.md + - name: ADMX_FileSys + href: policy-csp-admx-filesys.md + - name: ADMX_FolderRedirection + href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md + - name: ADMX_Globalization + href: policy-csp-admx-globalization.md + - name: ADMX_GroupPolicy + href: policy-csp-admx-grouppolicy.md + - name: ADMX_Help + href: policy-csp-admx-help.md + - name: ADMX_HelpAndSupport + href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md + - name: ADMX_ICM + href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md + - name: ADMX_kdc + href: policy-csp-admx-kdc.md + - name: ADMX_Kerberos + href: policy-csp-admx-kerberos.md + - name: ADMX_LanmanServer + href: policy-csp-admx-lanmanserver.md + - name: ADMX_LanmanWorkstation + href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md + - name: ADMX_LinkLayerTopologyDiscovery + href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md + - name: ADMX_Logon + href: policy-csp-admx-logon.md + - name: ADMX_MicrosoftDefenderAntivirus + href: policy-csp-admx-microsoftdefenderantivirus.md + - name: ADMX_MMC + href: policy-csp-admx-mmc.md + - name: ADMX_MMCSnapins + href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md + - name: ADMX_MSAPolicy + href: policy-csp-admx-msapolicy.md + - name: ADMX_msched + href: policy-csp-admx-msched.md + - name: ADMX_MSDT + href: policy-csp-admx-msdt.md + - name: ADMX_MSI + href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md + - name: ADMX_nca + href: policy-csp-admx-nca.md + - name: ADMX_NCSI + href: policy-csp-admx-ncsi.md + - name: ADMX_Netlogon + href: policy-csp-admx-netlogon.md + - name: ADMX_NetworkConnections + href: policy-csp-admx-networkconnections.md + - name: ADMX_OfflineFiles + href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md + - name: ADMX_PeerToPeerCaching + href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md + - name: ADMX_PerformanceDiagnostics + href: policy-csp-admx-performancediagnostics.md + - name: ADMX_Power + href: policy-csp-admx-power.md + - name: ADMX_PowerShellExecutionPolicy + href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md + - name: ADMX_Printing + href: policy-csp-admx-printing.md + - name: ADMX_Printing2 + href: policy-csp-admx-printing2.md + - name: ADMX_Programs + href: policy-csp-admx-programs.md + - name: ADMX_Reliability + href: policy-csp-admx-reliability.md + - name: ADMX_RemoteAssistance + href: policy-csp-admx-remoteassistance.md + - name: ADMX_RemovableStorage + href: policy-csp-admx-removablestorage.md + - name: ADMX_RPC + href: policy-csp-admx-rpc.md + - name: ADMX_Scripts + href: policy-csp-admx-scripts.md + - name: ADMX_sdiageng + href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md + - name: ADMX_Securitycenter + href: policy-csp-admx-securitycenter.md + - name: ADMX_Sensors + href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md + - name: ADMX_Servicing + href: policy-csp-admx-servicing.md + - name: ADMX_SettingSync + href: policy-csp-admx-settingsync.md + - name: ADMX_SharedFolders + href: policy-csp-admx-sharedfolders.md + - name: ADMX_Sharing + href: policy-csp-admx-sharing.md + - name: ADMX_ShellCommandPromptRegEditTools + href: policy-csp-admx-shellcommandpromptregedittools.md + - name: ADMX_Smartcard + href: policy-csp-admx-smartcard.md + - name: ADMX_Snmp + href: policy-csp-admx-snmp.md + - name: ADMX_StartMenu + href: policy-csp-admx-startmenu.md + - name: ADMX_SystemRestore + href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md + - name: ADMX_Taskbar + href: policy-csp-admx-taskbar.md + - name: ADMX_tcpip + href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md + - name: ADMX_Thumbnails + href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md + - name: ADMX_TPM + href: policy-csp-admx-tpm.md + - name: ADMX_UserExperienceVirtualization + href: policy-csp-admx-userexperiencevirtualization.md + - name: ADMX_UserProfiles + href: policy-csp-admx-userprofiles.md + - name: ADMX_W32Time + href: policy-csp-admx-w32time.md + - name: ADMX_WCM + href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md + - name: ADMX_WinCal + href: policy-csp-admx-wincal.md + - name: ADMX_WindowsConnectNow + href: policy-csp-admx-windowsconnectnow.md + - name: ADMX_WindowsExplorer + href: policy-csp-admx-windowsexplorer.md + - name: ADMX_WindowsMediaDRM + href: policy-csp-admx-windowsmediadrm.md + - name: ADMX_WindowsMediaPlayer + href: policy-csp-admx-windowsmediaplayer.md + - name: ADMX_WindowsRemoteManagement + href: policy-csp-admx-windowsremotemanagement.md + - name: ADMX_WindowsStore + href: policy-csp-admx-windowsstore.md + - name: ADMX_WinInit + href: policy-csp-admx-wininit.md + - name: ADMX_WinLogon + href: policy-csp-admx-winlogon.md + - name: ADMX-Winsrv + href: policy-csp-admx-winsrv.md + - name: ADMX_wlansvc + href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md + - name: ADMX_WPN + href: policy-csp-admx-wpn.md + - name: ApplicationDefaults + href: policy-csp-applicationdefaults.md + - name: ApplicationManagement + href: policy-csp-applicationmanagement.md + - name: AppRuntime + href: policy-csp-appruntime.md + - name: AppVirtualization + href: policy-csp-appvirtualization.md + - name: AttachmentManager + href: policy-csp-attachmentmanager.md + - name: Audit + href: policy-csp-audit.md + - name: Authentication + href: policy-csp-authentication.md + - name: Autoplay + href: policy-csp-autoplay.md + - name: BitLocker + href: policy-csp-bitlocker.md + - name: BITS + href: policy-csp-bits.md + - name: Bluetooth + href: policy-csp-bluetooth.md + - name: Browser + href: policy-csp-browser.md + - name: Camera + href: policy-csp-camera.md + - name: Cellular + href: policy-csp-cellular.md + - name: Connectivity + href: policy-csp-connectivity.md + - name: ControlPolicyConflict + href: policy-csp-controlpolicyconflict.md + - name: CredentialsDelegation + href: policy-csp-credentialsdelegation.md + - name: CredentialProviders + href: policy-csp-credentialproviders.md + - name: CredentialsUI + href: policy-csp-credentialsui.md + - name: Cryptography + href: policy-csp-cryptography.md + - name: DataProtection + href: policy-csp-dataprotection.md + - name: DataUsage + href: policy-csp-datausage.md + - name: Defender + href: policy-csp-defender.md + - name: DeliveryOptimization + href: policy-csp-deliveryoptimization.md + - name: Desktop + href: policy-csp-desktop.md + - name: DeviceGuard + href: policy-csp-deviceguard.md + - name: DeviceHealthMonitoring + href: policy-csp-devicehealthmonitoring.md + - name: DeviceInstallation + href: policy-csp-deviceinstallation.md + - name: DeviceLock + href: policy-csp-devicelock.md + - name: Display + href: policy-csp-display.md + - name: DmaGuard + href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md + - name: Education + href: policy-csp-education.md + - name: EnterpriseCloudPrint + href: policy-csp-enterprisecloudprint.md + - name: ErrorReporting + href: policy-csp-errorreporting.md + - name: EventLogService + href: policy-csp-eventlogservice.md + - name: Experience + href: policy-csp-experience.md + - name: ExploitGuard + href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md + - name: FileExplorer + href: policy-csp-fileexplorer.md + - name: Games + href: policy-csp-games.md + - name: Handwriting + href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md + - name: InternetExplorer + href: policy-csp-internetexplorer.md + - name: Kerberos + href: policy-csp-kerberos.md + - name: KioskBrowser + href: policy-csp-kioskbrowser.md + - name: LanmanWorkstation + href: policy-csp-lanmanworkstation.md + - name: Licensing + href: policy-csp-licensing.md + - name: LocalPoliciesSecurityOptions + href: policy-csp-localpoliciessecurityoptions.md + - name: LocalUsersAndGroups + href: policy-csp-localusersandgroups.md + - name: LockDown + href: policy-csp-lockdown.md + - name: Maps + href: policy-csp-maps.md + - name: MemoryDump + href: policy-csp-memorydump.md + - name: Messaging + href: policy-csp-messaging.md + - name: MixedReality + href: policy-csp-mixedreality.md + - name: MSSecurityGuide + href: policy-csp-mssecurityguide.md + - name: MSSLegacy + href: policy-csp-msslegacy.md + - name: Multitasking + href: policy-csp-multitasking.md + - name: NetworkIsolation + href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md + - name: NewsAndInterests + href: policy-csp-newsandinterests.md + - name: Notifications + href: policy-csp-notifications.md + - name: Power + href: policy-csp-power.md + - name: Printers + href: policy-csp-printers.md + - name: Privacy + href: policy-csp-privacy.md + - name: RemoteAssistance + href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md + - name: RemoteDesktopServices + href: policy-csp-remotedesktopservices.md + - name: RemoteManagement + href: policy-csp-remotemanagement.md + - name: RemoteProcedureCall + href: policy-csp-remoteprocedurecall.md + - name: RemoteShell + href: policy-csp-remoteshell.md + - name: RestrictedGroups + href: policy-csp-restrictedgroups.md + - name: Search + href: policy-csp-search.md + - name: Security + href: policy-csp-security.md + - name: ServiceControlManager + href: policy-csp-servicecontrolmanager.md + - name: Settings + href: policy-csp-settings.md + - name: Speech + href: policy-csp-speech.md + - name: Start + href: policy-csp-start.md + - name: Storage + href: policy-csp-storage.md + - name: System + href: policy-csp-system.md + - name: SystemServices + href: policy-csp-systemservices.md + - name: TaskManager + href: policy-csp-taskmanager.md + - name: TaskScheduler + href: policy-csp-taskscheduler.md + - name: TextInput + href: policy-csp-textinput.md + - name: TimeLanguageSettings + href: policy-csp-timelanguagesettings.md + - name: Troubleshooting + href: policy-csp-troubleshooting.md + - name: Update + href: policy-csp-update.md + - name: UserRights + href: policy-csp-userrights.md + - name: VirtualizationBasedTechnology + href: policy-csp-virtualizationbasedtechnology.md + - name: Wifi + href: policy-csp-wifi.md + - name: WindowsAutoPilot + href: policy-csp-windowsautopilot.md + - name: WindowsConnectionManager + href: policy-csp-windowsconnectionmanager.md + - name: WindowsDefenderSecurityCenter + href: policy-csp-windowsdefendersecuritycenter.md + - name: WindowsDefenderSmartScreen + href: policy-csp-smartscreen.md + - name: WindowsInkWorkspace + href: policy-csp-windowsinkworkspace.md + - name: WindowsLogon + href: policy-csp-windowslogon.md + - name: WindowsPowerShell + href: policy-csp-windowspowershell.md + - name: WindowsSandbox + href: policy-csp-windowssandbox.md + - name: WirelessDisplay + href: policy-csp-wirelessdisplay.md + - name: Provisioning CSP + href: provisioning-csp.md + - name: PXLOGICAL CSP + href: pxlogical-csp.md + - name: Reboot CSP + href: reboot-csp.md + items: + - name: Reboot DDF file + href: reboot-ddf-file.md + - name: RemoteFind CSP + href: remotefind-csp.md + items: + - name: RemoteFind DDF file + href: remotefind-ddf-file.md + - name: RemoteWipe CSP + href: remotewipe-csp.md + items: + - name: RemoteWipe DDF file + href: remotewipe-ddf-file.md + - name: Reporting CSP + href: reporting-csp.md + items: + - name: Reporting DDF file + href: reporting-ddf-file.md + - name: RootCATrustedCertificates CSP + href: rootcacertificates-csp.md + items: + - name: RootCATrustedCertificates DDF file + href: rootcacertificates-ddf-file.md + - name: SecureAssessment CSP + href: secureassessment-csp.md + items: + - name: SecureAssessment DDF file + href: secureassessment-ddf-file.md + - name: SecurityPolicy CSP + href: securitypolicy-csp.md + - name: SharedPC CSP + href: sharedpc-csp.md + items: + - name: SharedPC DDF file + href: sharedpc-ddf-file.md + - name: Storage CSP + href: storage-csp.md + items: + - name: Storage DDF file + href: storage-ddf-file.md + - name: SUPL CSP + href: supl-csp.md + items: + - name: SUPL DDF file + href: supl-ddf-file.md + - name: SurfaceHub CSP + href: surfacehub-csp.md + items: + - name: SurfaceHub DDF file + href: surfacehub-ddf-file.md + - name: TenantLockdown CSP + href: tenantlockdown-csp.md + items: + - name: TenantLockdown DDF file + href: tenantlockdown-ddf.md + - name: TPMPolicy CSP + href: tpmpolicy-csp.md + items: + - name: TPMPolicy DDF file + href: tpmpolicy-ddf-file.md + - name: UEFI CSP + href: uefi-csp.md + items: + - name: UEFI DDF file + href: uefi-ddf.md + - name: UnifiedWriteFilter CSP + href: unifiedwritefilter-csp.md + items: + - name: UnifiedWriteFilter DDF file + href: unifiedwritefilter-ddf.md + - name: UniversalPrint CSP + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md + - name: Update CSP + href: update-csp.md + items: + - name: Update DDF file + href: update-ddf-file.md + - name: VPN CSP + href: vpn-csp.md + items: + - name: VPN DDF file + href: vpn-ddf-file.md + - name: VPNv2 CSP + href: vpnv2-csp.md + items: + - name: VPNv2 DDF file + href: vpnv2-ddf-file.md + - name: ProfileXML XSD + href: vpnv2-profile-xsd.md + - name: EAP configuration + href: eap-configuration.md + - name: w4 APPLICATION CSP + href: w4-application-csp.md + - name: w7 APPLICATION CSP + href: w7-application-csp.md + - name: WiFi CSP + href: wifi-csp.md + items: + - name: WiFi DDF file + href: wifi-ddf-file.md + - name: Win32AppInventory CSP + href: win32appinventory-csp.md + items: + - name: Win32AppInventory DDF file + href: win32appinventory-ddf-file.md + - name: Win32CompatibilityAppraiser CSP + href: win32compatibilityappraiser-csp.md + items: + - name: Win32CompatibilityAppraiser DDF file + href: win32compatibilityappraiser-ddf.md + - name: WindowsAdvancedThreatProtection CSP + href: windowsadvancedthreatprotection-csp.md + items: + - name: WindowsAdvancedThreatProtection DDF file + href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutopilot CSP + href: windowsautopilot-csp.md + items: + - name: WindowsAutopilot DDF file + href: windowsautopilot-ddf-file.md + - name: WindowsDefenderApplicationGuard CSP + href: windowsdefenderapplicationguard-csp.md + items: + - name: WindowsDefenderApplicationGuard DDF file + href: windowsdefenderapplicationguard-ddf-file.md + - name: WindowsLicensing CSP + href: windowslicensing-csp.md + items: + - name: WindowsLicensing DDF file + href: windowslicensing-ddf-file.md + - name: WiredNetwork CSP + href: wirednetwork-csp.md + items: + - name: WiredNetwork DDF file + href: wirednetwork-ddf-file.md From cce13d6a47c9f5f106bb53576b3d764307217cd3 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 05:35:44 +0530 Subject: [PATCH 29/77] Updated-6247330 Converted DO FAQ to YAML and added to the TOC. --- windows/deployment/do/TOC.yml | 4 +- ... => waas-delivery-optimization-faq-old.md} | 0 .../update/waas-delivery-optimization-faq.yml | 105 ++++++++++++++++++ 3 files changed, 108 insertions(+), 1 deletion(-) rename windows/deployment/update/{waas-delivery-optimization-faq.md => waas-delivery-optimization-faq-old.md} (100%) create mode 100644 windows/deployment/update/waas-delivery-optimization-faq.yml diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index ba824d08fb..5a0793025d 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -7,7 +7,9 @@ href: waas-delivery-optimization.md - name: What's new href: whats-new-do.md - + - name: Delivery Optimization Frequently Asked Questions + href: waas-delivery-optimization-faq.yml + - name: Configure Delivery Optimization diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq-old.md similarity index 100% rename from windows/deployment/update/waas-delivery-optimization-faq.md rename to windows/deployment/update/waas-delivery-optimization-faq-old.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.yml b/windows/deployment/update/waas-delivery-optimization-faq.yml new file mode 100644 index 0000000000..956bf2799c --- /dev/null +++ b/windows/deployment/update/waas-delivery-optimization-faq.yml @@ -0,0 +1,105 @@ +### YamlMime:FAQ +metadata: + title: Delivery Optimization Frequently Asked Questions + description: The following is a list of frequently asked questions for Delivery Optimization. + ms.assetid: c40f87ac-17d3-47b2-afc6-6c641f72ecee + ms.reviewer: aaroncz + ms.prod: m365-security + ms.mktglfcycl: explore + ms.sitesec: library + ms.pagetype: security + ms.localizationpriority: medium + author: carmenf + ms.author: carmenf + manager: dougeby + audience: ITPro + ms.collection: + - M365-security-compliance + - highpri + ms.topic: faq + ms.date: 08/04/2022 + ms.custom: seo-marvel-apr2020 +title: Delivery Optimization Frequently Asked Questions +summary: | + **Applies to** + - Windows 10 + - Windows 11 + + +sections: + - name: Ignored + questions: + - question: Does Delivery Optimization work with WSUS? + answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + + - question: Which ports does Delivery Optimization use? + answer: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + + Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + + - question: What are the requirements if I use a proxy? + answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). + + - question: What hostnames should I allow through my firewall to support Delivery Optimization? + answer: | + **For communication between clients and the Delivery Optimization cloud service**: + + - `*.do.dsp.mp.microsoft.com` + + **For Delivery Optimization metadata**: + + - `*.dl.delivery.mp.microsoft.com` + - `*.emdl.ws.microsoft.com` + + **For the payloads (optional)**: + + - `*.download.windowsupdate.com` + - `*.windowsupdate.com` + + **For group peers across multiple NATs (Teredo)**: + + - `win1910.ipv6.microsoft.com` + + - question: Does Delivery Optimization use multicast? + answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + + - question: How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? + answer: Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + + - question: How does Delivery Optimization handle VPNs? + answer: | + Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + + If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + + If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + + With split tunneling, make sure to allow direct access to these endpoints: + + Delivery Optimization service endpoint: + + - `https://*.prod.do.dsp.mp.microsoft.com` + + Delivery Optimization metadata: + + - `http://emdl.ws.microsoft.com` + - `http://*.dl.delivery.mp.microsoft.com` + + Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + + - `http://*.windowsupdate.com` + - `https://*.delivery.mp.microsoft.com` + - `https://*.update.microsoft.com` + - `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + + For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + + - question: How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? + answer: | + Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. + + > [!NOTE] + > If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. + From 79fd24833da09dc0a528b0761fda5e98dc1db312 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 05:43:38 +0530 Subject: [PATCH 30/77] Updated-6247330 File path updated. --- .../deployment/{update => do}/waas-delivery-optimization-faq.yml | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename windows/deployment/{update => do}/waas-delivery-optimization-faq.yml (100%) diff --git a/windows/deployment/update/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml similarity index 100% rename from windows/deployment/update/waas-delivery-optimization-faq.yml rename to windows/deployment/do/waas-delivery-optimization-faq.yml From c31abe9f41b951afc2dc1995aabf55c657bb4242 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 06:01:01 +0530 Subject: [PATCH 31/77] Updated-6247330 Updated links to address PR Warnings. --- windows/deployment/do/TOC.yml | 2 +- windows/deployment/do/delivery-optimization-endpoints.md | 2 +- windows/deployment/do/index.yml | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/TOC.yml b/windows/deployment/do/TOC.yml index 30533f66b8..72ef0f8a71 100644 --- a/windows/deployment/do/TOC.yml +++ b/windows/deployment/do/TOC.yml @@ -19,7 +19,7 @@ - name: Windows Delivery Optimization settings href: waas-delivery-optimization-setup.md#recommended-delivery-optimization-settings - name: Windows Delivery Optimization Frequently Asked Questions - href: ../update/waas-delivery-optimization-faq.md + href: ../do/waas-delivery-optimization-faq.yml - name: Configure Microsoft Endpoint Manager items: - name: Delivery Optimization settings in Microsoft Intune diff --git a/windows/deployment/do/delivery-optimization-endpoints.md b/windows/deployment/do/delivery-optimization-endpoints.md index da591eeadd..984e7fd026 100644 --- a/windows/deployment/do/delivery-optimization-endpoints.md +++ b/windows/deployment/do/delivery-optimization-endpoints.md @@ -33,5 +33,5 @@ This article lists the endpoints that need to be allowed through the firewall to | *.statics.teams.cdn.office.net | HTTP / 80
    HTTPs / 443 | Teams | | Microsoft Endpoint Configuration Manager Distribution Point | | *.assets1.xboxlive.com, *.assets2.xboxlive.com, *.dlassets.xboxlive.com, *.dlassets2.xboxlive.com, *.d1.xboxlive.com, *.d2.xboxlive.com, *.assets.xbox.com, *.xbl-dlassets-origin.xboxlive.com, *.assets-origin.xboxlive.com, *.xvcb1.xboxlive.com, *.xvcb2.xboxlive.com, *.xvcf1.xboxlive.com, *.xvcf2.xboxlive.com | HTTP / 80 | Xbox | | Microsoft Endpoint Configuration Manager Distribution Point | | *.tlu.dl.adu.microsoft.com, *.nlu.dl.adu.microsoft.com, *.dcsfe.prod.adu.microsoft.com | HTTP / 80 | Device Update | [Complete list](/azure/iot-hub-device-update/) of endpoints for Device Update updates. | Microsoft Endpoint Configuration Manager Distribution Point | -| *.do.dsp.mp.microsoft.com | HTTP / 80
    HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../update/waas-delivery-optimization-faq.md#what-hostnames-should-i-allow-through-my-firewall-to-support-delivery-optimization) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | +| *.do.dsp.mp.microsoft.com | HTTP / 80
    HTTPs / 443 | Microsoft Connected Cache -> Delivery Optimization Services communication | [Complete list](../do/waas-delivery-optimization-faq.yml) of endpoints for Delivery Optimization only. | Microsoft Connected Cache Managed in Azure | | *.azure-devices.net, *.global.azure-devices-provisioning.net, *.azurecr.io, *.blob.core.windows.net, *.mcr.microsoft.com | AMQP / 5671
    MQTT / 8883
    HTTPs / 443 | IoT Edge / IoT Hub communication| [Complete list](/azure/iot-hub/iot-hub-devguide-protocols) of Azure IoT Hub communication protocols and ports. [Azure IoT Guide](/azure/iot-hub/iot-hub-devguide-endpoints) to understanding Azure IoT Hub endpoints. | Microsoft Connected Cache Managed in Azure | diff --git a/windows/deployment/do/index.yml b/windows/deployment/do/index.yml index a2db6aedca..85d6ee2703 100644 --- a/windows/deployment/do/index.yml +++ b/windows/deployment/do/index.yml @@ -49,7 +49,7 @@ landingContent: - text: Troubleshoot Delivery Optimization url: waas-delivery-optimization-setup.md#troubleshooting - text: Delivery Optimization Frequently Asked Questions - url: ../update/waas-delivery-optimization-faq.md + url: ../do/waas-delivery-optimization-faq.yml - text: Submit feedback url: https://support.microsoft.com/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332 From e0a893a2d91929c1107e89b73a5b5e71c9bfc231 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Thu, 4 Aug 2022 06:14:25 +0530 Subject: [PATCH 32/77] Updated-6247330 Indentation changes made to separate sentences in the paragraph. --- windows/deployment/do/waas-delivery-optimization-faq.yml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/windows/deployment/do/waas-delivery-optimization-faq.yml b/windows/deployment/do/waas-delivery-optimization-faq.yml index 956bf2799c..0fe613a87a 100644 --- a/windows/deployment/do/waas-delivery-optimization-faq.yml +++ b/windows/deployment/do/waas-delivery-optimization-faq.yml @@ -33,11 +33,12 @@ sections: answer: Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - question: Which ports does Delivery Optimization use? - answer: Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + answer: | + Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - question: What are the requirements if I use a proxy? answer: For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). @@ -62,6 +63,8 @@ sections: - `win1910.ipv6.microsoft.com` + For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. + - question: Does Delivery Optimization use multicast? answer: No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. From 076f9e4d8db25a7ef6b548af0e9564185c2d4733 Mon Sep 17 00:00:00 2001 From: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Date: Thu, 4 Aug 2022 08:22:57 -0400 Subject: [PATCH 33/77] Removed latest what's new due to bug modified: education/windows/set-up-school-pcs-whats-new.md --- .../windows/set-up-school-pcs-whats-new.md | 29 +++++-------------- 1 file changed, 7 insertions(+), 22 deletions(-) diff --git a/education/windows/set-up-school-pcs-whats-new.md b/education/windows/set-up-school-pcs-whats-new.md index 1b582619a9..a22f1755e4 100644 --- a/education/windows/set-up-school-pcs-whats-new.md +++ b/education/windows/set-up-school-pcs-whats-new.md @@ -9,22 +9,13 @@ ms.pagetype: edu ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 08/31/2020 -ms.reviewer: +ms.date: 08/04/2022 +ms.reviewer: paoloma manager: dansimp --- # What's new in Set up School PCs -Learn what’s new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases. - -## Week of July 25, 2022 - -### Reimage option for Windows 11 SE -Set up School PCs has added an option to reimage your Windows SE devices during the creation of a provisioning package. Previously, the process to reimage a device was specific to the OEM and required technical knowledge. The new reimaging feature in SUSPCs provides a unified way for all OEMs, using a simple and easy solution. Now you can plug in your USB stick with a Windows 11 SE image and a provisioning package on it, and your device will be reimaged before the provisioning package is installed on that device. - -Note: If after you have reimaged the device, you notice there are missing drivers, the IT admin should manually add those drivers to the image. The SUSPC reimaging tool has been tested on Surface SE devices, but since there are a variety of SE devices, the SUSPC reimage tool has not been tested on all SE devices. Contact your OEM to learn more about the necessary drivers. - -The option to reimage by getting the image from an OEM is still viable. +Learn what's new with the Set up School PCs app each week. Find out about new app features and functionality, see updated screenshots, and find information about past releases. ## Week of August 24, 2020 @@ -34,8 +25,7 @@ You can now give devices running Windows 10, version 2004 and later a name that' ## Week of September 23, 2019 ### Easier way to deploy Office 365 to your classroom devices - Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams. - + Microsoft Office now appears as an option on the **Apps** screen. Select the app to add it to your provisioning package. Devices install Microsoft 365 Apps for enterprise. This version includes the cloud-connected and most current versions of apps such as Word, PowerPoint, Excel, and Teams. ## Week of June 24, 2019 @@ -108,15 +98,10 @@ The Skype and Messaging apps are part of a selection of apps that are, by defaul ## Next steps -Learn how to create provisioning packages and set up devices in the app. +Learn how to create provisioning packages and set up devices in the app. * [What's in my provisioning package?](set-up-school-pcs-provisioning-package.md) * [Shared PC mode for schools](set-up-school-pcs-shared-pc-mode.md) * [Set up School PCs technical reference](set-up-school-pcs-technical.md) -* [Set up Windows 10 devices for education](set-up-windows-10.md) - -When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). - - - - +* [Set up Windows 10 devices for education](set-up-windows-10.md) +When you're ready to create and apply your provisioning package, see [Use Set up School PCs app](use-set-up-school-pcs-app.md). \ No newline at end of file From f282e2e388d3e65e9b170a3f4f9938176edce166 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Tue, 26 Apr 2022 12:02:41 +0530 Subject: [PATCH 34/77] Acrolinx enhancement --- .../client-management/windows-libraries.md | 32 ++++++------- .../windows-version-search.md | 9 ++-- ...changes-to-start-policies-in-windows-10.md | 30 ++++++------ .../configure-windows-10-taskbar.md | 22 +++++---- .../cortana-at-work/cortana-at-work-crm.md | 2 +- .../cortana-at-work-feedback.md | 4 +- .../cortana-at-work/cortana-at-work-o365.md | 4 +- .../cortana-at-work-overview.md | 16 +++---- .../cortana-at-work-scenario-2.md | 2 +- .../cortana-at-work-scenario-4.md | 2 +- .../cortana-at-work-scenario-6.md | 2 +- .../cortana-at-work-scenario-7.md | 2 +- .../cortana-at-work-voice-commands.md | 4 +- .../set-up-and-test-cortana-in-windows-10.md | 12 ++--- .../cortana-at-work/test-scenario-6.md | 2 +- ...ation-user-model-id-of-an-installed-app.md | 2 +- .../guidelines-for-assigned-access-app.md | 46 ++++++++----------- windows/configuration/index.yml | 2 +- windows/configuration/kiosk-methods.md | 2 +- windows/configuration/kiosk-policies.md | 6 +-- 20 files changed, 102 insertions(+), 101 deletions(-) diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md index 16ef254939..ffa5ea88a4 100644 --- a/windows/client-management/windows-libraries.md +++ b/windows/client-management/windows-libraries.md @@ -29,21 +29,21 @@ Windows libraries are backed by full content search and rich metadata. Libraries ## Features for Administrators -Administrators can configure and control Windows libraries in the following ways: +Administrators can configure and control Windows libraries in the following methods: - Create custom libraries by creating and deploying Library Description (*.library-ms) files. -- Hide or delete the default libraries. (The Library node itself cannot be hidden or deleted from the Windows Explorer navigation pane.) +- Hide or delete the default libraries. (The Library node itself can't be hidden or deleted from the Windows Explorer navigation pane.) - Specify a set of libraries available to Default User, and then deploy those libraries to users that derive from Default User. - Specify locations to include in a library. - Remove a default location from a library. -- Remove advanced libraries features, when the environment does not support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) Group Policy. This makes all libraries basic (see [Indexing Requirements and Basic Libraries](/previous-versions/windows/it-pro/windows-7/dd744693(v=ws.10)#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. +- Remove advanced libraries features, when the environment doesn't support the local caching of files, by using the [Turn off Windows Libraries features that rely on indexed file data](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) Group Policy. This method makes all libraries basic (see [Indexing Requirements and Basic Libraries](/previous-versions/windows/it-pro/windows-7/dd744693(v=ws.10)#WS_IndexingReqs_BasicLibraries)), removes libraries from the scope of the Start menu search, and removes other features to avoid confusing users and consuming resources. ## More about Libraries -The following is important information about libraries you may need to understand to successfully manage your enterprise. +The following information is important in the context of libraries you may need to understand to successfully manage your enterprise. ### Library Contents -Including a folder in a library does not physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files. +Including a folder in a library doesn't physically move or change the storage location of the files or folders; the library is a view into those folders. However, users interacting with files in a library are copying, moving, and deleting the files themselves, not copies of these files. ### Default Libraries and Known Folders @@ -57,35 +57,35 @@ Libraries are built upon the legacy known folders (such as My Documents, My Pict ### Hiding Default Libraries -Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane cannot be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they do not exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. +Users or administrators can hide or delete the default libraries, though the libraries node in the Navigation pane can't be hidden or deleted. Hiding a default library is preferable to deleting it, as applications like Windows Media Player rely on the default libraries and will re-create them if they don't exist on the computer. See [How to Hide Default Libraries](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_HideDefaultLibraries) for instructions. ### Default Save Locations for Libraries Each library has a default save location. Files are saved or copied to this location if the user chooses to save or copy a file to a library, rather than a specific location within the library. Known folders are the default save locations; however, users can select a different save location. -If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations cannot be saved to, then the save operation fails. +If the user removes the default save location from a library, the next location is automatically selected as the new default save location. If the library is empty of locations or if all included locations can't be saved to, then the save operation fails. ### Indexing Requirements and “Basic” Libraries -Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing is not enabled for one or more locations within a library, the entire library reverts to basic functionality: +Certain library features depend on the contents of the libraries being indexed. Library locations must be available for local indexing or be indexed in a manner conforming to the Windows Indexing Protocol. If indexing isn't enabled for one or more locations within a library, the entire library reverts to basic functionality: - No support for metadata browsing via **Arrange By** views. - Grep-only searches. - Grep-only search suggestions. The only properties available for input suggestions are **Date Modified** and **Size**. -- No support for searching from the Start menu. Start menu searches do not return files from basic libraries. +- No support for searching from the Start menu. Start menu searches don't return files from basic libraries. - No previews of file snippets for search results returned in Content mode. -To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that are not indexed remotely can be added to the local index using Offline File synchronization. This gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations which are not indexed remotely and are not using folder redirection to gain the benefits of being indexed locally. +To avoid this limited functionality, all locations within the library must be indexable, either locally or remotely. When users add local folders to libraries, Windows adds the location to the indexing scope and indexes the contents. Remote locations that aren't indexed remotely can be added to the local index using Offline File synchronization. This feature gives the user the benefits of local storage even though the location is remote. Making a folder “Always available offline” creates a local copy of the folder’s files, adds those files to the index, and keeps the local and remote copies in sync. Users can manually sync locations that aren't indexed remotely and aren't using folder redirection to gain the benefits of being indexed locally. For instructions on enabling indexing, see [How to Enable Indexing of Library Locations](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)#BKMK_EnableIndexLocations). -If your environment does not support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) data Group Policy. This makes all libraries basic. For further information, see [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)). +If your environment doesn't support caching files locally, you should enable the [Turn off Windows Libraries features that rely on indexed file](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)#WS_TurnOffWindowsLibraries) data Group Policy. This enablement makes all libraries basic. For more information, see [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)). ### Folder Redirection -While library files themselves cannot be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. +While library files themselves can't be redirected, you can redirect known folders included in libraries by using [Folder Redirection](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh848267(v=ws.11)). For example, you can redirect the “My Documents” folder, which is included in the default Documents library. When redirecting known folders, you should make sure that the destination is either indexed or always available offline in order to maintain full library functionality. In both cases, the files for the destination folder are indexed and supported in libraries. These settings are configured on the server side. ### Supported storage locations -The following table show which locations are supported in Windows libraries. +The following table shows which locations are supported in Windows libraries. |Supported Locations|Unsupported Locations| |---|---| @@ -98,8 +98,8 @@ The following table show which locations are supported in Windows libraries. - Expected maximum load is four concurrent query requests. - Expected indexing corpus is a maximum of one million documents. -- Users directly access the server. That is, the server is not made available through DFS Namespaces. -- Users are not redirected to another server in case of failure. That is, server clusters are not used. +- Users directly access the server. That is, the server isn't made available through DFS Namespaces. +- Users aren't redirected to another server if there's a failure. That is, server clusters aren't used. ### Library Attributes @@ -122,7 +122,7 @@ See the [Library Description Schema](/windows/win32/shell/library-schema-entry) - [Federated Search Features](/previous-versions/windows/it-pro/windows-7/dd744682(v=ws.10)) - [Administrative How-to Guides](/previous-versions/windows/it-pro/windows-7/ee461108(v=ws.10)) - [Group Policy for Windows Search, Browse, and Organize](/previous-versions/windows/it-pro/windows-7/dd744697(v=ws.10)) -- [Additional Resources for Windows Search, Browse, and Organization](/previous-versions/windows/it-pro/windows-7/dd744695(v=ws.10)) +- [More Resources for Windows Search, Browse, and Organization](/previous-versions/windows/it-pro/windows-7/dd744695(v=ws.10)) ### Other resources diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md index 462b458840..ee3d39847a 100644 --- a/windows/client-management/windows-version-search.md +++ b/windows/client-management/windows-version-search.md @@ -1,7 +1,10 @@ --- title: What version of Windows am I running? -description: Discover which version of Windows you are running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. +description: Discover which version of Windows you're running to determine whether or not your device is enrolled in the Long-Term Servicing Channel or General Availability Channel. +keywords: Long-Term Servicing Channel, LTSC, LTSB, General Availability Channel, GAC, Windows, version, OS Build ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library author: dansimp ms.author: dansimp ms.date: 04/30/2018 @@ -12,7 +15,7 @@ ms.topic: troubleshooting # What version of Windows am I running? -To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (GA Channel) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. +To determine if your device is enrolled in the [Long-Term Servicing Channel](/windows/deployment/update/waas-overview#servicing-channels) (LTSC, formerly LTSB) or the [General Availability Channel](/windows/deployment/update/waas-overview#servicing-channels) (SAC) you'll need to know what version of Windows 10 you're running. There are a few ways to figure this out. Each method provides a different set of details, so it’s useful to learn about all of them. ## System Properties Click **Start** > **Settings** > **System** > click **About** from the bottom of the left-hand menu @@ -22,7 +25,7 @@ You'll now see **Edition**, **Version**, and **OS Build** information. Something ![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png) ## Using Keyword Search -You can simply type the following in the search bar and press **ENTER** to see version details for your device. +You can type the following in the search bar and press **ENTER** to see version details for your device. **“winver”** diff --git a/windows/configuration/changes-to-start-policies-in-windows-10.md b/windows/configuration/changes-to-start-policies-in-windows-10.md index aa66136bfb..eb7ef825c6 100644 --- a/windows/configuration/changes-to-start-policies-in-windows-10.md +++ b/windows/configuration/changes-to-start-policies-in-windows-10.md @@ -28,27 +28,27 @@ These policy settings are available in **Administrative Templates\\Start Menu an |Policy|Notes| |--- |--- | |Clear history of recently opened documents on exit|Documents that the user opens are tracked during the session. When the user signs off, the history of opened documents is deleted.| -|Do not allow pinning items in Jump Lists|Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.| -|Do not display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.| -|Do not keep history of recently opened documents|Documents that the user opens are not tracked during the session.| -|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this disables all of the settings in **Settings** > **Personalization** > **Start** as well as the options in dialog available via right-click Taskbar > **Properties**| +|Don't allow pinning items in Jump Lists|Jump Lists are lists of recently opened items, such as files, folders, or websites, organized by the program that you use to open them. This policy prevents users from pinning items to any Jump List.| +|Don't display or track items in Jump Lists from remote locations|When this policy is applied, only items local on the computer are shown in Jump Lists.| +|Don't keep history of recently opened documents|Documents that the user opens aren't tracked during the session.| +|Prevent changes to Taskbar and Start Menu Settings|In Windows 10, this policy disables all of the settings in **Settings** > **Personalization** > **Start** and the options in dialog available via right-click Taskbar > **Properties**| |Prevent users from customizing their Start Screen|Use this policy in conjunction with a [customized Start layout](windows-10-start-layout-options-and-policies.md) to prevent users from changing it| -|Prevent users from uninstalling applications from Start|In Windows 10, this removes the uninstall button in the context menu. It does not prevent users from uninstalling the app through other entry points (e.g. PowerShell)| -|Remove All Programs list from the Start menu|In Windows 10, this removes the **All apps** button.| -|Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.| -|Remove common program groups from Start Menu|As in earlier versions of Windows, this removes apps specified in the All Users profile from Start| -|Remove frequent programs list from the Start Menu|In Windows 10, this removes the top left **Most used** group of apps.| +|Prevent users from uninstalling applications from Start|In Windows 10, this policy removes the uninstall button in the context menu. It doesn't prevent users from uninstalling the app through other entry points (for example, PowerShell)| +|Remove All Programs list from the Start menu|In Windows 10, this policy removes the **All apps** button.| +|Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands|This policy removes the Shut Down, Restart, Sleep, and Hibernate commands from the Start Menu, Start Menu power button, CTRL+ALT+DEL screen, and Alt+F4 Shut Down Windows menu.| +|Remove common program groups from Start Menu|As in earlier versions of Windows, this policy removes apps specified in the All Users profile from Start| +|Remove frequent programs list from the Start Menu|In Windows 10, this policy removes the top left **Most used** group of apps.| |Remove Logoff on the Start Menu|**Logoff** has been changed to **Sign Out** in the user interface, however the functionality is the same.| -|Remove pinned programs list from the Start Menu|In Windows 10, this removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).| -|Show "Run as different user" command on Start|This enables the **Run as different user** option in the right-click menu for apps.| -|Start Layout|This applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in **User Configuration** or **Computer Configuration**.| -|Force Start to be either full screen size or menu size|This applies a specific size for Start.| +|Remove pinned programs list from the Start Menu|In Windows 10, this policy removes the bottom left group of apps (by default, only File Explorer and Settings are pinned).| +|Show "Run as different user" command on Start|This policy enables the **Run as different user** option in the right-click menu for apps.| +|Start Layout|This policy applies a specific Start layout, and it also prevents users from changing the layout. This policy can be configured in **User Configuration** or **Computer Configuration**.| +|Force Start to be either full screen size or menu size|This policy applies a specific size for Start.| ## Deprecated Group Policy settings for Start -The Start policy settings listed below do not work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting will not work on Windows 10. The “Supported on” text for a policy setting will not list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. +The Start policy settings listed below don't work on Windows 10. Most of them were deprecated in Windows 8 however a few more were deprecated in Windows 10. Deprecation in this case means that the policy setting won't work on Windows 10. The “Supported on” text for a policy setting won't list Windows 10. The policy settings are still in the Group Policy Management Console and can be used on the operating systems that they apply to. | Policy | When deprecated | |----------------------------------------------------------------------------------|-----------------| @@ -90,7 +90,7 @@ The Start policy settings listed below do not work on Windows 10. Most of them - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md index bf089eb4ba..e5de9e2f90 100644 --- a/windows/configuration/configure-windows-10-taskbar.md +++ b/windows/configuration/configure-windows-10-taskbar.md @@ -1,7 +1,10 @@ --- title: Configure Windows 10 taskbar (Windows 10) -description: Administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +description: Administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a section to a layout modification XML file. +keywords: ["taskbar layout","pin apps"] ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library author: aczechowski ms.author: aaroncz ms.topic: article @@ -11,17 +14,16 @@ ms.reviewer: manager: dougeby ms.collection: highpri --- - # Configure Windows 10 taskbar -Starting in Windows 10, version 1607, administrators can pin additional apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. +Starting in Windows 10, version 1607, administrators can pin more apps to the taskbar and remove default pinned apps from the taskbar by adding a `` section to a layout modification XML file. This method never removes user-pinned apps from the taskbar. > [!NOTE] > The only aspect of the taskbar that can currently be configured by the layout modification XML file is the layout. -You can specify different taskbar configurations based on device locale and region. There is no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). +You can specify different taskbar configurations based on device locale and region. There's no limit on the number of apps that you can pin. You specify apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the application). -If you specify an app to be pinned that is not provisioned for the user on the computer, the pinned icon won't appear on the taskbar. +If you specify an app to be pinned that isn't provisioned for the user on the computer, the pinned icon won't appear on the taskbar. The order of apps in the XML file dictates the order of pinned apps on the taskbar from left to right, to the right of any existing apps pinned by the user. @@ -38,8 +40,8 @@ The following example shows how apps will be pinned: Windows default apps to the **To configure the taskbar:** 1. Create the XML file. - * If you are also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. - * If you are only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. + * If you're also [customizing the Start layout](customize-and-export-start-layout.md), use `Export-StartLayout` to create the XML, and then add the `` section from [the following sample](#sample-taskbar-configuration-added-to-start-layout-xml-file) to the file. + * If you're only configuring the taskbar, use [the following sample](#sample-taskbar-configuration-xml-file) to create a layout modification XML file. 2. Edit and save the XML file. You can use [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path to identify the apps to pin to the taskbar. * Add `xmlns:taskbar="http://schemas.microsoft.com/Start/2014/TaskbarLayout"` to the first line of the file, before the closing \>. * Use `` and [AUMID](./find-the-application-user-model-id-of-an-installed-app.md) to pin Universal Windows Platform apps. @@ -53,7 +55,7 @@ The following example shows how apps will be pinned: Windows default apps to the ### Tips for finding AUMID and Desktop Application Link Path -In the layout modification XML file, you will need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. +In the layout modification XML file, you'll need to add entries for applications in the XML markup. In order to pin an application, you need either its AUMID or Desktop Application Link Path. The easiest way to find this data for an application is to: 1. Pin the application to the Start menu on a reference or testing PC. @@ -205,7 +207,7 @@ By adding `PinListPlacement="Replace"` to ``, you ## Configure taskbar by country or region -The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there is no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. +The following example shows you how to configure taskbars by country or region. When the layout is applied to a computer, if there's no `` node with a region tag for the current region, the first `` node that has no specified region will be applied. When you specify one or more countries or regions in a `` node, the specified apps are pinned on computers configured for any of the specified countries or regions. ```xml @@ -324,5 +326,5 @@ The resulting taskbar for computers in any other country region: - [Start layout XML for desktop editions of Windows 10 (reference)](start-layout-xml-desktop.md) - [Customize Windows 10 Start and taskbar with Group Policy](customize-windows-10-start-screens-by-using-group-policy.md) - [Customize Windows 10 Start and taskbar with provisioning packages](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) -- [Customize Windows 10 Start and tasbkar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) +- [Customize Windows 10 Start and taskbar with mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - [Changes to Start policies in Windows 10](changes-to-start-policies-in-windows-10.md) diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md index e82f329a86..3790905b51 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md @@ -12,7 +12,7 @@ manager: dougeby # Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization -Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant info at any given time. This can even include getting company-specific news that surfaces when the person is meeting with a representative from another company. +Cortana integration is a Preview feature that's available for your test or dev environment, starting with the CRM Online 2016 Update. If you decide to use this Preview feature, you'll need to turn in on and accept the license terms. After that, your salespeople will get proactive insights from Cortana on important CRM activities, including sales leads, accounts, and opportunities; presenting the most relevant information at any given time. This information can even include getting company-specific news that surfaces when the person is meeting with a representative from another company. >[!NOTE] >For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md index a342f659be..0f3bf0b348 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-feedback.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-feedback.md @@ -12,11 +12,11 @@ manager: dougeby # Send feedback about Cortana back to Microsoft -To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. This opens the Feedback Hub application where you can provide more information to help diagnose reported issues. +To provide feedback on an individual request or response, select the item in the conversation history and then select **Give feedback**. The Feedback Hub application is launched, where you can provide more information to help diagnose reported issues. :::image type="content" source="../screenshot1.png" alt-text="Screenshot: Send feedback page"::: -To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. This opens the Feedback Hub where more information on the issue can be provided. +To provide feedback about the application in general, go to the **Settings** menu by selecting the three dots in the top left of the application, and select **Feedback**. The Feedback Hub is launched, where more information on the issue can be provided. :::image type="content" source="../screenshot12.png" alt-text="Screenshot: Select Feedback to go to the Feedback Hub"::: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-o365.md b/windows/configuration/cortana-at-work/cortana-at-work-o365.md index 633b1edf0b..1d18b8d49d 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-o365.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-o365.md @@ -2,6 +2,8 @@ title: Set up and test Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization description: Learn how to connect Cortana to Office 365 so employees are notified about regular meetings and unusual events. You can even set an alarm for early meetings. ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz @@ -27,7 +29,7 @@ There are a few things to be aware of before you start using Cortana in Windows - **Office 365 Trust Center.** Cortana in Windows 10, version 1909 and earlier, isn't a service governed by the [Online Services Terms](https://www.microsoft.com/en-us/licensing/product-licensing/products). [Learn more about how Cortana in Windows 10, versions 1909 and earlier, treats your data](https://support.microsoft.com/en-us/help/4468233/cortana-and-privacy-microsoft-privacy). -- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use Windows Information Protection, you must also have a management solution. This can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide 3rd party mobile device management (MDM) solution. +- Windows Information Protection (WIP). If you want to secure the calendar, email, and contact info provided to Cortana on a device, you can use WIP. For more info about WIP, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). If you decide to use WIP, you must also have a management solution. This solution can be Microsoft Intune, Microsoft Endpoint Manager (version 1606 or later), or your current company-wide third-party mobile device management (MDM) solution. - **Troubleshooting tips.** If you run into issues, check out these [troubleshooting tips](/office365/troubleshoot/miscellaneous/issues-in-cortana). diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md index 88b9b1e042..81cc7d9dff 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md @@ -25,7 +25,7 @@ The Cortana app in Windows 10, version 2004 requires the latest Microsoft Store ## Required hardware and software -Cortana requires a PC running Windows 10, version 1703 or later, as well as the following software to successfully run the included scenario in your organization. +Cortana requires a PC running Windows 10, version 1703 or later, and the following software to successfully run the included scenario in your organization. >[!NOTE] >A microphone isn't required to use Cortana. @@ -34,14 +34,14 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the |---------|---------| |Client operating system | - Windows 10, version 2004 (recommended)

    - Windows 10, version 1703 (legacy version of Cortana)

    For more information on the differences between Cortana in Windows 10, version 2004 and earlier versions, see [**How is my data processed by Cortana**](#how-is-my-data-processed-by-cortana) below. | |Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. | -|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | +|Additional policies (Group Policy and Mobile Device Management (MDM)) |There's a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn off Cortana. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. | >[!NOTE] >For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana. ## Signing in using Azure AD -Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but will not be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/) +Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but won't be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/) ## How is my data processed by Cortana? @@ -58,11 +58,11 @@ The table below describes the data handling for Cortana enterprise services. | Name | Description | |---------|---------| -|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio is not retained. | +|**Storage** |Customer Data is stored on Microsoft servers inside the Office 365 cloud. Your data is part of your tenant. Speech audio isn't retained. | |**Stays in Geo** |Customer Data is stored on Microsoft servers inside the Office 365 cloud in Geo. Your data is part of your tenant. | -|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio is not retained. | +|**Retention** |Customer Data is deleted when the account is closed by the tenant administrator or when a GDPR Data Subject Rights deletion request is made. Speech audio isn't retained. | |**Processing and confidentiality** |Personnel engaged in the processing of Customer Data and personal data (i) will process such data only on instructions from Customer, and (ii) will be obligated to maintain the confidentiality and security of such data even after their engagement ends. | -|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data is not used to target advertising. | +|**Usage** |Microsoft uses Customer Data only to provide the services agreed upon, and for purposes that are compatible with those services. Machine learning to develop and improve models is one of those purposes. Machine learning is done inside the Office 365 cloud consistent with the Online Services Terms. Your data isn't used to target advertising. | #### How does the wake word (Cortana) work? If I enable it, is Cortana always listening? @@ -73,11 +73,11 @@ Cortana only begins listening for commands or queries when the wake word is dete First, the user must enable the wake word from within Cortana settings. Once it has been enabled, a component of Windows called the [Windows Multiple Voice Assistant platform](/windows-hardware/drivers/audio/voice-activation-mva#voice-activation) will start listening for the wake word. No audio is processed by speech recognition unless two local wake word detectors and a server-side one agree with high confidence that the wake word was heard. -The first decision is made by the Windows Multiple Voice Assistant platform leveraging hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. +The first decision is made by the Windows Multiple Voice Assistant platform using hardware optionally included in the user's PC for power savings. If the wake word is detected, Windows will show a microphone icon in the system tray indicating an assistant app is listening. :::image type="content" source="./images/screenshot2.png" alt-text="Screenshot: Microphone icon in the system tray indicating an assistant app is listening"::: -At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service does not confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. +At that point, the Cortana app will receive the audio, run a second, more accurate wake word detector, and optionally send it to a Microsoft cloud service where a third wake word detector will confirm. If the service doesn't confirm that the activation was valid, the audio will be discarded and deleted from any further processing or server logs. On the user's PC, the Cortana app will be silently dismissed, and no query will be shown in conversation history because the query was discarded. If all three wake word detectors agree, the Cortana canvas will show what speech has been recognized. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md index 4c019223d3..32d197bae2 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md @@ -1,6 +1,6 @@ --- title: Perform a quick search with Cortana at work (Windows) -description: This is a test scenario about how to perform a quick search with Cortana at work. +description: This scenario is a test scenario about how to perform a quick search with Cortana at work. ms.prod: w10 author: aczechowski ms.localizationpriority: medium diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md index 6a45297397..582e780d1f 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md @@ -20,6 +20,6 @@ This scenario helps you find out if a time slot is free on your calendar. 3. Type **Am I free at 3 PM tomorrow?** -Cortana will respond with your availability for that time, as well as nearby meetings. +Cortana will respond with your availability for that time, and nearby meetings. :::image type="content" source="../screenshot8.png" alt-text="Screenshot: Cortana showing free time on a calendar"::: diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md index b05c1179dc..dcc810fb0f 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md @@ -16,7 +16,7 @@ Cortana can help employees in regions outside the US search for quick answers li 1. Select the **Cortana** icon in the taskbar. -2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You will be prompted to restart the app. +2. Select the **…** menu, then select **Settings**, **Language**, then select **Español (España)**. You'll be prompted to restart the app. 3. Once the app has restarted, type or say **Convierte 100 Euros a Dólares**. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md index ed2e51d53c..942d908f2b 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md @@ -19,7 +19,7 @@ This optional scenario helps you to protect your organization’s data on a devi ## Use Cortana and WIP to protect your organization’s data -1. Create and deploy an WIP policy to your organization. For info about how to do this, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). +1. Create and deploy a WIP policy to your organization. For information about how to do this step, see [Protect your enterprise data using Windows Information Protection (WIP)](/windows/threat-protection/windows-information-protection/protect-enterprise-data-using-wip). 2. Create a new email from a non-protected or personal mailbox, including the text _I’ll send you that presentation tomorrow_. diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md index fb38e50ec2..d38268d716 100644 --- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md +++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md @@ -18,7 +18,7 @@ manager: dougeby Working with a developer, you can create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps. These voice-enabled actions can reduce the time necessary to access your apps and to complete simple actions. ## High-level process -Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be very simple to very complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. +Cortana uses a Voice Command Definition (VCD) file, aimed at an installed app, to define the actions that are to happen during certain vocal commands. A VCD file can be simple to complex, supporting anything from a single sound to a collection of more flexible, natural language sounds, all with the same intent. To enable voice commands in Cortana @@ -33,7 +33,7 @@ To enable voice commands in Cortana 2. **Install the VCD file on employees' devices**. You can use Microsoft Endpoint Manager or Microsoft Intune to deploy and install the VCD file on your employees' devices, the same way you deploy and install any other package in your organization. ## Test scenario: Use voice commands in a Microsoft Store app -While these aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. +While these apps aren't line-of-business apps, we've worked to make sure to implement a VCD file, allowing you to test how the functionality works with Cortana in your organization. **To get a Microsoft Store app** 1. Go to the Microsoft Store, scroll down to the **Collections** area, click **Show All**, and then click **Better with Cortana**. diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md index b2a351551c..2a50408b60 100644 --- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md +++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md @@ -13,8 +13,8 @@ ms.author: aaroncz ## Before you begin -- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11. -- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md). +- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you'll need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11. +- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you'll need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md). ## Set up and configure the Bing Answers feature Bing Answers provides fast, authoritative results to search queries based on search terms. When the Bing Answers feature is enabled, users will be able to ask Cortana web-related questions in the Cortana in Windows app, such as "What's the current weather?" or "Who is the president of the U.S.?," and get a response, based on public results from Bing.com. @@ -25,7 +25,7 @@ The above experience is powered by Microsoft Bing, and Cortana sends the user qu Admins can configure the Cortana in Windows Bing Answers feature for their organizations. As the admin, use the following steps to change the setting for Bing Answers at the tenant/security group level. This setting is enabled by default, so that all users who have Cortana enabled will be able to receive Bing Answers. By default, the Bing Answer feature will be available to your users. -Users cannot enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows. +Users can't enable or disable the Bing Answer feature individually. So, if you disable this feature at the tenant/security group level, no users in your organization or specific security group will be able to use Bing Answers in Cortana in Windows. Sign in to the [Office Configuration Admin tool](https://config.office.com/). @@ -35,13 +35,13 @@ Follow the steps [here](/deployoffice/overview-office-cloud-policy-service#steps ## How does Microsoft handle customer data for Bing Answers? -When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following: +When a user enters a search query (by speech or text), Cortana evaluates if the request is for any of our first-party compliant skills if enabled in a specific market, and does the following actions: 1. If it is for any of the first-party compliant skills, the query is sent to that skill, and results/action are returned. -2. If it is not for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. +2. If it isn't for any of the first-party compliant skills, the query is sent to Bing for a search of public results from Bing.com. Because enterprise searches might be sensitive, similar to [Microsoft Search in Bing](/MicrosoftSearch/security-for-search#microsoft-search-in-bing-protects-workplace-searches), Bing Answers in Cortana has implemented a set of trust measures, described below, that govern how the separate search of public results from Bing.com is handled. The Bing Answers in Cortana trust measures are consistent with the enhanced privacy and security measures described in [Microsoft Search in Bing](/MicrosoftSearch/security-for-search). All Bing.com search logs that pertain to Cortana traffic are disassociated from users' workplace identity. All Cortana queries issued via a work or school account are stored separately from public, non-Cortana traffic. -Bing Answers is enabled by default for all users. However, admins can configure and change this for specific users and user groups in their organization. +Bing Answers is enabled by default for all users. However, admins can configure and change this setting for specific users and user groups in their organization. ## How the Bing Answer policy configuration is applied Before a query is sent to Bing for a search of public results from Bing.com, the Bing Answers service checks with the Office Cloud Policy Service to see if there are any policy configurations that pertain to the user for allowing Bing Answers to respond to questions users ask Cortana. If the user is a member of an Azure Active Directory group that is assigned that policy configuration, then the appropriate policy settings are applied and a check is made again in 10 minutes. diff --git a/windows/configuration/cortana-at-work/test-scenario-6.md b/windows/configuration/cortana-at-work/test-scenario-6.md index eea07d4bbe..8a9d2fec64 100644 --- a/windows/configuration/cortana-at-work/test-scenario-6.md +++ b/windows/configuration/cortana-at-work/test-scenario-6.md @@ -15,7 +15,7 @@ manager: dougeby >[!Important] >The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering. For more info, see the [Microsoft Privacy Statement](https://privacy.microsoft.com/privacystatement) and the [Microsoft Services Agreement](https://www.microsoft.com/servicesagreement). -Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, I’ll get this to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. +Cortana automatically finds patterns in your email, suggesting reminders based things that you said you would do so you don’t forget about them. For example, Cortana recognizes that if you include the text, I’ll get something to you by the end of the week in an email, you're making a commitment to provide something by a specific date. Cortana can now suggest that you be reminded about this event, letting you decide whether to keep it or to cancel it. >[!Important] >The Suggested reminders feature is currently only available in English (en-us). diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md index 05e5647ef7..6691dbace6 100644 --- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md +++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md @@ -97,7 +97,7 @@ function listAumids( $userAccount ) { } ``` -The following Windows PowerShell commands demonstrate how you can call the listAumids function after you have created it. +The following Windows PowerShell commands demonstrate how you can call the listAumids function after you've created it. ```powershell # Get a list of AUMIDs for the current account: diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index ce8ad34838..15ad98c12b 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -1,7 +1,10 @@ --- title: Guidelines for choosing an app for assigned access (Windows 10/11) description: The following guidelines may help you choose an appropriate Windows app for your assigned access experience. +keywords: ["kiosk", "lockdown", "assigned access"] ms.prod: w10 +ms.mktglfcycl: manage +ms.sitesec: library author: aczechowski ms.localizationpriority: medium ms.author: aaroncz @@ -28,9 +31,9 @@ The following guidelines may help you choose an appropriate Windows app for your - Windows apps must be provisioned or installed for the assigned access account before they can be selected as the assigned access app. [Learn how to provision and install apps](/windows/client-management/mdm/enterprise-app-management#install_your_apps). -- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. +- Updating a Windows app can sometimes change the Application User Model ID (AUMID) of the app. If this change happens, you must update the assigned access settings to launch the updated app, because assigned access uses the AUMID to determine which app to launch. -- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) cannot be used as kiosk apps. +- Apps that are generated using the [Desktop App Converter (Desktop Bridge)](/windows/uwp/porting/desktop-to-uwp-run-desktop-app-converter) can't be used as kiosk apps. @@ -43,16 +46,14 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t ## Guidelines for web browsers -In Windows 10, version 1909, assigned access adds support for the new Microsoft Edge kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/DeployEdge/microsoft-edge-configure-kiosk-mode). +Starting with Windows 10 version 1809+, Microsoft Edge includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode.](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) -In Windows 10, version 1809, Microsoft Edge Legacy includes support for kiosk mode. [Learn how to deploy Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy). - -In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. +In Windows client, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure more settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. >[!NOTE] >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs. > ->Kiosk Browser cannot access intranet websites. +>Kiosk Browser can't access intranet websites. **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education) and Windows 11. @@ -81,8 +82,7 @@ Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh stat > > 1. Create the provisioning package. When ready to export, close the project in Windows Configuration Designer. > 2. Open the customizations.xml file in the project folder (e.g C:\Users\name\Documents\Windows Imaging and Configuration Designer (WICD)\Project_18). -> 3. Insert the null character string in between each URL -(e.g `www.bing.com` and `www.contoso.com`). +> 3. Insert the null character string in between each URL (e.g www.bing.com``www.contoso.com). > 4. Save the XML file. > 5. Open the project again in Windows Configuration Designer. > 6. Export the package. Ensure you do not revisit the created policies under Kiosk Browser or else the null character will be removed. @@ -104,10 +104,10 @@ URLs can include: - The path to the resource. - Query parameters. -Additional guidelines for URLs: +More guidelines for URLs: - If a period precedes the host, the policy filters exact host matches only. -- You cannot use user:pass fields. +- You can't use user:pass fields. - When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence. - The policy searches wildcards (*) last. - The optional query is a set of key-value and key-only tokens delimited by '&'. @@ -120,8 +120,8 @@ The following table describes the results for different combinations of blocked Blocked URL rule | Block URL exception rule | Result --- | --- | --- -`*` | `contoso.com`
    `fabrikam.com` | All requests are blocked unless it is to `contoso.com, fabrikam.com,` or any of their subdomains. -`contoso.com` | `mail.contoso.com`
    `.contoso.com`
    `.www.contoso.com` | Block all requests to `contoso.com,` except for the main page and its mail subdomain. +`*` | `contoso.com`
    `fabrikam.com` | All requests are blocked unless it's to contoso.com, fabrikam.com, or any of their subdomains. +`contoso.com` | `mail.contoso.com`
    `.contoso.com`
    `.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. `youtube.com` | `youtube.com/watch?v=v1`
    `youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). The following table gives examples for blocked URLs. @@ -129,16 +129,16 @@ The following table gives examples for blocked URLs. | Entry | Result | |--------------------------|-------------------------------------------------------------------------------| -| `contoso.com` | Blocks all requests to contoso.com, `www.contoso.com,` and sub.www.contoso.com | +| `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com | | `https://*` | Blocks all HTTPS requests to any domain. | -| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to `www.contoso.com` or `contoso.com` | +| `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com | | `.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. | -| `.www.contoso.com` | Blocks `www.contoso.com` but not its subdomains. | +| `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. | | `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. | | `*:8080` | Blocks all requests to port 8080. | | `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. | | `192.168.1.2` | Blocks requests to 192.168.1.2. | -| `youtube.com/watch?v=V1` | Blocks youtube video with id V1. | +| `youtube.com/watch?v=V1` | Blocks Youtube video with id V1. | ### Other browsers @@ -155,24 +155,18 @@ You can create your own web browser Windows app by using the WebView class. Lear Avoid selecting Windows apps that may expose the information you don’t want to show in your kiosk, since kiosk usually means anonymous access and locates in a public setting like a shopping mall. For example, an app that has a file picker allows the user to gain access to files and folders on the user's system, avoid selecting these types of apps if they provide unnecessary data access. -## Customize your breakout sequence - -Assigned access allows for the specification of a new breakout sequence. A breakout sequence is a keyboard shortcut that stops the kiosk experience and brings the user back to the lock screen. By default the breakout sequence is configured to be ctrl+alt+delete, a common Windows keyboard shortcut. It is recommended that this is set to a non-standard Windows shortcut to prevent disruptions in the kiosk experience. - -There is currently no user interface for customizing the breakout sequence in Windows settings, so it would need to be specified in a provisioning method where an XML format such as MDM is used. - ## App configuration -Some apps may require additional configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. +Some apps may require more configurations before they can be used appropriately in assigned access. For example, Microsoft OneNote requires you to set up a Microsoft account for the assigned access user account before OneNote will open in assigned access. Check the guidelines published by your selected app and set up accordingly. ## Develop your kiosk app -Assigned access in Windows client leverages the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. +Assigned access in Windows client uses the new lock framework. When an assigned access user signs in, the selected kiosk app is launched above the lock screen. The kiosk app is running as an above lock screen app. Follow the [best practices guidance for developing a kiosk app for assigned access](/windows-hardware/drivers/partnerapps/create-a-kiosk-app-for-assigned-access). ## Test your assigned access experience -The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. +The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you've selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience. diff --git a/windows/configuration/index.yml b/windows/configuration/index.yml index aa2502cdf2..be1a9d7a92 100644 --- a/windows/configuration/index.yml +++ b/windows/configuration/index.yml @@ -1,7 +1,7 @@ ### YamlMime:Landing title: Configure Windows client # < 60 chars -summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides a number of features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars +summary: Find out how to apply custom configurations to Windows 10 and Windows 11 devices. Windows 10 provides many features and methods to help you configure or lock down specific parts of Windows client. # < 160 chars metadata: title: Configure Windows client # Required; page title displayed in search results. Include the brand. < 60 chars. diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md index c444568fe9..b0fe2894f6 100644 --- a/windows/configuration/kiosk-methods.md +++ b/windows/configuration/kiosk-methods.md @@ -25,7 +25,7 @@ Some desktop devices in an enterprise serve a special purpose. For example, a PC - **A single-app kiosk**: Runs a single Universal Windows Platform (UWP) app in full screen above the lock screen. People using the kiosk can see only that app. When the kiosk account (a local standard user account) signs in, the kiosk app will launch automatically, and you can configure the kiosk account to sign in automatically as well. If the kiosk app is closed, it will automatically restart. - A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lock screen. + A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk doesn't run above the lock screen. ![Illustration of a full-screen kiosk experience that runs one app on a Windows client device.](images/kiosk-fullscreen.png) diff --git a/windows/configuration/kiosk-policies.md b/windows/configuration/kiosk-policies.md index 219db257fb..a531192fa3 100644 --- a/windows/configuration/kiosk-policies.md +++ b/windows/configuration/kiosk-policies.md @@ -20,14 +20,14 @@ ms.topic: article -It is not recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. +It isn't recommended to set policies enforced in assigned access kiosk mode to different values using other channels, as the kiosk mode has been optimized to provide a locked-down experience. When the assigned access kiosk configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. ## Group Policy -The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. +The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. These users include local users, domain users, and Azure Active Directory users. | Setting | Value | | --- | --- | @@ -65,7 +65,7 @@ Prevent access to drives from My Computer | Enabled - Restrict all drivers ## MDM policy -Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). +Some of the MDM policies based on the [Policy configuration service provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (that is, system-wide impact). Setting | Value | System-wide --- | --- | --- From e3d14bab9ff97b57054d2e9fd2df4c65e6dd1760 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 4 Aug 2022 12:13:19 -0400 Subject: [PATCH 35/77] Convert index.md to yml --- windows/client-management/mdm/index.yml | 79 + .../mdm/{index.md => mdm-overview.md} | 20 +- windows/client-management/mdm/toc.yml | 1948 +++++++++-------- windows/security/index.yml | 2 +- 4 files changed, 1064 insertions(+), 985 deletions(-) create mode 100644 windows/client-management/mdm/index.yml rename windows/client-management/mdm/{index.md => mdm-overview.md} (95%) diff --git a/windows/client-management/mdm/index.yml b/windows/client-management/mdm/index.yml new file mode 100644 index 0000000000..93540583f5 --- /dev/null +++ b/windows/client-management/mdm/index.yml @@ -0,0 +1,79 @@ +### YamlMime:Landing + +title: Mobile Device Management # < 60 chars +summary: Find out how to enroll Windows devices and manage company security policies and business applications. # < 160 chars + +metadata: + title: Mobile Device Management # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Find out how to enroll Windows devices and manage company security policies and business applications. # Required; article description that is displayed in search results. < 160 chars. + ms.topic: landing-page # Required + services: windows-10 + ms.prod: windows + ms.collection: + - windows-10 + - highpri + ms.custom: intro-hub-or-landing + author: vinaypamnani-msft + ms.author: vinpa + manager: aaroncz + ms.date: 08/04/2022 + localization_priority: medium + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: + # Cards and links should be based on top customer tasks or top subjects + # Start card title with a verb + # Card (optional) + - title: Device enrollment + linkLists: + - linkListType: overview + links: + - text: Mobile device enrollment + url: mobile-device-enrollment.md + - linkListType: concept + links: + - text: Enroll Windows devices + url: mdm-enrollment-of-windows-devices.md + - text: Automatic enrollment using Azure AD + url: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md + - text: Automatic enrollment using Group Policy + url: enroll-a-windows-10-device-automatically-using-group-policy.md + - text: Bulk enrollment + url: bulk-enrollment-using-windows-provisioning-tool.md + + # Card (optional) + - title: Device management + linkLists: + - linkListType: overview + links: + - text: Enterprise settings, policies, and app management + url: windows-mdm-enterprise-settings.md + - linkListType: concept + links: + - text: Enterprise app management + url: enterprise-app-management.md + - text: Device updates management + url: device-update-management.md + - text: Secured-core PC configuration lock + url: config-lock.md + - text: Diagnose MDM failures + url: diagnose-mdm-failures-in-windows-10.md + + # Card (optional) + - title: CSP reference + linkLists: + - linkListType: overview + links: + - text: Configuration service provider reference + url: configuration-service-provider-reference.md + - linkListType: reference + links: + - text: Policy CSP + url: policy-configuration-service-provider.md + - text: Policy CSP - Update + url: policy-csp-update.md + - text: DynamicManagement CSP + url: dynamicmanagement-csp.md + - text: BitLocker CSP + url: bitlocker-csp.md diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/mdm-overview.md similarity index 95% rename from windows/client-management/mdm/index.md rename to windows/client-management/mdm/mdm-overview.md index 5bd11c744d..d0e376cd1f 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/mdm-overview.md @@ -1,19 +1,18 @@ --- -title: Mobile device management +title: Mobile Device Management overview description: Windows 10 and Windows 11 provide an enterprise-level solution to mobile management, to help IT pros comply with security policies while avoiding compromise of user's privacy. -MS-HAID: -- 'p\_phDeviceMgmt.provisioning\_and\_device\_management' -- 'p\_phDeviceMgmt.mobile\_device\_management\_windows\_mdm' -ms.topic: overview -ms.prod: w10 +ms.date: 08/04/2022 ms.technology: windows -author: aczechowski -ms.author: aaroncz +ms.topic: article +ms.prod: w10 +ms.localizationpriority: medium +author: vinaypamnani-msft +ms.author: vinpa +manager: aaroncz ms.collection: highpri -ms.date: 06/03/2022 --- -# Mobile device management +# Mobile Device Management overview Windows 10 and Windows 11 provide an enterprise management solution to help IT pros manage company security policies and business applications, while avoiding compromise of the users' privacy on their personal devices. A built-in management component can communicate with the management server. @@ -43,7 +42,6 @@ For more information about the MDM policies defined in the MDM security baseline - [MDM Security baseline for Windows 10, version 2004](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/2004-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 1909](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1909-MDM-SecurityBaseLine-Document.zip) - [MDM Security baseline for Windows 10, version 1903](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1903-MDM-SecurityBaseLine-Document.zip) - - [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip) For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all). diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 4d565bd3f7..10d185561f 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -1,976 +1,978 @@ items: -- name: Mobile Device Management - href: index.md - items: - - name: What's new in MDM enrollment and management - href: new-in-windows-mdm-enrollment-management.md + - name: Mobile Device Management + href: index.yml items: - - name: Change history for MDM documentation - href: change-history-for-mdm-documentation.md - - name: Device enrollment - href: mobile-device-enrollment.md - items: - - name: MDM enrollment of Windows devices - href: mdm-enrollment-of-windows-devices.md - - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment" - href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md - - name: Enroll a Windows 10 device automatically using Group Policy - href: enroll-a-windows-10-device-automatically-using-group-policy.md - - name: Bulk enrollment - href: bulk-enrollment-using-windows-provisioning-tool.md - - name: Federated authentication device enrollment - href: federated-authentication-device-enrollment.md - - name: Certificate authentication device enrollment - href: certificate-authentication-device-enrollment.md - - name: On-premises authentication device enrollment - href: on-premise-authentication-device-enrollment.md - - name: Disconnecting a device from MDM (unenrollment) - href: disconnecting-from-mdm-unenrollment.md - - name: Understanding ADMX policies - href: understanding-admx-backed-policies.md - items: - - name: Enable ADMX policies in MDM - href: enable-admx-backed-policies-in-mdm.md - - name: Win32 and Desktop Bridge app policy configuration - href: win32-and-centennial-app-policy-configuration.md - - name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md - items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md - - name: Enterprise settings, policies, and app management - href: windows-mdm-enterprise-settings.md - items: - - name: Enterprise app management - href: enterprise-app-management.md - items: - - name: Deploy and configure App-V apps using MDM - href: appv-deploy-and-config.md - - name: Management tool for the Microsoft Store for Business - href: management-tool-for-windows-store-for-business.md - - name: REST API reference for Microsoft Store for Business - href: rest-api-reference-windows-store-for-business.md + - name: MDM overview + href: mdm-overview.md + - name: What's new in MDM enrollment and management + href: new-in-windows-mdm-enrollment-management.md items: - - name: Data structures for Microsoft Store for Business - href: data-structures-windows-store-for-business.md - - name: Get Inventory - href: get-inventory.md - - name: Get product details - href: get-product-details.md - - name: Get localized product details - href: get-localized-product-details.md - - name: Get offline license - href: get-offline-license.md - - name: Get product packages - href: get-product-packages.md - - name: Get product package - href: get-product-package.md - - name: Get seats - href: get-seats.md - - name: Get seat - href: get-seat.md - - name: Assign seats - href: assign-seats.md - - name: Reclaim seat from user - href: reclaim-seat-from-user.md - - name: Bulk assign and reclaim seats from users - href: bulk-assign-and-reclaim-seats-from-user.md - - name: Get seats assigned to a user - href: get-seats-assigned-to-a-user.md - - name: Mobile device management (MDM) for device updates - href: device-update-management.md - - name: Secured-Core PC Configuration Lock - href: config-lock.md - - name: Certificate renewal - href: certificate-renewal-windows-mdm.md - - name: Using PowerShell scripting with the WMI Bridge Provider - href: using-powershell-scripting-with-the-wmi-bridge-provider.md - - name: WMI providers supported in Windows 10 - href: wmi-providers-supported-in-windows.md - - name: Diagnose MDM failures in Windows 10 - href: diagnose-mdm-failures-in-windows-10.md - - name: Push notification support for device management - href: push-notification-windows-mdm.md - - name: MAM support for device management - href: implement-server-side-mobile-application-management.md - - name: OMA DM protocol support - href: oma-dm-protocol-support.md - items: - - name: Structure of OMA DM provisioning files - href: structure-of-oma-dm-provisioning-files.md - - name: Server requirements for OMA DM - href: server-requirements-windows-mdm.md - - name: DMProcessConfigXMLFiltered - href: dmprocessconfigxmlfiltered.md - - name: Configuration service provider reference - href: configuration-service-provider-reference.md - items: - - name: AccountManagement CSP - href: accountmanagement-csp.md - items: - - name: AccountManagement DDF file - href: accountmanagement-ddf.md - - name: Accounts CSP - href: accounts-csp.md - items: - - name: Accounts DDF file - href: accounts-ddf-file.md - - name: ActiveSync CSP - href: activesync-csp.md - items: - - name: ActiveSync DDF file - href: activesync-ddf-file.md - - name: AllJoynManagement CSP - href: alljoynmanagement-csp.md - items: - - name: AllJoynManagement DDF - href: alljoynmanagement-ddf.md - - name: APPLICATION CSP - href: application-csp.md - - name: ApplicationControl CSP - href: applicationcontrol-csp.md - items: - - name: ApplicationControl DDF file - href: applicationcontrol-csp-ddf.md - - name: AppLocker CSP - href: applocker-csp.md - items: - - name: AppLocker DDF file - href: applocker-ddf-file.md - - name: AppLocker XSD - href: applocker-xsd.md - - name: AssignedAccess CSP - href: assignedaccess-csp.md - items: - - name: AssignedAccess DDF file - href: assignedaccess-ddf.md - - name: BitLocker CSP - href: bitlocker-csp.md - items: - - name: BitLocker DDF file - href: bitlocker-ddf-file.md - - name: CellularSettings CSP - href: cellularsettings-csp.md - - name: CertificateStore CSP - href: certificatestore-csp.md - items: - - name: CertificateStore DDF file - href: certificatestore-ddf-file.md - - name: CleanPC CSP - href: cleanpc-csp.md - items: - - name: CleanPC DDF - href: cleanpc-ddf.md - - name: ClientCertificateInstall CSP - href: clientcertificateinstall-csp.md - items: - - name: ClientCertificateInstall DDF file - href: clientcertificateinstall-ddf-file.md - - name: CM_CellularEntries CSP - href: cm-cellularentries-csp.md - - name: CMPolicy CSP - href: cmpolicy-csp.md - - name: CMPolicyEnterprise CSP - href: cmpolicyenterprise-csp.md - items: - - name: CMPolicyEnterprise DDF file - href: cmpolicyenterprise-ddf-file.md - - name: CustomDeviceUI CSP - href: customdeviceui-csp.md - items: - - name: CustomDeviceUI DDF file - href: customdeviceui-ddf.md - - name: Defender CSP - href: defender-csp.md - items: - - name: Defender DDF file - href: defender-ddf.md - - name: DevDetail CSP - href: devdetail-csp.md - items: - - name: DevDetail DDF file - href: devdetail-ddf-file.md - - name: DeveloperSetup CSP - href: developersetup-csp.md - items: - - name: DeveloperSetup DDF - href: developersetup-ddf.md - - name: DeviceLock CSP - href: devicelock-csp.md - items: - - name: DeviceLock DDF file - href: devicelock-ddf-file.md - - name: DeviceManageability CSP - href: devicemanageability-csp.md - items: - - name: DeviceManageability DDF - href: devicemanageability-ddf.md - - name: DeviceStatus CSP - href: devicestatus-csp.md - items: - - name: DeviceStatus DDF - href: devicestatus-ddf.md - - name: DevInfo CSP - href: devinfo-csp.md - items: - - name: DevInfo DDF file - href: devinfo-ddf-file.md - - name: DiagnosticLog CSP - href: diagnosticlog-csp.md - items: - - name: DiagnosticLog DDF file - href: diagnosticlog-ddf.md - - name: DMAcc CSP - href: dmacc-csp.md - items: - - name: DMAcc DDF file - href: dmacc-ddf-file.md - - name: DMClient CSP - href: dmclient-csp.md - items: - - name: DMClient DDF file - href: dmclient-ddf-file.md - - name: DMSessionActions CSP - href: dmsessionactions-csp.md - items: - - name: DMSessionActions DDF file - href: dmsessionactions-ddf.md - - name: DynamicManagement CSP - href: dynamicmanagement-csp.md - items: - - name: DynamicManagement DDF file - href: dynamicmanagement-ddf.md - - name: EMAIL2 CSP - href: email2-csp.md - items: - - name: EMAIL2 DDF file - href: email2-ddf-file.md - - name: EnrollmentStatusTracking CSP - href: enrollmentstatustracking-csp.md - items: - - name: EnrollmentStatusTracking DDF file - href: enrollmentstatustracking-csp-ddf.md - - name: EnterpriseAPN CSP - href: enterpriseapn-csp.md - items: - - name: EnterpriseAPN DDF - href: enterpriseapn-ddf.md - - name: EnterpriseAppVManagement CSP - href: enterpriseappvmanagement-csp.md - items: - - name: EnterpriseAppVManagement DDF file - href: enterpriseappvmanagement-ddf.md - - name: EnterpriseDataProtection CSP - href: enterprisedataprotection-csp.md - items: - - name: EnterpriseDataProtection DDF file - href: enterprisedataprotection-ddf-file.md - - name: EnterpriseDesktopAppManagement CSP - href: enterprisedesktopappmanagement-csp.md - items: - - name: EnterpriseDesktopAppManagement DDF - href: enterprisedesktopappmanagement-ddf-file.md - - name: EnterpriseDesktopAppManagement XSD - href: enterprisedesktopappmanagement2-xsd.md - - name: EnterpriseModernAppManagement CSP - href: enterprisemodernappmanagement-csp.md - items: - - name: EnterpriseModernAppManagement DDF - href: enterprisemodernappmanagement-ddf.md - - name: EnterpriseModernAppManagement XSD - href: enterprisemodernappmanagement-xsd.md - - name: eUICCs CSP - href: euiccs-csp.md - items: - - name: eUICCs DDF file - href: euiccs-ddf-file.md - - name: Firewall CSP - href: firewall-csp.md - items: - - name: Firewall DDF file - href: firewall-ddf-file.md - - name: HealthAttestation CSP - href: healthattestation-csp.md - items: - - name: HealthAttestation DDF - href: healthattestation-ddf.md - - name: MultiSIM CSP - href: multisim-csp.md - items: - - name: MultiSIM DDF file - href: multisim-ddf.md - - name: NAP CSP - href: nap-csp.md - - name: NAPDEF CSP - href: napdef-csp.md - - name: NetworkProxy CSP - href: networkproxy-csp.md - items: - - name: NetworkProxy DDF file - href: networkproxy-ddf.md - - name: NetworkQoSPolicy CSP - href: networkqospolicy-csp.md - items: - - name: NetworkQoSPolicy DDF file - href: networkqospolicy-ddf.md - - name: NodeCache CSP - href: nodecache-csp.md - items: - - name: NodeCache DDF file - href: nodecache-ddf-file.md - - name: Office CSP - href: office-csp.md - items: - - name: Office DDF - href: office-ddf.md - - name: PassportForWork CSP - href: passportforwork-csp.md - items: - - name: PassportForWork DDF file - href: passportforwork-ddf.md - - name: Personalization CSP - href: personalization-csp.md - items: - - name: Personalization DDF file - href: personalization-ddf.md - - name: Policy CSP - href: policy-configuration-service-provider.md - items: - - name: Policy CSP DDF file - href: policy-ddf-file.md - - name: Policies in Policy CSP supported by Group Policy - href: policies-in-policy-csp-supported-by-group-policy.md - - name: ADMX policies in Policy CSP - href: policies-in-policy-csp-admx-backed.md - - name: Policies in Policy CSP supported by HoloLens 2 - href: policies-in-policy-csp-supported-by-hololens2.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite - href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md - - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition - href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md - - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise - href: ./configuration-service-provider-reference.md - - name: Policies in Policy CSP supported by Windows 10 IoT Core - href: policies-in-policy-csp-supported-by-iot-core.md - - name: Policies in Policy CSP supported by Microsoft Surface Hub - href: policies-in-policy-csp-supported-by-surface-hub.md - - name: Policy CSPs that can be set using Exchange Active Sync (EAS) - href: policies-in-policy-csp-that-can-be-set-using-eas.md - - name: AboveLock - href: policy-csp-abovelock.md - - name: Accounts - href: policy-csp-accounts.md - - name: ActiveXControls - href: policy-csp-activexcontrols.md - - name: ADMX_ActiveXInstallService - href: policy-csp-admx-activexinstallservice.md - - name: ADMX_AddRemovePrograms - href: policy-csp-admx-addremoveprograms.md - - name: ADMX_AdmPwd - href: policy-csp-admx-admpwd.md - - name: ADMX_AppCompat - href: policy-csp-admx-appcompat.md - - name: ADMX_AppxPackageManager - href: policy-csp-admx-appxpackagemanager.md - - name: ADMX_AppXRuntime - href: policy-csp-admx-appxruntime.md - - name: ADMX_AttachmentManager - href: policy-csp-admx-attachmentmanager.md - - name: ADMX_AuditSettings - href: policy-csp-admx-auditsettings.md - - name: ADMX_Bits - href: policy-csp-admx-bits.md - - name: ADMX_CipherSuiteOrder - href: policy-csp-admx-ciphersuiteorder.md - - name: ADMX_COM - href: policy-csp-admx-com.md - - name: ADMX_ControlPanel - href: policy-csp-admx-controlpanel.md - - name: ADMX_ControlPanelDisplay - href: policy-csp-admx-controlpaneldisplay.md - - name: ADMX_Cpls - href: policy-csp-admx-cpls.md - - name: ADMX_CredentialProviders - href: policy-csp-admx-credentialproviders.md - - name: ADMX_CredSsp - href: policy-csp-admx-credssp.md - - name: ADMX_CredUI - href: policy-csp-admx-credui.md - - name: ADMX_CtrlAltDel - href: policy-csp-admx-ctrlaltdel.md - - name: ADMX_DataCollection - href: policy-csp-admx-datacollection.md - - name: ADMX_DCOM - href: policy-csp-admx-dcom.md - - name: ADMX_Desktop - href: policy-csp-admx-desktop.md - - name: ADMX_DeviceCompat - href: policy-csp-admx-devicecompat.md - - name: ADMX_DeviceGuard - href: policy-csp-admx-deviceguard.md - - name: ADMX_DeviceInstallation - href: policy-csp-admx-deviceinstallation.md - - name: ADMX_DeviceSetup - href: policy-csp-admx-devicesetup.md - - name: ADMX_DFS - href: policy-csp-admx-dfs.md - - name: ADMX_DigitalLocker - href: policy-csp-admx-digitallocker.md - - name: ADMX_DiskDiagnostic - href: policy-csp-admx-diskdiagnostic.md - - name: ADMX_DistributedLinkTracking - href: policy-csp-admx-distributedlinktracking.md - - name: ADMX_DnsClient - href: policy-csp-admx-dnsclient.md - - name: ADMX_DWM - href: policy-csp-admx-dwm.md - - name: ADMX_EAIME - href: policy-csp-admx-eaime.md - - name: ADMX_EncryptFilesonMove - href: policy-csp-admx-encryptfilesonmove.md - - name: ADMX_EventLogging - href: policy-csp-admx-eventlogging.md - - name: ADMX_EnhancedStorage - href: policy-csp-admx-enhancedstorage.md - - name: ADMX_ErrorReporting - href: policy-csp-admx-errorreporting.md - - name: ADMX_EventForwarding - href: policy-csp-admx-eventforwarding.md - - name: ADMX_EventLog - href: policy-csp-admx-eventlog.md - - name: ADMX_EventViewer - href: policy-csp-admx-eventviewer.md - - name: ADMX_Explorer - href: policy-csp-admx-explorer.md - - name: ADMX_ExternalBoot - href: policy-csp-admx-externalboot.md - - name: ADMX_FileRecovery - href: policy-csp-admx-filerecovery.md - - name: ADMX_FileRevocation - href: policy-csp-admx-filerevocation.md - - name: ADMX_FileServerVSSProvider - href: policy-csp-admx-fileservervssprovider.md - - name: ADMX_FileSys - href: policy-csp-admx-filesys.md - - name: ADMX_FolderRedirection - href: policy-csp-admx-folderredirection.md - - name: ADMX_FramePanes - href: policy-csp-admx-framepanes.md - - name: ADMX_FTHSVC - href: policy-csp-admx-fthsvc.md - - name: ADMX_Globalization - href: policy-csp-admx-globalization.md - - name: ADMX_GroupPolicy - href: policy-csp-admx-grouppolicy.md - - name: ADMX_Help - href: policy-csp-admx-help.md - - name: ADMX_HelpAndSupport - href: policy-csp-admx-helpandsupport.md - - name: ADMX_HotSpotAuth - href: policy-csp-admx-hotspotauth.md - - name: ADMX_ICM - href: policy-csp-admx-icm.md - - name: ADMX_IIS - href: policy-csp-admx-iis.md - - name: ADMX_iSCSI - href: policy-csp-admx-iscsi.md - - name: ADMX_kdc - href: policy-csp-admx-kdc.md - - name: ADMX_Kerberos - href: policy-csp-admx-kerberos.md - - name: ADMX_LanmanServer - href: policy-csp-admx-lanmanserver.md - - name: ADMX_LanmanWorkstation - href: policy-csp-admx-lanmanworkstation.md - - name: ADMX_LeakDiagnostic - href: policy-csp-admx-leakdiagnostic.md - - name: ADMX_LinkLayerTopologyDiscovery - href: policy-csp-admx-linklayertopologydiscovery.md - - name: ADMX_LocationProviderAdm - href: policy-csp-admx-locationprovideradm.md - - name: ADMX_Logon - href: policy-csp-admx-logon.md - - name: ADMX_MicrosoftDefenderAntivirus - href: policy-csp-admx-microsoftdefenderantivirus.md - - name: ADMX_MMC - href: policy-csp-admx-mmc.md - - name: ADMX_MMCSnapins - href: policy-csp-admx-mmcsnapins.md - - name: ADMX_MobilePCMobilityCenter - href: policy-csp-admx-mobilepcmobilitycenter.md - - name: ADMX_MobilePCPresentationSettings - href: policy-csp-admx-mobilepcpresentationsettings.md - - name: ADMX_MSAPolicy - href: policy-csp-admx-msapolicy.md - - name: ADMX_msched - href: policy-csp-admx-msched.md - - name: ADMX_MSDT - href: policy-csp-admx-msdt.md - - name: ADMX_MSI - href: policy-csp-admx-msi.md - - name: ADMX_MsiFileRecovery - href: policy-csp-admx-msifilerecovery.md - - name: ADMX_nca - href: policy-csp-admx-nca.md - - name: ADMX_NCSI - href: policy-csp-admx-ncsi.md - - name: ADMX_Netlogon - href: policy-csp-admx-netlogon.md - - name: ADMX_NetworkConnections - href: policy-csp-admx-networkconnections.md - - name: ADMX_OfflineFiles - href: policy-csp-admx-offlinefiles.md - - name: ADMX_pca - href: policy-csp-admx-pca.md - - name: ADMX_PeerToPeerCaching - href: policy-csp-admx-peertopeercaching.md - - name: ADMX_PenTraining - href: policy-csp-admx-pentraining.md - - name: ADMX_PerformanceDiagnostics - href: policy-csp-admx-performancediagnostics.md - - name: ADMX_Power - href: policy-csp-admx-power.md - - name: ADMX_PowerShellExecutionPolicy - href: policy-csp-admx-powershellexecutionpolicy.md - - name: ADMX_PreviousVersions - href: policy-csp-admx-previousversions.md - - name: ADMX_Printing - href: policy-csp-admx-printing.md - - name: ADMX_Printing2 - href: policy-csp-admx-printing2.md - - name: ADMX_Programs - href: policy-csp-admx-programs.md - - name: ADMX_Reliability - href: policy-csp-admx-reliability.md - - name: ADMX_RemoteAssistance - href: policy-csp-admx-remoteassistance.md - - name: ADMX_RemovableStorage - href: policy-csp-admx-removablestorage.md - - name: ADMX_RPC - href: policy-csp-admx-rpc.md - - name: ADMX_Scripts - href: policy-csp-admx-scripts.md - - name: ADMX_sdiageng - href: policy-csp-admx-sdiageng.md - - name: ADMX_sdiagschd - href: policy-csp-admx-sdiagschd.md - - name: ADMX_Securitycenter - href: policy-csp-admx-securitycenter.md - - name: ADMX_Sensors - href: policy-csp-admx-sensors.md - - name: ADMX_ServerManager - href: policy-csp-admx-servermanager.md - - name: ADMX_Servicing - href: policy-csp-admx-servicing.md - - name: ADMX_SettingSync - href: policy-csp-admx-settingsync.md - - name: ADMX_SharedFolders - href: policy-csp-admx-sharedfolders.md - - name: ADMX_Sharing - href: policy-csp-admx-sharing.md - - name: ADMX_ShellCommandPromptRegEditTools - href: policy-csp-admx-shellcommandpromptregedittools.md - - name: ADMX_Smartcard - href: policy-csp-admx-smartcard.md - - name: ADMX_Snmp - href: policy-csp-admx-snmp.md - - name: ADMX_StartMenu - href: policy-csp-admx-startmenu.md - - name: ADMX_SystemRestore - href: policy-csp-admx-systemrestore.md - - name: ADMX_TabletShell - href: policy-csp-admx-tabletshell.md - - name: ADMX_Taskbar - href: policy-csp-admx-taskbar.md - - name: ADMX_tcpip - href: policy-csp-admx-tcpip.md - - name: ADMX_TerminalServer - href: policy-csp-admx-terminalserver.md - - name: ADMX_Thumbnails - href: policy-csp-admx-thumbnails.md - - name: ADMX_TouchInput - href: policy-csp-admx-touchinput.md - - name: ADMX_TPM - href: policy-csp-admx-tpm.md - - name: ADMX_UserExperienceVirtualization - href: policy-csp-admx-userexperiencevirtualization.md - - name: ADMX_UserProfiles - href: policy-csp-admx-userprofiles.md - - name: ADMX_W32Time - href: policy-csp-admx-w32time.md - - name: ADMX_WCM - href: policy-csp-admx-wcm.md - - name: ADMX_WDI - href: policy-csp-admx-wdi.md - - name: ADMX_WinCal - href: policy-csp-admx-wincal.md - - name: ADMX_WindowsConnectNow - href: policy-csp-admx-windowsconnectnow.md - - name: ADMX_WindowsExplorer - href: policy-csp-admx-windowsexplorer.md - - name: ADMX_WindowsMediaDRM - href: policy-csp-admx-windowsmediadrm.md - - name: ADMX_WindowsMediaPlayer - href: policy-csp-admx-windowsmediaplayer.md - - name: ADMX_WindowsRemoteManagement - href: policy-csp-admx-windowsremotemanagement.md - - name: ADMX_WindowsStore - href: policy-csp-admx-windowsstore.md - - name: ADMX_WinInit - href: policy-csp-admx-wininit.md - - name: ADMX_WinLogon - href: policy-csp-admx-winlogon.md - - name: ADMX-Winsrv - href: policy-csp-admx-winsrv.md - - name: ADMX_wlansvc - href: policy-csp-admx-wlansvc.md - - name: ADMX_WordWheel - href: policy-csp-admx-wordwheel.md - - name: ADMX_WorkFoldersClient - href: policy-csp-admx-workfoldersclient.md - - name: ADMX_WPN - href: policy-csp-admx-wpn.md - - name: ApplicationDefaults - href: policy-csp-applicationdefaults.md - - name: ApplicationManagement - href: policy-csp-applicationmanagement.md - - name: AppRuntime - href: policy-csp-appruntime.md - - name: AppVirtualization - href: policy-csp-appvirtualization.md - - name: AttachmentManager - href: policy-csp-attachmentmanager.md - - name: Audit - href: policy-csp-audit.md - - name: Authentication - href: policy-csp-authentication.md - - name: Autoplay - href: policy-csp-autoplay.md - - name: BitLocker - href: policy-csp-bitlocker.md - - name: BITS - href: policy-csp-bits.md - - name: Bluetooth - href: policy-csp-bluetooth.md - - name: Browser - href: policy-csp-browser.md - - name: Camera - href: policy-csp-camera.md - - name: Cellular - href: policy-csp-cellular.md - - name: Connectivity - href: policy-csp-connectivity.md - - name: ControlPolicyConflict - href: policy-csp-controlpolicyconflict.md - - name: CredentialsDelegation - href: policy-csp-credentialsdelegation.md - - name: CredentialProviders - href: policy-csp-credentialproviders.md - - name: CredentialsUI - href: policy-csp-credentialsui.md - - name: Cryptography - href: policy-csp-cryptography.md - - name: DataProtection - href: policy-csp-dataprotection.md - - name: DataUsage - href: policy-csp-datausage.md - - name: Defender - href: policy-csp-defender.md - - name: DeliveryOptimization - href: policy-csp-deliveryoptimization.md - - name: Desktop - href: policy-csp-desktop.md - - name: DeviceGuard - href: policy-csp-deviceguard.md - - name: DeviceHealthMonitoring - href: policy-csp-devicehealthmonitoring.md - - name: DeviceInstallation - href: policy-csp-deviceinstallation.md - - name: DeviceLock - href: policy-csp-devicelock.md - - name: Display - href: policy-csp-display.md - - name: DmaGuard - href: policy-csp-dmaguard.md - - name: EAP - href: policy-csp-eap.md - - name: Education - href: policy-csp-education.md - - name: EnterpriseCloudPrint - href: policy-csp-enterprisecloudprint.md - - name: ErrorReporting - href: policy-csp-errorreporting.md - - name: EventLogService - href: policy-csp-eventlogservice.md - - name: Experience - href: policy-csp-experience.md - - name: ExploitGuard - href: policy-csp-exploitguard.md - - name: Feeds - href: policy-csp-feeds.md - - name: FileExplorer - href: policy-csp-fileexplorer.md - - name: Games - href: policy-csp-games.md - - name: Handwriting - href: policy-csp-handwriting.md - - name: HumanPresence - href: policy-csp-humanpresence.md - - name: InternetExplorer - href: policy-csp-internetexplorer.md - - name: Kerberos - href: policy-csp-kerberos.md - - name: KioskBrowser - href: policy-csp-kioskbrowser.md - - name: LanmanWorkstation - href: policy-csp-lanmanworkstation.md - - name: Licensing - href: policy-csp-licensing.md - - name: LocalPoliciesSecurityOptions - href: policy-csp-localpoliciessecurityoptions.md - - name: LocalUsersAndGroups - href: policy-csp-localusersandgroups.md - - name: LockDown - href: policy-csp-lockdown.md - - name: Maps - href: policy-csp-maps.md - - name: MemoryDump - href: policy-csp-memorydump.md - - name: Messaging - href: policy-csp-messaging.md - - name: MixedReality - href: policy-csp-mixedreality.md - - name: MSSecurityGuide - href: policy-csp-mssecurityguide.md - - name: MSSLegacy - href: policy-csp-msslegacy.md - - name: Multitasking - href: policy-csp-multitasking.md - - name: NetworkIsolation - href: policy-csp-networkisolation.md - - name: NetworkListManager - href: policy-csp-networklistmanager.md - - name: NewsAndInterests - href: policy-csp-newsandinterests.md - - name: Notifications - href: policy-csp-notifications.md - - name: Power - href: policy-csp-power.md - - name: Printers - href: policy-csp-printers.md - - name: Privacy - href: policy-csp-privacy.md - - name: RemoteAssistance - href: policy-csp-remoteassistance.md - - name: RemoteDesktop - href: policy-csp-remotedesktop.md - - name: RemoteDesktopServices - href: policy-csp-remotedesktopservices.md - - name: RemoteManagement - href: policy-csp-remotemanagement.md - - name: RemoteProcedureCall - href: policy-csp-remoteprocedurecall.md - - name: RemoteShell - href: policy-csp-remoteshell.md - - name: RestrictedGroups - href: policy-csp-restrictedgroups.md - - name: Search - href: policy-csp-search.md - - name: Security - href: policy-csp-security.md - - name: ServiceControlManager - href: policy-csp-servicecontrolmanager.md - - name: Settings - href: policy-csp-settings.md - - name: Speech - href: policy-csp-speech.md - - name: Start - href: policy-csp-start.md - - name: Storage - href: policy-csp-storage.md - - name: System - href: policy-csp-system.md - - name: SystemServices - href: policy-csp-systemservices.md - - name: TaskManager - href: policy-csp-taskmanager.md - - name: TaskScheduler - href: policy-csp-taskscheduler.md - - name: TextInput - href: policy-csp-textinput.md - - name: TimeLanguageSettings - href: policy-csp-timelanguagesettings.md - - name: Troubleshooting - href: policy-csp-troubleshooting.md - - name: Update - href: policy-csp-update.md - - name: UserRights - href: policy-csp-userrights.md - - name: VirtualizationBasedTechnology - href: policy-csp-virtualizationbasedtechnology.md - - name: Wifi - href: policy-csp-wifi.md - - name: WindowsAutoPilot - href: policy-csp-windowsautopilot.md - - name: WindowsConnectionManager - href: policy-csp-windowsconnectionmanager.md - - name: WindowsDefenderSecurityCenter - href: policy-csp-windowsdefendersecuritycenter.md - - name: WindowsDefenderSmartScreen - href: policy-csp-smartscreen.md - - name: WindowsInkWorkspace - href: policy-csp-windowsinkworkspace.md - - name: WindowsLogon - href: policy-csp-windowslogon.md - - name: WindowsPowerShell - href: policy-csp-windowspowershell.md - - name: WindowsSandbox - href: policy-csp-windowssandbox.md - - name: WirelessDisplay - href: policy-csp-wirelessdisplay.md - - name: Provisioning CSP - href: provisioning-csp.md - - name: PXLOGICAL CSP - href: pxlogical-csp.md - - name: Reboot CSP - href: reboot-csp.md - items: - - name: Reboot DDF file - href: reboot-ddf-file.md - - name: RemoteFind CSP - href: remotefind-csp.md - items: - - name: RemoteFind DDF file - href: remotefind-ddf-file.md - - name: RemoteWipe CSP - href: remotewipe-csp.md - items: - - name: RemoteWipe DDF file - href: remotewipe-ddf-file.md - - name: Reporting CSP - href: reporting-csp.md - items: - - name: Reporting DDF file - href: reporting-ddf-file.md - - name: RootCATrustedCertificates CSP - href: rootcacertificates-csp.md - items: - - name: RootCATrustedCertificates DDF file - href: rootcacertificates-ddf-file.md - - name: SecureAssessment CSP - href: secureassessment-csp.md - items: - - name: SecureAssessment DDF file - href: secureassessment-ddf-file.md - - name: SecurityPolicy CSP - href: securitypolicy-csp.md - - name: SharedPC CSP - href: sharedpc-csp.md - items: - - name: SharedPC DDF file - href: sharedpc-ddf-file.md - - name: Storage CSP - href: storage-csp.md - items: - - name: Storage DDF file - href: storage-ddf-file.md - - name: SUPL CSP - href: supl-csp.md - items: - - name: SUPL DDF file - href: supl-ddf-file.md - - name: SurfaceHub CSP - href: surfacehub-csp.md - items: - - name: SurfaceHub DDF file - href: surfacehub-ddf-file.md - - name: TenantLockdown CSP - href: tenantlockdown-csp.md - items: - - name: TenantLockdown DDF file - href: tenantlockdown-ddf.md - - name: TPMPolicy CSP - href: tpmpolicy-csp.md - items: - - name: TPMPolicy DDF file - href: tpmpolicy-ddf-file.md - - name: UEFI CSP - href: uefi-csp.md - items: - - name: UEFI DDF file - href: uefi-ddf.md - - name: UnifiedWriteFilter CSP - href: unifiedwritefilter-csp.md - items: - - name: UnifiedWriteFilter DDF file - href: unifiedwritefilter-ddf.md - - name: UniversalPrint CSP - href: universalprint-csp.md - items: - - name: UniversalPrint DDF file - href: universalprint-ddf-file.md - - name: Update CSP - href: update-csp.md - items: - - name: Update DDF file - href: update-ddf-file.md - - name: VPN CSP - href: vpn-csp.md - items: - - name: VPN DDF file - href: vpn-ddf-file.md - - name: VPNv2 CSP - href: vpnv2-csp.md - items: - - name: VPNv2 DDF file - href: vpnv2-ddf-file.md - - name: ProfileXML XSD - href: vpnv2-profile-xsd.md - - name: EAP configuration - href: eap-configuration.md - - name: w4 APPLICATION CSP - href: w4-application-csp.md - - name: w7 APPLICATION CSP - href: w7-application-csp.md - - name: WiFi CSP - href: wifi-csp.md - items: - - name: WiFi DDF file - href: wifi-ddf-file.md - - name: Win32AppInventory CSP - href: win32appinventory-csp.md - items: - - name: Win32AppInventory DDF file - href: win32appinventory-ddf-file.md - - name: Win32CompatibilityAppraiser CSP - href: win32compatibilityappraiser-csp.md - items: - - name: Win32CompatibilityAppraiser DDF file - href: win32compatibilityappraiser-ddf.md - - name: WindowsAdvancedThreatProtection CSP - href: windowsadvancedthreatprotection-csp.md - items: - - name: WindowsAdvancedThreatProtection DDF file - href: windowsadvancedthreatprotection-ddf.md - - name: WindowsAutopilot CSP - href: windowsautopilot-csp.md - items: - - name: WindowsAutopilot DDF file - href: windowsautopilot-ddf-file.md - - name: WindowsDefenderApplicationGuard CSP - href: windowsdefenderapplicationguard-csp.md - items: - - name: WindowsDefenderApplicationGuard DDF file - href: windowsdefenderapplicationguard-ddf-file.md - - name: WindowsLicensing CSP - href: windowslicensing-csp.md - items: - - name: WindowsLicensing DDF file - href: windowslicensing-ddf-file.md - - name: WiredNetwork CSP - href: wirednetwork-csp.md - items: - - name: WiredNetwork DDF file - href: wirednetwork-ddf-file.md + - name: Change history for MDM documentation + href: change-history-for-mdm-documentation.md + - name: Device enrollment + href: mobile-device-enrollment.md + items: + - name: MDM enrollment of Windows devices + href: mdm-enrollment-of-windows-devices.md + - name: "Azure AD and Microsoft Intune: Automatic MDM enrollment" + href: azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md + - name: Enroll a Windows 10 device automatically using Group Policy + href: enroll-a-windows-10-device-automatically-using-group-policy.md + - name: Bulk enrollment + href: bulk-enrollment-using-windows-provisioning-tool.md + - name: Federated authentication device enrollment + href: federated-authentication-device-enrollment.md + - name: Certificate authentication device enrollment + href: certificate-authentication-device-enrollment.md + - name: On-premises authentication device enrollment + href: on-premise-authentication-device-enrollment.md + - name: Disconnecting a device from MDM (unenrollment) + href: disconnecting-from-mdm-unenrollment.md + - name: Understanding ADMX policies + href: understanding-admx-backed-policies.md + items: + - name: Enable ADMX policies in MDM + href: enable-admx-backed-policies-in-mdm.md + - name: Win32 and Desktop Bridge app policy configuration + href: win32-and-centennial-app-policy-configuration.md + - name: Azure Active Directory integration with MDM + href: azure-active-directory-integration-with-mdm.md + items: + - name: Add an Azure AD tenant and Azure AD subscription + href: add-an-azure-ad-tenant-and-azure-ad-subscription.md + - name: Register your free Azure Active Directory subscription + href: register-your-free-azure-active-directory-subscription.md + - name: Enterprise settings, policies, and app management + href: windows-mdm-enterprise-settings.md + items: + - name: Enterprise app management + href: enterprise-app-management.md + items: + - name: Deploy and configure App-V apps using MDM + href: appv-deploy-and-config.md + - name: Management tool for the Microsoft Store for Business + href: management-tool-for-windows-store-for-business.md + - name: REST API reference for Microsoft Store for Business + href: rest-api-reference-windows-store-for-business.md + items: + - name: Data structures for Microsoft Store for Business + href: data-structures-windows-store-for-business.md + - name: Get Inventory + href: get-inventory.md + - name: Get product details + href: get-product-details.md + - name: Get localized product details + href: get-localized-product-details.md + - name: Get offline license + href: get-offline-license.md + - name: Get product packages + href: get-product-packages.md + - name: Get product package + href: get-product-package.md + - name: Get seats + href: get-seats.md + - name: Get seat + href: get-seat.md + - name: Assign seats + href: assign-seats.md + - name: Reclaim seat from user + href: reclaim-seat-from-user.md + - name: Bulk assign and reclaim seats from users + href: bulk-assign-and-reclaim-seats-from-user.md + - name: Get seats assigned to a user + href: get-seats-assigned-to-a-user.md + - name: Mobile device management (MDM) for device updates + href: device-update-management.md + - name: Secured-Core PC Configuration Lock + href: config-lock.md + - name: Certificate renewal + href: certificate-renewal-windows-mdm.md + - name: Using PowerShell scripting with the WMI Bridge Provider + href: using-powershell-scripting-with-the-wmi-bridge-provider.md + - name: WMI providers supported in Windows 10 + href: wmi-providers-supported-in-windows.md + - name: Diagnose MDM failures in Windows 10 + href: diagnose-mdm-failures-in-windows-10.md + - name: Push notification support for device management + href: push-notification-windows-mdm.md + - name: MAM support for device management + href: implement-server-side-mobile-application-management.md + - name: OMA DM protocol support + href: oma-dm-protocol-support.md + items: + - name: Structure of OMA DM provisioning files + href: structure-of-oma-dm-provisioning-files.md + - name: Server requirements for OMA DM + href: server-requirements-windows-mdm.md + - name: DMProcessConfigXMLFiltered + href: dmprocessconfigxmlfiltered.md + - name: Configuration service provider reference + href: configuration-service-provider-reference.md + items: + - name: AccountManagement CSP + href: accountmanagement-csp.md + items: + - name: AccountManagement DDF file + href: accountmanagement-ddf.md + - name: Accounts CSP + href: accounts-csp.md + items: + - name: Accounts DDF file + href: accounts-ddf-file.md + - name: ActiveSync CSP + href: activesync-csp.md + items: + - name: ActiveSync DDF file + href: activesync-ddf-file.md + - name: AllJoynManagement CSP + href: alljoynmanagement-csp.md + items: + - name: AllJoynManagement DDF + href: alljoynmanagement-ddf.md + - name: APPLICATION CSP + href: application-csp.md + - name: ApplicationControl CSP + href: applicationcontrol-csp.md + items: + - name: ApplicationControl DDF file + href: applicationcontrol-csp-ddf.md + - name: AppLocker CSP + href: applocker-csp.md + items: + - name: AppLocker DDF file + href: applocker-ddf-file.md + - name: AppLocker XSD + href: applocker-xsd.md + - name: AssignedAccess CSP + href: assignedaccess-csp.md + items: + - name: AssignedAccess DDF file + href: assignedaccess-ddf.md + - name: BitLocker CSP + href: bitlocker-csp.md + items: + - name: BitLocker DDF file + href: bitlocker-ddf-file.md + - name: CellularSettings CSP + href: cellularsettings-csp.md + - name: CertificateStore CSP + href: certificatestore-csp.md + items: + - name: CertificateStore DDF file + href: certificatestore-ddf-file.md + - name: CleanPC CSP + href: cleanpc-csp.md + items: + - name: CleanPC DDF + href: cleanpc-ddf.md + - name: ClientCertificateInstall CSP + href: clientcertificateinstall-csp.md + items: + - name: ClientCertificateInstall DDF file + href: clientcertificateinstall-ddf-file.md + - name: CM_CellularEntries CSP + href: cm-cellularentries-csp.md + - name: CMPolicy CSP + href: cmpolicy-csp.md + - name: CMPolicyEnterprise CSP + href: cmpolicyenterprise-csp.md + items: + - name: CMPolicyEnterprise DDF file + href: cmpolicyenterprise-ddf-file.md + - name: CustomDeviceUI CSP + href: customdeviceui-csp.md + items: + - name: CustomDeviceUI DDF file + href: customdeviceui-ddf.md + - name: Defender CSP + href: defender-csp.md + items: + - name: Defender DDF file + href: defender-ddf.md + - name: DevDetail CSP + href: devdetail-csp.md + items: + - name: DevDetail DDF file + href: devdetail-ddf-file.md + - name: DeveloperSetup CSP + href: developersetup-csp.md + items: + - name: DeveloperSetup DDF + href: developersetup-ddf.md + - name: DeviceLock CSP + href: devicelock-csp.md + items: + - name: DeviceLock DDF file + href: devicelock-ddf-file.md + - name: DeviceManageability CSP + href: devicemanageability-csp.md + items: + - name: DeviceManageability DDF + href: devicemanageability-ddf.md + - name: DeviceStatus CSP + href: devicestatus-csp.md + items: + - name: DeviceStatus DDF + href: devicestatus-ddf.md + - name: DevInfo CSP + href: devinfo-csp.md + items: + - name: DevInfo DDF file + href: devinfo-ddf-file.md + - name: DiagnosticLog CSP + href: diagnosticlog-csp.md + items: + - name: DiagnosticLog DDF file + href: diagnosticlog-ddf.md + - name: DMAcc CSP + href: dmacc-csp.md + items: + - name: DMAcc DDF file + href: dmacc-ddf-file.md + - name: DMClient CSP + href: dmclient-csp.md + items: + - name: DMClient DDF file + href: dmclient-ddf-file.md + - name: DMSessionActions CSP + href: dmsessionactions-csp.md + items: + - name: DMSessionActions DDF file + href: dmsessionactions-ddf.md + - name: DynamicManagement CSP + href: dynamicmanagement-csp.md + items: + - name: DynamicManagement DDF file + href: dynamicmanagement-ddf.md + - name: EMAIL2 CSP + href: email2-csp.md + items: + - name: EMAIL2 DDF file + href: email2-ddf-file.md + - name: EnrollmentStatusTracking CSP + href: enrollmentstatustracking-csp.md + items: + - name: EnrollmentStatusTracking DDF file + href: enrollmentstatustracking-csp-ddf.md + - name: EnterpriseAPN CSP + href: enterpriseapn-csp.md + items: + - name: EnterpriseAPN DDF + href: enterpriseapn-ddf.md + - name: EnterpriseAppVManagement CSP + href: enterpriseappvmanagement-csp.md + items: + - name: EnterpriseAppVManagement DDF file + href: enterpriseappvmanagement-ddf.md + - name: EnterpriseDataProtection CSP + href: enterprisedataprotection-csp.md + items: + - name: EnterpriseDataProtection DDF file + href: enterprisedataprotection-ddf-file.md + - name: EnterpriseDesktopAppManagement CSP + href: enterprisedesktopappmanagement-csp.md + items: + - name: EnterpriseDesktopAppManagement DDF + href: enterprisedesktopappmanagement-ddf-file.md + - name: EnterpriseDesktopAppManagement XSD + href: enterprisedesktopappmanagement2-xsd.md + - name: EnterpriseModernAppManagement CSP + href: enterprisemodernappmanagement-csp.md + items: + - name: EnterpriseModernAppManagement DDF + href: enterprisemodernappmanagement-ddf.md + - name: EnterpriseModernAppManagement XSD + href: enterprisemodernappmanagement-xsd.md + - name: eUICCs CSP + href: euiccs-csp.md + items: + - name: eUICCs DDF file + href: euiccs-ddf-file.md + - name: Firewall CSP + href: firewall-csp.md + items: + - name: Firewall DDF file + href: firewall-ddf-file.md + - name: HealthAttestation CSP + href: healthattestation-csp.md + items: + - name: HealthAttestation DDF + href: healthattestation-ddf.md + - name: MultiSIM CSP + href: multisim-csp.md + items: + - name: MultiSIM DDF file + href: multisim-ddf.md + - name: NAP CSP + href: nap-csp.md + - name: NAPDEF CSP + href: napdef-csp.md + - name: NetworkProxy CSP + href: networkproxy-csp.md + items: + - name: NetworkProxy DDF file + href: networkproxy-ddf.md + - name: NetworkQoSPolicy CSP + href: networkqospolicy-csp.md + items: + - name: NetworkQoSPolicy DDF file + href: networkqospolicy-ddf.md + - name: NodeCache CSP + href: nodecache-csp.md + items: + - name: NodeCache DDF file + href: nodecache-ddf-file.md + - name: Office CSP + href: office-csp.md + items: + - name: Office DDF + href: office-ddf.md + - name: PassportForWork CSP + href: passportforwork-csp.md + items: + - name: PassportForWork DDF file + href: passportforwork-ddf.md + - name: Personalization CSP + href: personalization-csp.md + items: + - name: Personalization DDF file + href: personalization-ddf.md + - name: Policy CSP + href: policy-configuration-service-provider.md + items: + - name: Policy CSP DDF file + href: policy-ddf-file.md + - name: Policies in Policy CSP supported by Group Policy + href: policies-in-policy-csp-supported-by-group-policy.md + - name: ADMX policies in Policy CSP + href: policies-in-policy-csp-admx-backed.md + - name: Policies in Policy CSP supported by HoloLens 2 + href: policies-in-policy-csp-supported-by-hololens2.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite + href: policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md + - name: Policies in Policy CSP supported by HoloLens (1st gen) Development Edition + href: policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md + - name: Policies in Policy CSP supported by Windows 10 IoT Enterprise + href: ./configuration-service-provider-reference.md + - name: Policies in Policy CSP supported by Windows 10 IoT Core + href: policies-in-policy-csp-supported-by-iot-core.md + - name: Policies in Policy CSP supported by Microsoft Surface Hub + href: policies-in-policy-csp-supported-by-surface-hub.md + - name: Policy CSPs that can be set using Exchange Active Sync (EAS) + href: policies-in-policy-csp-that-can-be-set-using-eas.md + - name: AboveLock + href: policy-csp-abovelock.md + - name: Accounts + href: policy-csp-accounts.md + - name: ActiveXControls + href: policy-csp-activexcontrols.md + - name: ADMX_ActiveXInstallService + href: policy-csp-admx-activexinstallservice.md + - name: ADMX_AddRemovePrograms + href: policy-csp-admx-addremoveprograms.md + - name: ADMX_AdmPwd + href: policy-csp-admx-admpwd.md + - name: ADMX_AppCompat + href: policy-csp-admx-appcompat.md + - name: ADMX_AppxPackageManager + href: policy-csp-admx-appxpackagemanager.md + - name: ADMX_AppXRuntime + href: policy-csp-admx-appxruntime.md + - name: ADMX_AttachmentManager + href: policy-csp-admx-attachmentmanager.md + - name: ADMX_AuditSettings + href: policy-csp-admx-auditsettings.md + - name: ADMX_Bits + href: policy-csp-admx-bits.md + - name: ADMX_CipherSuiteOrder + href: policy-csp-admx-ciphersuiteorder.md + - name: ADMX_COM + href: policy-csp-admx-com.md + - name: ADMX_ControlPanel + href: policy-csp-admx-controlpanel.md + - name: ADMX_ControlPanelDisplay + href: policy-csp-admx-controlpaneldisplay.md + - name: ADMX_Cpls + href: policy-csp-admx-cpls.md + - name: ADMX_CredentialProviders + href: policy-csp-admx-credentialproviders.md + - name: ADMX_CredSsp + href: policy-csp-admx-credssp.md + - name: ADMX_CredUI + href: policy-csp-admx-credui.md + - name: ADMX_CtrlAltDel + href: policy-csp-admx-ctrlaltdel.md + - name: ADMX_DataCollection + href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md + - name: ADMX_Desktop + href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md + - name: ADMX_DeviceInstallation + href: policy-csp-admx-deviceinstallation.md + - name: ADMX_DeviceSetup + href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md + - name: ADMX_DigitalLocker + href: policy-csp-admx-digitallocker.md + - name: ADMX_DiskDiagnostic + href: policy-csp-admx-diskdiagnostic.md + - name: ADMX_DistributedLinkTracking + href: policy-csp-admx-distributedlinktracking.md + - name: ADMX_DnsClient + href: policy-csp-admx-dnsclient.md + - name: ADMX_DWM + href: policy-csp-admx-dwm.md + - name: ADMX_EAIME + href: policy-csp-admx-eaime.md + - name: ADMX_EncryptFilesonMove + href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md + - name: ADMX_EnhancedStorage + href: policy-csp-admx-enhancedstorage.md + - name: ADMX_ErrorReporting + href: policy-csp-admx-errorreporting.md + - name: ADMX_EventForwarding + href: policy-csp-admx-eventforwarding.md + - name: ADMX_EventLog + href: policy-csp-admx-eventlog.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md + - name: ADMX_Explorer + href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md + - name: ADMX_FileRecovery + href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md + - name: ADMX_FileServerVSSProvider + href: policy-csp-admx-fileservervssprovider.md + - name: ADMX_FileSys + href: policy-csp-admx-filesys.md + - name: ADMX_FolderRedirection + href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md + - name: ADMX_Globalization + href: policy-csp-admx-globalization.md + - name: ADMX_GroupPolicy + href: policy-csp-admx-grouppolicy.md + - name: ADMX_Help + href: policy-csp-admx-help.md + - name: ADMX_HelpAndSupport + href: policy-csp-admx-helpandsupport.md + - name: ADMX_HotSpotAuth + href: policy-csp-admx-hotspotauth.md + - name: ADMX_ICM + href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md + - name: ADMX_iSCSI + href: policy-csp-admx-iscsi.md + - name: ADMX_kdc + href: policy-csp-admx-kdc.md + - name: ADMX_Kerberos + href: policy-csp-admx-kerberos.md + - name: ADMX_LanmanServer + href: policy-csp-admx-lanmanserver.md + - name: ADMX_LanmanWorkstation + href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md + - name: ADMX_LinkLayerTopologyDiscovery + href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md + - name: ADMX_Logon + href: policy-csp-admx-logon.md + - name: ADMX_MicrosoftDefenderAntivirus + href: policy-csp-admx-microsoftdefenderantivirus.md + - name: ADMX_MMC + href: policy-csp-admx-mmc.md + - name: ADMX_MMCSnapins + href: policy-csp-admx-mmcsnapins.md + - name: ADMX_MobilePCMobilityCenter + href: policy-csp-admx-mobilepcmobilitycenter.md + - name: ADMX_MobilePCPresentationSettings + href: policy-csp-admx-mobilepcpresentationsettings.md + - name: ADMX_MSAPolicy + href: policy-csp-admx-msapolicy.md + - name: ADMX_msched + href: policy-csp-admx-msched.md + - name: ADMX_MSDT + href: policy-csp-admx-msdt.md + - name: ADMX_MSI + href: policy-csp-admx-msi.md + - name: ADMX_MsiFileRecovery + href: policy-csp-admx-msifilerecovery.md + - name: ADMX_nca + href: policy-csp-admx-nca.md + - name: ADMX_NCSI + href: policy-csp-admx-ncsi.md + - name: ADMX_Netlogon + href: policy-csp-admx-netlogon.md + - name: ADMX_NetworkConnections + href: policy-csp-admx-networkconnections.md + - name: ADMX_OfflineFiles + href: policy-csp-admx-offlinefiles.md + - name: ADMX_pca + href: policy-csp-admx-pca.md + - name: ADMX_PeerToPeerCaching + href: policy-csp-admx-peertopeercaching.md + - name: ADMX_PenTraining + href: policy-csp-admx-pentraining.md + - name: ADMX_PerformanceDiagnostics + href: policy-csp-admx-performancediagnostics.md + - name: ADMX_Power + href: policy-csp-admx-power.md + - name: ADMX_PowerShellExecutionPolicy + href: policy-csp-admx-powershellexecutionpolicy.md + - name: ADMX_PreviousVersions + href: policy-csp-admx-previousversions.md + - name: ADMX_Printing + href: policy-csp-admx-printing.md + - name: ADMX_Printing2 + href: policy-csp-admx-printing2.md + - name: ADMX_Programs + href: policy-csp-admx-programs.md + - name: ADMX_Reliability + href: policy-csp-admx-reliability.md + - name: ADMX_RemoteAssistance + href: policy-csp-admx-remoteassistance.md + - name: ADMX_RemovableStorage + href: policy-csp-admx-removablestorage.md + - name: ADMX_RPC + href: policy-csp-admx-rpc.md + - name: ADMX_Scripts + href: policy-csp-admx-scripts.md + - name: ADMX_sdiageng + href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md + - name: ADMX_Securitycenter + href: policy-csp-admx-securitycenter.md + - name: ADMX_Sensors + href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md + - name: ADMX_Servicing + href: policy-csp-admx-servicing.md + - name: ADMX_SettingSync + href: policy-csp-admx-settingsync.md + - name: ADMX_SharedFolders + href: policy-csp-admx-sharedfolders.md + - name: ADMX_Sharing + href: policy-csp-admx-sharing.md + - name: ADMX_ShellCommandPromptRegEditTools + href: policy-csp-admx-shellcommandpromptregedittools.md + - name: ADMX_Smartcard + href: policy-csp-admx-smartcard.md + - name: ADMX_Snmp + href: policy-csp-admx-snmp.md + - name: ADMX_StartMenu + href: policy-csp-admx-startmenu.md + - name: ADMX_SystemRestore + href: policy-csp-admx-systemrestore.md + - name: ADMX_TabletShell + href: policy-csp-admx-tabletshell.md + - name: ADMX_Taskbar + href: policy-csp-admx-taskbar.md + - name: ADMX_tcpip + href: policy-csp-admx-tcpip.md + - name: ADMX_TerminalServer + href: policy-csp-admx-terminalserver.md + - name: ADMX_Thumbnails + href: policy-csp-admx-thumbnails.md + - name: ADMX_TouchInput + href: policy-csp-admx-touchinput.md + - name: ADMX_TPM + href: policy-csp-admx-tpm.md + - name: ADMX_UserExperienceVirtualization + href: policy-csp-admx-userexperiencevirtualization.md + - name: ADMX_UserProfiles + href: policy-csp-admx-userprofiles.md + - name: ADMX_W32Time + href: policy-csp-admx-w32time.md + - name: ADMX_WCM + href: policy-csp-admx-wcm.md + - name: ADMX_WDI + href: policy-csp-admx-wdi.md + - name: ADMX_WinCal + href: policy-csp-admx-wincal.md + - name: ADMX_WindowsConnectNow + href: policy-csp-admx-windowsconnectnow.md + - name: ADMX_WindowsExplorer + href: policy-csp-admx-windowsexplorer.md + - name: ADMX_WindowsMediaDRM + href: policy-csp-admx-windowsmediadrm.md + - name: ADMX_WindowsMediaPlayer + href: policy-csp-admx-windowsmediaplayer.md + - name: ADMX_WindowsRemoteManagement + href: policy-csp-admx-windowsremotemanagement.md + - name: ADMX_WindowsStore + href: policy-csp-admx-windowsstore.md + - name: ADMX_WinInit + href: policy-csp-admx-wininit.md + - name: ADMX_WinLogon + href: policy-csp-admx-winlogon.md + - name: ADMX-Winsrv + href: policy-csp-admx-winsrv.md + - name: ADMX_wlansvc + href: policy-csp-admx-wlansvc.md + - name: ADMX_WordWheel + href: policy-csp-admx-wordwheel.md + - name: ADMX_WorkFoldersClient + href: policy-csp-admx-workfoldersclient.md + - name: ADMX_WPN + href: policy-csp-admx-wpn.md + - name: ApplicationDefaults + href: policy-csp-applicationdefaults.md + - name: ApplicationManagement + href: policy-csp-applicationmanagement.md + - name: AppRuntime + href: policy-csp-appruntime.md + - name: AppVirtualization + href: policy-csp-appvirtualization.md + - name: AttachmentManager + href: policy-csp-attachmentmanager.md + - name: Audit + href: policy-csp-audit.md + - name: Authentication + href: policy-csp-authentication.md + - name: Autoplay + href: policy-csp-autoplay.md + - name: BitLocker + href: policy-csp-bitlocker.md + - name: BITS + href: policy-csp-bits.md + - name: Bluetooth + href: policy-csp-bluetooth.md + - name: Browser + href: policy-csp-browser.md + - name: Camera + href: policy-csp-camera.md + - name: Cellular + href: policy-csp-cellular.md + - name: Connectivity + href: policy-csp-connectivity.md + - name: ControlPolicyConflict + href: policy-csp-controlpolicyconflict.md + - name: CredentialsDelegation + href: policy-csp-credentialsdelegation.md + - name: CredentialProviders + href: policy-csp-credentialproviders.md + - name: CredentialsUI + href: policy-csp-credentialsui.md + - name: Cryptography + href: policy-csp-cryptography.md + - name: DataProtection + href: policy-csp-dataprotection.md + - name: DataUsage + href: policy-csp-datausage.md + - name: Defender + href: policy-csp-defender.md + - name: DeliveryOptimization + href: policy-csp-deliveryoptimization.md + - name: Desktop + href: policy-csp-desktop.md + - name: DeviceGuard + href: policy-csp-deviceguard.md + - name: DeviceHealthMonitoring + href: policy-csp-devicehealthmonitoring.md + - name: DeviceInstallation + href: policy-csp-deviceinstallation.md + - name: DeviceLock + href: policy-csp-devicelock.md + - name: Display + href: policy-csp-display.md + - name: DmaGuard + href: policy-csp-dmaguard.md + - name: EAP + href: policy-csp-eap.md + - name: Education + href: policy-csp-education.md + - name: EnterpriseCloudPrint + href: policy-csp-enterprisecloudprint.md + - name: ErrorReporting + href: policy-csp-errorreporting.md + - name: EventLogService + href: policy-csp-eventlogservice.md + - name: Experience + href: policy-csp-experience.md + - name: ExploitGuard + href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md + - name: FileExplorer + href: policy-csp-fileexplorer.md + - name: Games + href: policy-csp-games.md + - name: Handwriting + href: policy-csp-handwriting.md + - name: HumanPresence + href: policy-csp-humanpresence.md + - name: InternetExplorer + href: policy-csp-internetexplorer.md + - name: Kerberos + href: policy-csp-kerberos.md + - name: KioskBrowser + href: policy-csp-kioskbrowser.md + - name: LanmanWorkstation + href: policy-csp-lanmanworkstation.md + - name: Licensing + href: policy-csp-licensing.md + - name: LocalPoliciesSecurityOptions + href: policy-csp-localpoliciessecurityoptions.md + - name: LocalUsersAndGroups + href: policy-csp-localusersandgroups.md + - name: LockDown + href: policy-csp-lockdown.md + - name: Maps + href: policy-csp-maps.md + - name: MemoryDump + href: policy-csp-memorydump.md + - name: Messaging + href: policy-csp-messaging.md + - name: MixedReality + href: policy-csp-mixedreality.md + - name: MSSecurityGuide + href: policy-csp-mssecurityguide.md + - name: MSSLegacy + href: policy-csp-msslegacy.md + - name: Multitasking + href: policy-csp-multitasking.md + - name: NetworkIsolation + href: policy-csp-networkisolation.md + - name: NetworkListManager + href: policy-csp-networklistmanager.md + - name: NewsAndInterests + href: policy-csp-newsandinterests.md + - name: Notifications + href: policy-csp-notifications.md + - name: Power + href: policy-csp-power.md + - name: Printers + href: policy-csp-printers.md + - name: Privacy + href: policy-csp-privacy.md + - name: RemoteAssistance + href: policy-csp-remoteassistance.md + - name: RemoteDesktop + href: policy-csp-remotedesktop.md + - name: RemoteDesktopServices + href: policy-csp-remotedesktopservices.md + - name: RemoteManagement + href: policy-csp-remotemanagement.md + - name: RemoteProcedureCall + href: policy-csp-remoteprocedurecall.md + - name: RemoteShell + href: policy-csp-remoteshell.md + - name: RestrictedGroups + href: policy-csp-restrictedgroups.md + - name: Search + href: policy-csp-search.md + - name: Security + href: policy-csp-security.md + - name: ServiceControlManager + href: policy-csp-servicecontrolmanager.md + - name: Settings + href: policy-csp-settings.md + - name: Speech + href: policy-csp-speech.md + - name: Start + href: policy-csp-start.md + - name: Storage + href: policy-csp-storage.md + - name: System + href: policy-csp-system.md + - name: SystemServices + href: policy-csp-systemservices.md + - name: TaskManager + href: policy-csp-taskmanager.md + - name: TaskScheduler + href: policy-csp-taskscheduler.md + - name: TextInput + href: policy-csp-textinput.md + - name: TimeLanguageSettings + href: policy-csp-timelanguagesettings.md + - name: Troubleshooting + href: policy-csp-troubleshooting.md + - name: Update + href: policy-csp-update.md + - name: UserRights + href: policy-csp-userrights.md + - name: VirtualizationBasedTechnology + href: policy-csp-virtualizationbasedtechnology.md + - name: Wifi + href: policy-csp-wifi.md + - name: WindowsAutoPilot + href: policy-csp-windowsautopilot.md + - name: WindowsConnectionManager + href: policy-csp-windowsconnectionmanager.md + - name: WindowsDefenderSecurityCenter + href: policy-csp-windowsdefendersecuritycenter.md + - name: WindowsDefenderSmartScreen + href: policy-csp-smartscreen.md + - name: WindowsInkWorkspace + href: policy-csp-windowsinkworkspace.md + - name: WindowsLogon + href: policy-csp-windowslogon.md + - name: WindowsPowerShell + href: policy-csp-windowspowershell.md + - name: WindowsSandbox + href: policy-csp-windowssandbox.md + - name: WirelessDisplay + href: policy-csp-wirelessdisplay.md + - name: Provisioning CSP + href: provisioning-csp.md + - name: PXLOGICAL CSP + href: pxlogical-csp.md + - name: Reboot CSP + href: reboot-csp.md + items: + - name: Reboot DDF file + href: reboot-ddf-file.md + - name: RemoteFind CSP + href: remotefind-csp.md + items: + - name: RemoteFind DDF file + href: remotefind-ddf-file.md + - name: RemoteWipe CSP + href: remotewipe-csp.md + items: + - name: RemoteWipe DDF file + href: remotewipe-ddf-file.md + - name: Reporting CSP + href: reporting-csp.md + items: + - name: Reporting DDF file + href: reporting-ddf-file.md + - name: RootCATrustedCertificates CSP + href: rootcacertificates-csp.md + items: + - name: RootCATrustedCertificates DDF file + href: rootcacertificates-ddf-file.md + - name: SecureAssessment CSP + href: secureassessment-csp.md + items: + - name: SecureAssessment DDF file + href: secureassessment-ddf-file.md + - name: SecurityPolicy CSP + href: securitypolicy-csp.md + - name: SharedPC CSP + href: sharedpc-csp.md + items: + - name: SharedPC DDF file + href: sharedpc-ddf-file.md + - name: Storage CSP + href: storage-csp.md + items: + - name: Storage DDF file + href: storage-ddf-file.md + - name: SUPL CSP + href: supl-csp.md + items: + - name: SUPL DDF file + href: supl-ddf-file.md + - name: SurfaceHub CSP + href: surfacehub-csp.md + items: + - name: SurfaceHub DDF file + href: surfacehub-ddf-file.md + - name: TenantLockdown CSP + href: tenantlockdown-csp.md + items: + - name: TenantLockdown DDF file + href: tenantlockdown-ddf.md + - name: TPMPolicy CSP + href: tpmpolicy-csp.md + items: + - name: TPMPolicy DDF file + href: tpmpolicy-ddf-file.md + - name: UEFI CSP + href: uefi-csp.md + items: + - name: UEFI DDF file + href: uefi-ddf.md + - name: UnifiedWriteFilter CSP + href: unifiedwritefilter-csp.md + items: + - name: UnifiedWriteFilter DDF file + href: unifiedwritefilter-ddf.md + - name: UniversalPrint CSP + href: universalprint-csp.md + items: + - name: UniversalPrint DDF file + href: universalprint-ddf-file.md + - name: Update CSP + href: update-csp.md + items: + - name: Update DDF file + href: update-ddf-file.md + - name: VPN CSP + href: vpn-csp.md + items: + - name: VPN DDF file + href: vpn-ddf-file.md + - name: VPNv2 CSP + href: vpnv2-csp.md + items: + - name: VPNv2 DDF file + href: vpnv2-ddf-file.md + - name: ProfileXML XSD + href: vpnv2-profile-xsd.md + - name: EAP configuration + href: eap-configuration.md + - name: w4 APPLICATION CSP + href: w4-application-csp.md + - name: w7 APPLICATION CSP + href: w7-application-csp.md + - name: WiFi CSP + href: wifi-csp.md + items: + - name: WiFi DDF file + href: wifi-ddf-file.md + - name: Win32AppInventory CSP + href: win32appinventory-csp.md + items: + - name: Win32AppInventory DDF file + href: win32appinventory-ddf-file.md + - name: Win32CompatibilityAppraiser CSP + href: win32compatibilityappraiser-csp.md + items: + - name: Win32CompatibilityAppraiser DDF file + href: win32compatibilityappraiser-ddf.md + - name: WindowsAdvancedThreatProtection CSP + href: windowsadvancedthreatprotection-csp.md + items: + - name: WindowsAdvancedThreatProtection DDF file + href: windowsadvancedthreatprotection-ddf.md + - name: WindowsAutopilot CSP + href: windowsautopilot-csp.md + items: + - name: WindowsAutopilot DDF file + href: windowsautopilot-ddf-file.md + - name: WindowsDefenderApplicationGuard CSP + href: windowsdefenderapplicationguard-csp.md + items: + - name: WindowsDefenderApplicationGuard DDF file + href: windowsdefenderapplicationguard-ddf-file.md + - name: WindowsLicensing CSP + href: windowslicensing-csp.md + items: + - name: WindowsLicensing DDF file + href: windowslicensing-ddf-file.md + - name: WiredNetwork CSP + href: wirednetwork-csp.md + items: + - name: WiredNetwork DDF file + href: wirednetwork-ddf-file.md diff --git a/windows/security/index.yml b/windows/security/index.yml index 1c56c04c1c..2fedb0e205 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -16,7 +16,7 @@ metadata: ms.author: dansimp #Required; microsoft alias of author; optional team alias. ms.date: 09/20/2021 localization_priority: Priority - + # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new landingContent: From 63dc183c67c9cb5625125ecc2478dffd75a67a98 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 4 Aug 2022 12:14:20 -0400 Subject: [PATCH 36/77] Update parent toc --- windows/client-management/toc.yml | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml index 92e5722e04..d856948d89 100644 --- a/windows/client-management/toc.yml +++ b/windows/client-management/toc.yml @@ -1,7 +1,7 @@ items: - name: Windows client management href: index.yml - items: + items: - name: Client management tools and settings items: - name: Windows Tools/Administrative Tools @@ -29,30 +29,30 @@ items: - name: Windows libraries href: windows-libraries.md - name: Mobile device management (MDM) - items: - - name: Mobile Device Management - href: mdm/index.md + items: + - name: Mobile Device Management + href: mdm/index.yml - name: Configuration Service Provider (CSP) - items: - - name: CSP reference + items: + - name: CSP reference href: mdm/configuration-service-provider-reference.md - name: Troubleshoot Windows clients - items: - - name: Windows 10 support solutions + items: + - name: Windows 10 support solutions href: windows-10-support-solutions.md - name: Advanced troubleshooting for Windows networking href: troubleshoot-networking.md - items: + items: - name: Advanced troubleshooting Wireless network connectivity href: advanced-troubleshooting-wireless-network-connectivity.md - name: Advanced troubleshooting 802.1X authentication href: advanced-troubleshooting-802-authentication.md - items: + items: - name: Data collection for troubleshooting 802.1X authentication href: data-collection-for-802-authentication.md - name: Advanced troubleshooting for TCP/IP href: troubleshoot-tcpip.md - items: + items: - name: Collect data using Network Monitor href: troubleshoot-tcpip-netmon.md - name: "Part 1: TCP/IP performance overview" @@ -60,7 +60,7 @@ items: - name: "Part 2: TCP/IP performance underlying network issues" href: /troubleshoot/windows-server/networking/troubleshooting-tcpip-performance-underlying-network - name: "Part 3: TCP/IP performance known issues" - href: /troubleshoot/windows-server/networking/tcpip-performance-known-issues + href: /troubleshoot/windows-server/networking/tcpip-performance-known-issues - name: Troubleshoot TCP/IP connectivity href: troubleshoot-tcpip-connectivity.md - name: Troubleshoot port exhaustion @@ -69,7 +69,7 @@ items: href: troubleshoot-tcpip-rpc-errors.md - name: Advanced troubleshooting for Windows startup href: troubleshoot-windows-startup.md - items: + items: - name: How to determine the appropriate page file size for 64-bit versions of Windows href: determine-appropriate-page-file-size.md - name: Generate a kernel or complete crash dump From 54f7ca7fa9e12ae818d084c5cb6129558a62c255 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 4 Aug 2022 12:19:23 -0400 Subject: [PATCH 37/77] Fix links --- windows/client-management/index.yml | 4 ++-- .../mdm/change-history-for-mdm-documentation.md | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/client-management/index.yml b/windows/client-management/index.yml index 2bb8db6fd8..4dd2469b3f 100644 --- a/windows/client-management/index.yml +++ b/windows/client-management/index.yml @@ -18,7 +18,7 @@ metadata: manager: dougeby ms.date: 03/28/2022 #Required; mm/dd/yyyy format. localization_priority: medium - + # linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new landingContent: @@ -34,7 +34,7 @@ landingContent: - text: Create mandatory user profiles url: mandatory-user-profile.md - text: Mobile device management (MDM) - url: mdm/index.md + url: mdm/index.yml - text: MDM for device updates url: mdm/device-update-management.md - text: Mobile device enrollment diff --git a/windows/client-management/mdm/change-history-for-mdm-documentation.md b/windows/client-management/mdm/change-history-for-mdm-documentation.md index 5eb147ea0c..335e7119ac 100644 --- a/windows/client-management/mdm/change-history-for-mdm-documentation.md +++ b/windows/client-management/mdm/change-history-for-mdm-documentation.md @@ -3,7 +3,7 @@ title: Change history for MDM documentation description: This article lists new and updated articles for Mobile Device Management. author: aczechowski ms.author: aaroncz -ms.reviewer: +ms.reviewer: manager: dougeby ms.topic: article ms.prod: w10 @@ -60,7 +60,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |New or updated article | Description| |--- | ---| |[BitLocker CSP](bitlocker-csp.md)|Added the bitmask table for the Status/DeviceEncryptionStatus node.| -|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table. +|[Policy CSP - RestrictedGroups](policy-csp-restrictedgroups.md)| Updated the topic with more details. Added policy timeline table. ## February 2020 @@ -162,7 +162,7 @@ This article lists new and updated articles for the Mobile Device Management (MD |--- | ---| |[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| |[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.| -|[Mobile device management](index.md)|Updated information about MDM Security Baseline.| +|[Mobile device management](index.yml)|Updated information about MDM Security Baseline.| ## December 2018 From d23f6cc7f240b491671006d218245e8b65612426 Mon Sep 17 00:00:00 2001 From: Stephanie Savell <101299710+v-stsavell@users.noreply.github.com> Date: Thu, 4 Aug 2022 11:29:04 -0500 Subject: [PATCH 38/77] Update windows/configuration/guidelines-for-assigned-access-app.md --- windows/configuration/guidelines-for-assigned-access-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 15ad98c12b..04f81753d3 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -138,7 +138,7 @@ The following table gives examples for blocked URLs. | `*:8080` | Blocks all requests to port 8080. | | `contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. | | `192.168.1.2` | Blocks requests to 192.168.1.2. | -| `youtube.com/watch?v=V1` | Blocks Youtube video with id V1. | +| `youtube.com/watch?v=V1` | Blocks YouTube video with id V1. | ### Other browsers From beef84c3cb8930fd1b6b8a501c8ee069a39315c0 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Thu, 28 Apr 2022 11:50:23 +0530 Subject: [PATCH 39/77] Acrolinx enhancement --- .../ue-v/uev-administering-uev.md | 2 +- ...v-application-template-schema-reference.md | 68 +++++++++---------- ...anging-the-frequency-of-scheduled-tasks.md | 28 ++++---- ...ith-system-center-configuration-manager.md | 12 ++-- .../ue-v/uev-deploy-required-features.md | 10 +-- .../uev-deploy-uev-for-custom-applications.md | 18 ++--- ...anage-administrative-backup-and-restore.md | 10 +-- ...ackages-with-windows-powershell-and-wmi.md | 6 +- .../ue-v/uev-migrating-settings-packages.md | 2 +- .../ue-v/uev-prepare-for-deployment.md | 48 ++++++------- 10 files changed, 102 insertions(+), 102 deletions(-) diff --git a/windows/configuration/ue-v/uev-administering-uev.md b/windows/configuration/ue-v/uev-administering-uev.md index 7bf2b82260..0a76ddcdb0 100644 --- a/windows/configuration/ue-v/uev-administering-uev.md +++ b/windows/configuration/ue-v/uev-administering-uev.md @@ -34,7 +34,7 @@ This topic explains how to use the UE-V template generator and manage custom set ## Back up and restore application and Windows settings that are synchronized with UE-V -Windows Management Instrumentation (WMI) and Windows PowerShell features of UE-V allow you to restore settings packages. By using WMI and Windows PowerShell commands, you can restore application and Windows settings to their original state and restore additional settings when a user adopts a new device. +Windows Management Instrumentation (WMI) and Windows PowerShell features of UE-V allow you to restore settings packages. By using WMI and Windows PowerShell commands, you can restore application and Windows settings to their original state and restore other settings when a user adopts a new device. [Manage Administrative Backup and Restore in UE-V](uev-manage-administrative-backup-and-restore.md) diff --git a/windows/configuration/ue-v/uev-application-template-schema-reference.md b/windows/configuration/ue-v/uev-application-template-schema-reference.md index 039d7669a1..3a98106d0c 100644 --- a/windows/configuration/ue-v/uev-application-template-schema-reference.md +++ b/windows/configuration/ue-v/uev-application-template-schema-reference.md @@ -56,7 +56,7 @@ This section details the XML structure of the UE-V settings location template an **Type: String** -The XML declaration must specify the XML version 1.0 attribute (<?xml version="1.0">). Settings location templates created by the UE-V template generator are saved in UTF-8 encoding, although the encoding is not explicitly specified. We recommend that you include the encoding="UTF-8" attribute in this element as a best practice. All templates included with the product specify this tag as well (see the documents in %ProgramFiles%\\Microsoft User Experience Virtualization\\Templates for reference). For example: +The XML declaration must specify the XML version 1.0 attribute (<?xml version="1.0">). Settings location templates created by the UE-V template generator are saved in UTF-8 encoding, although the encoding isn't explicitly specified. We recommend that you include the encoding="UTF-8" attribute in this element as a best practice. All templates included with the product specify this tag as well (see the documents in %ProgramFiles%\\Microsoft User Experience Virtualization\\Templates for reference). For example: `` @@ -74,22 +74,22 @@ UE-V uses the `https://schemas.microsoft.com/UserExperienceVirtualization/2012/S ### Data types -These are the data types for the UE-V application template schema. +These data types are the ones for the UE-V application template schema. **GUID** -GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. +GUID describes a standard globally unique identifier regular expression in the form "\\{\[a-fA-F0-9\]{8}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{4}-\[a-fA-F0-9\]{12}\\}". This GUID is used in the Filesetting\\Root\\KnownFolder element to verify the formatting of well-known folders. **FilenameString** FilenameString refers to the file name of a process to be monitored. Its values are restricted by the regex \[^\\\\\\?\\\*\\|<>/:\]+, (that is, they may not contain backslash characters, asterisk or question mark wild-card characters, the pipe character, the greater than or less than sign, forward slash, or colon characters). **IDString** -IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It is restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). +IDString refers to the ID value of Application elements, SettingsLocationTemplate, and Common elements (used to describe application suites that share common settings). It's restricted by the same regex as FilenameString (\[^\\\\\\?\\\*\\|<>/:\]+). **TemplateVersion** TemplateVersion is an integer value used to describe the revision of the settings location template. Its value may range from 0 to 2147483647. **Empty** -Empty refers to a null value. This is used in Process\\ShellProcess to indicate that there is no process to monitor. This value should not be used in any application templates. +Empty refers to a null value. This data type is used in Process\\ShellProcess to indicate that there's no process to monitor. This value shouldn't be used in any application templates. **Author** The Author data type is a complex type that identifies the author of a template. It contains two child elements: **Name** and **Email**. Within the Author data type, the Name element is mandatory while the Email element is optional. This type is described in more detail under the SettingsLocationTemplate element. @@ -121,9 +121,9 @@ The Processes data type represents a container for a collection of one or more P **Path** Path is consumed by RegistrySetting and FileSetting to refer to registry and file paths. This element supports two optional attributes: **Recursive** and **DeleteIfNotFound**. Both values are set to default="False". -Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders are not included. For registry paths, all values in the current path are captured but child registry keys are not captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. +Recursive indicates that the path and all subfolders are included for file settings or that all child registry keys are included for registry settings. In both cases, all items at the current level are included in the data captured. For a FileSettings object, all files within the specified folder are included in the data captured by UE-V but folders aren't included. For registry paths, all values in the current path are captured but child registry keys aren't captured. In both cases, care should be taken to avoid capturing large data sets or large numbers of items. -The DeleteIfNotFound attribute removes the setting from the user's settings storage path data. This may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. +The DeleteIfNotFound attribute removes the setting from the user’s settings storage path data. This removal may be desirable in cases where removing these settings from the package will save a large amount of disk space on the settings storage path file server. **FileMask** FileMask specifies only certain file types for the folder that is defined by Path. For example, Path might be `C:\users\username\files` and FileMask could be `*.txt` to include only text files. @@ -139,8 +139,8 @@ Settings is a container for all the settings that apply to a particular template |Element|Description| |--- |--- | -|Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This is useful for settings that can be applied asynchronously, such as those get/set through an API, like SystemParameterSetting.| -|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to 'false', UE-V exports the settings even if other instances of an application are running. Suited templates - those that include a Common element section- that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.| +|Asynchronous|Asynchronous settings packages are applied without blocking the application startup so that the application start proceeds while the settings are still being applied. This element is useful for settings that can be applied asynchronously, such as those settings get/set through an API, like SystemParameterSetting.| +|PreventOverlappingSynchronization|By default, UE-V only saves settings for an application when the last instance of an application using the template is closed. When this element is set to ‘false’, UE-V exports the settings even if other instances of an application are running. Suited templates – those templates that include a Common element section– that are shipped with UE-V use this flag to enable shared settings to always export on application close, while preventing application-specific settings from exporting until the last instance is closed.| |AlwaysApplySettings|This parameter forces an imported settings package to be applied even if there are no differences between the package and the current state of the application. This parameter should be used only in special cases since it can slow down settings import.| ### Name Element @@ -149,10 +149,10 @@ Settings is a container for all the settings that apply to a particular template **Type: String** -Name specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. In general, avoid referencing version information, as this can be objected from the ProductVersion element. For example, specify `My Application` rather than `My Application 1.1`. +Name specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. In general, avoid referencing version information, as this referencing can be objected from the ProductVersion element. For example, specify `My Application` rather than `My Application 1.1`. > [!NOTE] -> UE-V does not reference external DTDs, so it is not possible to use named entities in a settings location template. For example, do not use ® to refer to the registered trade mark sign ®. Instead, use canonical numbered references to include these types of special characters, for example, &\#174 for the ® character. This rule applies to all string values in this document. +> UE-V does not reference external DTDs, so it's not possible to use named entities in a settings location template. For example, do not use ® to refer to the registered trade mark sign ®. Instead, use canonical numbered references to include these types of special characters, for example, &\#174 for the ® character. This rule applies to all string values in this document. See for a complete list of character entities. UTF-8-encoded documents may include the Unicode characters directly. Saving templates through the UE-V template generator converts character entities to their Unicode representations automatically. @@ -164,7 +164,7 @@ See for a complete list of character ent **Type: String** -ID populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime (for example, see the output of the Get-UevTemplate and Get-UevTemplateProgram PowerShell cmdlets). By convention, this tag should not contain any spaces, which simplifies scripting. Version numbers of applications should be specified in this element to allow for easy identification of the template, such as `MicrosoftOffice2016Win64`. +ID populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime (for example, see the output of the Get-UevTemplate and Get-UevTemplateProgram PowerShell cmdlets). By convention, this tag shouldn't contain any spaces, which simplifies scripting. Version numbers of applications should be specified in this element to allow for easy identification of the template, such as `MicrosoftOffice2016Win64`. ### Version Element @@ -176,7 +176,7 @@ ID populates a unique identifier for a particular template. This tag becomes the **Maximum Value: 2147483647** -Version identifies the version of the settings location template for administrative tracking of changes. The UE-V template generator automatically increments this number by one each time the template is saved. Notice that this field must be a whole number integer; fractional values, such as `2.5` are not allowed. +Version identifies the version of the settings location template for administrative tracking of changes. The UE-V template generator automatically increments this number by one each time the template is saved. Notice that this field must be a whole number integer; fractional values, such as `2.5` aren't allowed. > [!TIP] > You can save notes about version changes using XML comment tags ``, for example: @@ -218,7 +218,7 @@ Author identifies the creator of the settings location template. Two optional ch **Type: Element** -Processes contains at least one `` element, which in turn contains the following child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. The Filename child element is mandatory and the others are optional. A fully populated element contains tags similar to this example: +Processes contain at least one `` element, which in turn contains the following child elements: **Filename**, **Architecture**, **ProductName**, **FileDescription**, **ProductVersion**, and **FileVersion**. The Filename child element is mandatory and the others are optional. A fully populated element contains tags similar to this example: ```xml @@ -271,7 +271,7 @@ A value of **True** indicates that the string contains illegal characters. Here -In rare circumstances, the FileName value will not necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplication.exe` should be specified instead of `MyApplication`. The second example will not apply the template to the process if the actual name of the executable file is "MyApplication.exe". +In rare circumstances, the FileName value won't necessarily include the .exe extension, but it should be specified as part of the value. For example, `MyApplication.exe` should be specified instead of `MyApplication`. The second example won't apply the template to the process if the actual name of the executable file is “MyApplication.exe”. ### Architecture @@ -279,9 +279,9 @@ In rare circumstances, the FileName value will not necessarily include the .exe **Type: Architecture (String)** -Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. This is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another. +Architecture refers to the processor architecture for which the target executable was compiled. Valid values are Win32 for 32-bit applications or Win64 for 64-bit applications. If present, this tag limits the applicability of the settings location template to a particular application architecture. For an example of this applicability restriction, compare the %ProgramFiles%\\Microsoft User Experience Virtualization\\templates\\ MicrosoftOffice2016Win32.xml and MicrosoftOffice2016Win64.xml files included with UE-V. This applicability restriction is useful when relative paths change between different versions of an executable or if settings have been added or removed when moving from one processor architecture to another. -If this element is absent, the settings location template ignores the process' architecture and applies to both 32 and 64-bit processes if the file name and other attributes apply. +If this element is absent, the settings location template ignores the process’ architecture and applies to both 32-bit and 64-bit processes if the file name and other attributes apply. > [!NOTE] > UE-V does not support ARM processors in this version. @@ -294,7 +294,7 @@ If this element is absent, the settings location template ignores the process' a **Type: String** -ProductName is an optional element used to identify a product for administrative purposes or reporting. ProductName differs from Filename in that there are no regular expression restrictions on its value. This allows for more easily understood descriptions of a process where the executable name may not be obvious. For example: +ProductName is an optional element used to identify a product for administrative purposes or reporting. ProductName differs from Filename in that there are no regular expression restrictions on its value. This flexibility allows for more easily understood descriptions of a process where the executable name may not be obvious. For example: ```xml @@ -312,7 +312,7 @@ ProductName is an optional element used to identify a product for administrative **Type: String** -FileDescription is an optional tag that allows for an administrative description of the executable file. This is a free text field and can be useful in distinguishing multiple executables within a software package where there is a need to identify the function of the executable. +FileDescription is an optional tag that allows for an administrative description of the executable file. This tag is a free text field and can be useful in distinguishing multiple executables within a software package where there's a need to identify the function of the executable. For example, in a suited application, it might be useful to provide reminders about the function of two executables (MyApplication.exe and MyApplicationHelper.exe), as shown here: @@ -396,13 +396,13 @@ Only the Minor element is present. Major must be included as well. **Type: String** -FileVersion differentiates between the release version of a published application and the internal build details of a component executable. For the majority of commercial applications, these numbers are identical. Where they vary, the product version of a file indicates a generic version identification of a file, while file version indicates a specific build of a file (as in the case of a hotfix or update). This uniquely identifies files without breaking detection logic. +FileVersion differentiates between the release version of a published application and the internal build details of a component executable. For most of the commercial applications, these numbers are identical. Where they vary, the product version of a file indicates a generic version identification of a file, while file version indicates a specific build of a file (as in the example of a hotfix or update). This file version uniquely identifies files without breaking detection logic. To determine the product version and file version of a particular executable, right-click on the file in Windows Explorer, select Properties, then click on the Details tab. -Including a FileVersion element for an application allows for more granular fine-tuning detection logic, but is not necessary for most applications. The ProductVersion element settings are checked first, and then FileVersion is checked. The more restrictive setting will apply. +Including a FileVersion element for an application allows for more granular fine-tuning detection logic, but isn't necessary for most applications. The ProductVersion element settings are checked first, and then FileVersion is checked. The more restrictive setting will apply. -The child elements and syntax rules for FileVersion are identical to those of ProductVersion. +The child elements and syntax rules for FileVersion are identical to those elements and rules of ProductVersion. ```xml @@ -421,38 +421,38 @@ The child elements and syntax rules for FileVersion are identical to those of Pr ### Application Element -Application is a container for settings that apply to a particular application. It is a collection of the following fields/types. +Application is a container for settings that apply to a particular application. It's a collection of the following fields/types. |Field/Type|Description| |--- |--- | -|Name|Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| +|Name|Specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| |ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| |Description|An optional description of the template.| |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| |LocalizedDescriptions|An optional template description localized by a language locale.| |Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| -|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.| +|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| +|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| +|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and can't be changed via WMI or PowerShell.| |Processes|A container for a collection of one or more Process elements. For more information, see [Processes](#processes21).| |Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21)".| ### Common Element -Common is similar to an Application element, but it is always associated with two or more Application elements. The Common section represents the set of settings that are shared between those Application instances. It is a collection of the following fields/types. +Common is similar to an Application element, but it's always associated with two or more Application elements. The Common section represents the set of settings that are shared between those Application instances. It's a collection of the following fields/types. |Field/Type|Description| |--- |--- | -|Name|Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| +|Name|Specifies a unique name for the settings location template. This name is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| |ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| |Description|An optional description of the template.| |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| |LocalizedDescriptions|An optional template description localized by a language locale.| |Version|Identifies the version of the settings location template for administrative tracking of changes. For more information, see [Version](#version21).| -|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If Microsoft account syncing is enabled for a user on a machine, then this template will automatically be disabled.| -|DeferToOffice365|Similar to Microsoft account, this controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| -|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and cannot be changed via WMI or PowerShell.| +|DeferToMSAccount|Controls whether this template is enabled in conjunction with a Microsoft account or not. If MSA syncing is enabled for a user on a machine, then this template will automatically be disabled.| +|DeferToOffice365|Similar to MSA, this type controls whether this template is enabled in conjunction with Office365. If Office 365 is being used to sync settings, this template will automatically be disabled.| +|FixedProfile|Specifies that this template can only be associated with the profile specified within this element, and can't be changed via WMI or PowerShell.| |Settings|A container for all the settings that apply to a particular template. It contains instances of the Registry, File, SystemParameter, and CustomAction settings. For more information, see **Settings** in [Data types](#data21).| ### SettingsLocationTemplate Element @@ -461,7 +461,7 @@ This element defines the settings for a single application or a suite of applica |Field/Type|Description| |--- |--- | -|Name|Specifies a unique name for the settings location template. This is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| +|Name|Specifies a unique name for the settings location template. This type is used for display purposes when referencing the template in WMI, PowerShell, Event Viewer and debug logs. For more information, see [Name](#name21).| |ID|Populates a unique identifier for a particular template. This tag becomes the primary identifier that the UE-V service uses to reference the template at runtime. For more information, see [ID](#id21).| |Description|An optional description of the template.| |LocalizedNames|An optional name displayed in the UI, localized by a language locale.| @@ -470,7 +470,7 @@ This element defines the settings for a single application or a suite of applica ### Appendix: SettingsLocationTemplate.xsd -Here is the SettingsLocationTemplate.xsd file showing its elements, child elements, attributes, and parameters: +Here's the SettingsLocationTemplate.xsd file showing its elements, child elements, attributes, and parameters: ```xml diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md index 61ca2b8c88..f9a1b5f123 100644 --- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md +++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md @@ -28,7 +28,7 @@ When the User Experience Virtualization (UE-V) service is enabled, it creates th > [!NOTE] > These tasks must remain enabled, because UE-V cannot function without them. -These scheduled tasks are not configurable with the UE-V tools. Administrators who want to change the scheduled task for these items can create a script that uses the Schtasks.exe command-line options. +These scheduled tasks aren't configurable with the UE-V tools. Administrators who want to change the scheduled task for these items can create a script that uses the Schtasks.exe command-line options. For more information about Schtasks.exe, see [Schtasks](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc725744(v=ws.11)). @@ -38,11 +38,11 @@ The following scheduled tasks are included in UE-V with sample scheduled task co ### Monitor Application Settings -The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It is runs at logon but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory. +The **Monitor Application Settings** task is used to synchronize settings for Windows apps. It's runs at sign in but is delayed by 30 seconds to not affect the logon detrimentally. The Monitor Application Status task runs the UevAppMonitor.exe file, which is located in the UE-V Agent installation directory. |Task name|Default event| |--- |--- | -|\Microsoft\UE-V\Monitor Application Status|Logon| +|\Microsoft\UE-V\Monitor Application Status|Sign in| ### Sync Controller Application @@ -50,7 +50,7 @@ The **Sync Controller Application** task is used to start the Sync Controller to |Task name|Default event| |--- |--- | -|\Microsoft\UE-V\Sync Controller Application|Logon, and every 30 minutes thereafter| +|\Microsoft\UE-V\Sync Controller Application|Sign in, and every 30 minutes thereafter| For example, the following command configures the agent to synchronize settings every 15 minutes instead of the default 30 minutes. @@ -60,11 +60,11 @@ Schtasks /change /tn “Microsoft\UE-V\Sync Controller Application” /ri 15 ### Synchronize Settings at Logoff -The **Synchronize Settings at Logoff** task is used to start an application at logon that controls the synchronization of applications at logoff for UE-V. The Synchronize Settings at Logoff task runs the Microsoft.Uev.SyncController.exe file, which is located in the UE-V Agent installation directory. +The **Synchronize Settings at Logoff** task is used to start an application at sign in that controls the synchronization of applications at sign out for UE-V. The Synchronize Settings at Logoff task runs the Microsoft.Uev.SyncController.exe file, which is located in the UE-V Agent installation directory. |Task name|Default event| |--- |--- | -|\Microsoft\UE-V\Synchronize Settings at Logoff|Logon| +|\Microsoft\UE-V\Synchronize Settings at Logoff|Sign in| ### Template Auto Update @@ -88,22 +88,22 @@ The following chart provides additional information about scheduled tasks for UE |Task Name (file name)|Default Frequency|Power Toggle|Idle Only|Network Connection|Description| |--- |--- |--- |--- |--- |--- | -|**Monitor Application Settings** (UevAppMonitor.exe)|Starts 30 seconds after logon and continues until logoff.|No|Yes|N/A|Synchronizes settings for Windows (AppX) apps.| -|**Sync Controller Application** (Microsoft.Uev.SyncController.exe)|At logon and every 30 min thereafter.|Yes|Yes|Only if Network is connected|Starts the Sync Controller which synchronizes local settings with the settings storage location.| -|**Synchronize Settings at Logoff** (Microsoft.Uev.SyncController.exe)|Runs at logon and then waits for Logoff to Synchronize settings.|No|Yes|N/A|Start an application at logon that controls the synchronization of applications at logoff.| -|**Template Auto Update** (ApplySettingsCatalog.exe)|Runs at initial logon and at 3:30 AM every day thereafter.|Yes|No|N/A|Checks the settings template catalog for new, updated, or removed templates. This task only runs if SettingsTemplateCatalog is configured.| +|**Monitor Application Settings** (UevAppMonitor.exe)|Starts 30 seconds after sign in and continues until sign out.|No|Yes|N/A|Synchronizes settings for Windows (AppX) apps.| +|**Sync Controller Application** (Microsoft.Uev.SyncController.exe)|At sign in and every 30 min thereafter.|Yes|Yes|Only if Network is connected|Starts the Sync Controller that synchronizes local settings with the settings storage location.| +|**Synchronize Settings at Logoff** (Microsoft.Uev.SyncController.exe)|Runs at sign in and then waits for sign out to Synchronize settings.|No|Yes|N/A|Start an application at sign in that controls the synchronization of applications at sign out.| +|**Template Auto Update** (ApplySettingsCatalog.exe)|Runs at initial sign in and at 3:30 AM every day thereafter.|Yes|No|N/A|Checks the settings template catalog for new, updated, or removed templates. This task only runs if SettingsTemplateCatalog is configured.| **Legend** - **Power Toggle** – Task Scheduler will optimize power consumption when not connected to AC power. The task might stop running if the computer switches to battery power. -- **Idle Only** – The task will stop running if the computer ceases to be idle. By default the task will not restart when the computer is idle again. Instead the task will begin again on the next task trigger. +- **Idle Only** – The task will stop running if the computer ceases to be idle. By default the task won't restart when the computer is idle again. Instead the task will begin again on the next task trigger. - **Network Connection** – Tasks marked “Yes” only run if the computer has a network connection available. Tasks marked “N/A” run regardless of network connectivity. ### How to Manage Scheduled Tasks -To find Scheduled Tasks, perform the following: +To find Scheduled Tasks, perform the following steps: 1. Open “Schedule Tasks” on the user computer. @@ -117,9 +117,9 @@ The following additional information applies to UE-V scheduled tasks: - All task sequence programs are located in the UE-V Agent installation folder, `%programFiles%\Microsoft User Experience Virtualization\Agent\[architecture]\`, by default. -- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings do not synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30 min default to a higher amount if necessary. +- The Sync Controller Application Scheduled task is the crucial component when the UE-V SyncMethod is set to “SyncProvider” (UE-V default configuration). This scheduled task keeps the SettingsSToragePath synchronized with the locally cached versions of the settings package files. If users complain that settings don't synchronize often enough, then you can reduce the scheduled task setting to as little as 1 minute.  You can also increase the 30-min default to a higher amount if necessary. -- You do not need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (i.e. Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately. +- You don't need to disable the Template Auto Update scheduled task if you use another method to keep the clients’ templates in sync (that is, Group Policy or Configuration Manager Baselines). Leaving the SettingsTemplateCatalog property value blank prevents UE-V from checking the settings catalog for custom templates. This scheduled task runs ApplySettingsCatalog.exe and will essentially return immediately. - The Monitor Application Settings scheduled task will update Windows app (AppX) settings in real time, based on Windows app program setting triggers built into each app. diff --git a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md index b8e6955c3d..4377246f93 100644 --- a/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md +++ b/windows/configuration/ue-v/uev-configuring-uev-with-system-center-configuration-manager.md @@ -34,7 +34,7 @@ The UE-V Configuration Pack includes tools to: |Configuration|Setting|Description| |--- |--- |--- | |Max package size|Enable/disable Windows app sync|Wait for sync on application start| - |Setting import delay|Sync unlisted Windows apps|Wait for sync on logon| + |Setting import delay|Sync unlisted Windows apps|Wait for sync on sign in| |Settings import notification|IT contact URL|Wait for sync timeout| |Settings storage path|IT contact descriptive text|Settings template catalog path| |Sync enablement|Tray icon enabled|Start/Stop UE-V agent service| @@ -87,7 +87,7 @@ The UE-V service policy configuration item CAB file is created using the UevTemp - **Unmanaged** to have the configuration item left at its current state - Do not remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you do not want Configuration Manager to alter current or default values. + Don't remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you don't want Configuration Manager to alter current or default values. **CurrentComputerUserPolicy** All UE-V user level settings. These entries override the machine settings for a user. The DesiredState attribute can be @@ -98,7 +98,7 @@ The UE-V service policy configuration item CAB file is created using the UevTemp - **Unmanaged** to have the configuration item left at its current state - Do not remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you do not want Configuration Manager to alter current or default values. + Don't remove lines from this section. Instead, set the DesiredState to ‘Unmanaged’ if you don't want Configuration Manager to alter current or default values. **Services** Entries in this section control service operation. The default configuration file contains a single entry for the UevAgentService. The DesiredState attribute can be set to **Running** or **Stopped**. @@ -112,7 +112,7 @@ The UE-V service policy configuration item CAB file is created using the UevTemp - **Cleared** to have the entry removed from UE-V control - Additional lines can be added to this section based on the list of installed Windows apps that can be viewed using the PowerShell cmdlet GetAppxPackage. + More lines can be added to this section based on the list of installed Windows apps that can be viewed using the PowerShell cmdlet GetAppxPackage. **Windows8AppsCurrentComputerUserPolicy** Identical to the Windows8AppsComputerPolicy with settings that override machine settings for an individual user. @@ -159,9 +159,9 @@ The result is a baseline CAB file that is ready for import into Configuration Ma ### Create the First UE-V Template Baseline -1. Create a “master” set of UE-V templates in a stable folder location visible to the machine running your ConfigMgr Admin Console. As templates are added or updated, this folder is where they are pulled for distribution. The initial list of templates can be copied from a machine with UE-V installed. The default template location is C:\\Program Files\\Microsoft User Experience Virtualization\\Templates. +1. Create a “master” set of UE-V templates in a stable folder location visible to the machine running your ConfigMgr Admin Console. As templates are added or updated, this folder is where they're pulled for distribution. The initial list of templates can be copied from a machine with UE-V installed. The default template location is C:\\Program Files\\Microsoft User Experience Virtualization\\Templates. -2. Create a text.bat file where you can add the template generator command. This is optional, but will make regeneration simpler if you save the command parameters. +2. Create a text.bat file where you can add the template generator command. This step is optional, but will make regeneration simpler if you save the command parameters. 3. Add the command and parameters to the .bat file that will generate the baseline. The following example creates a baseline that distributes Notepad and Calculator: diff --git a/windows/configuration/ue-v/uev-deploy-required-features.md b/windows/configuration/ue-v/uev-deploy-required-features.md index b41463da76..efe3834122 100644 --- a/windows/configuration/ue-v/uev-deploy-required-features.md +++ b/windows/configuration/ue-v/uev-deploy-required-features.md @@ -1,6 +1,6 @@ --- title: Deploy required UE-V features -description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example a network share that stores and retrieves user settings. +description: Learn how to install and configure User Experience Virtualization (UE-V) features, for example, a network share that stores and retrieves user settings. author: aczechowski ms.prod: w10 ms.date: 04/19/2017 @@ -19,7 +19,7 @@ To get up and running with User Experience Virtualization (UE-V), install and co - [Deploy a settings storage location](#deploy-a-ue-v-settings-storage-location) that is accessible to end users. - This is a standard network share that stores and retrieves user settings. + This feature is a standard network share that stores and retrieves user settings. - [Choose the configuration method for UE-V](#choose-the-configuration-method-for-ue-v) @@ -85,10 +85,10 @@ The UE-V service dynamically creates a user-specific settings storage path, with | Creator/owner | Full control | Subfolders and files only | | Security group of UE-V users | List folder/read data, create folders/append data | This folder only | -With this configuration, the UE-V service creates and secures a Settingspackage folder while it runs in the context of the user, and grants each user permission to create folders for settings storage. Users receive full control to their Settingspackage folder while other users cannot access it. +With this configuration, the UE-V service creates and secures a Settingspackage folder while it runs in the context of the user, and grants each user permission to create folders for settings storage. Users receive full control to their Settingspackage folder while other users can't access it. **Note** -If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this additional security, specify this setting in the Windows Server Registry Editor: +If you create the settings storage share on a computer running a Windows Server operating system, configure UE-V to verify that either the local Administrators group or the current user is the owner of the folder where settings packages are stored. To enable this extra security, specify this setting in the Windows Server Registry Editor: 1. Add a **REG\_DWORD** registry key named **"RepositoryOwnerCheckEnabled"** to **HKEY\_LOCAL\_MACHINE\\Software\\Microsoft\\UEV\\Agent\\Configuration**. @@ -100,7 +100,7 @@ The UE-V service uses Active Directory (AD) by default if you don’t define a s ## Choose the Configuration Method for UE-V -You’ll need to decide which configuration method you'll use to manage UE-V after deployment since this will be the configuration method you use to deploy the UE-V Agent. Typically, this is the configuration method that you already use in your environment, such as Windows PowerShell or Configuration Manager. +You’ll need to decide which configuration method you'll use to manage UE-V after deployment since this configuration method is the one you'll use to deploy the UE-V Agent. Typically, this configuration method is the one that you already use in your environment, such as Windows PowerShell or Configuration Manager. You can configure UE-V before, during, or after you enable the UE-V service on user devices, depending on the configuration method that you use. diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md index fad99aed73..883ee35328 100644 --- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md +++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md @@ -15,9 +15,9 @@ ms.topic: article **Applies to** - Windows 10, version 1607 -User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those included in the default templates, you can create your own custom settings location templates with the UE-V template generator. +User Experience Virtualization (UE-V) uses XML files called ***settings location templates*** to monitor and synchronize application settings and Windows settings between user devices. By default, some settings location templates are included in UE-V. However, if you want to synchronize settings for desktop applications other than those settings included in the default templates, you can create your own custom settings location templates with the UE-V template generator. -After you’ve reviewed [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) and decided that you want to synchronize settings for custom applications (third-party, line-of-business, e.g.), you’ll need to deploy the features of UE-V described in this topic. +After you’ve reviewed [Prepare a UE-V Deployment](uev-prepare-for-deployment.md) and decided that you want to synchronize settings for custom applications (for example, third-party, line-of-business), you’ll need to deploy the features of UE-V described in this topic. To start, here are the main steps required to synchronize settings for custom applications: @@ -52,7 +52,7 @@ Before you start deploying the UE-V features that handle custom applications, re ### The UE-V template generator -Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator does not create settings location templates for the following types of applications: +Use the UE-V template generator to monitor, discover, and capture the locations where Win32 applications store settings. The template generator doesn't create settings location templates for the following types of applications: - Virtualized applications @@ -63,11 +63,11 @@ Use the UE-V template generator to monitor, discover, and capture the locations - Windows applications >**Note** -UE-V settings location templates cannot be created from virtualized applications or Terminal Services applications. However, settings that are synchronized by using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and Terminal Services applications, open a version of the Windows Installer (.msi) package of the application by using the UE-V template generator. For more information about synchronizing settings for virtual applications, see [Using UE-V with virtual applications](uev-using-uev-with-application-virtualization-applications.md). +UE-V settings location templates can't be created from virtualized applications or Terminal Services applications. However, settings that are synchronized by using the templates can be applied to those applications. To create templates that support Virtual Desktop Infrastructure (VDI) and Terminal Services applications, open a version of the Windows Installer (.msi) package of the application by using the UE-V template generator. For more information about synchronizing settings for virtual applications, see [Using UE-V with virtual applications](uev-using-uev-with-application-virtualization-applications.md). -**Excluded Locations:** The discovery process excludes locations that commonly store application software files that do not synchronize settings well between user computers or computing environments. By default, these are excluded: +**Excluded Locations:** The discovery process excludes locations that commonly store application software files that don't synchronize settings well between user computers or computing environments. By default, these files are excluded: -- HKEY\_CURRENT\_USER registry keys and files to which the logged-on user cannot write values +- HKEY\_CURRENT\_USER registry keys and files to which the signed-in user can't write values - HKEY\_CURRENT\_USER registry keys and files that are associated with the core functionality of the Windows operating system @@ -83,7 +83,7 @@ If registry keys and files that are stored in excluded locations are required to ### Replace the default Microsoft templates -A default group of settings location templates for common Microsoft applications and Windows settings is included with Windows 10, version 1607. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V service can be configured to use a settings template catalog to store the templates. In this case, you will need to include the default templates with the custom templates in the settings template catalog. +A default group of settings location templates for common Microsoft applications and Windows settings is included with Windows 10, version 1607. If you customize these templates, or create settings location templates to synchronize settings for custom applications, the UE-V service can be configured to use a settings template catalog to store the templates. In this case, you'll need to include the default templates with the custom templates in the settings template catalog. >**Important** After you enable the UE-V service, you’ll need to register the settings location templates using the `Register-UevTemplate` cmdlet in Windows PowerShell. @@ -95,7 +95,7 @@ If there are customized templates in the settings template catalog that use the You can replace the default templates by using the UE-V Windows PowerShell features. To replace the default Microsoft template with Windows PowerShell, unregister all of the default Microsoft templates, and then register the customized templates. -Old settings packages remain in the settings storage location even if you deploy new settings location templates for an application. These packages are not read by the UE-V service, but neither are they automatically deleted. +Old settings packages remain in the settings storage location even if you deploy new settings location templates for an application. These packages aren't read by the UE-V service, but neither are they automatically deleted. ### Install the UEV template generator @@ -209,7 +209,7 @@ Use the UE-V template generator to create settings location templates for line-o 11. Click **Close** to close the settings template wizard. Exit the UE-V template generator application. -12. After you have created the settings location template for an application, test the template. Deploy the template in a lab environment before you put it into production in the enterprise. +12. After you've created the settings location template for an application, test the template. Deploy the template in a lab environment before you put it into production in the enterprise. See [Application template schema reference for UE-V](uev-application-template-schema-reference.md) for details about the XML structure of the UE-V settings location template and for guidance about editing these files. diff --git a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md index 1aa6e9f43e..60b4b6dd82 100644 --- a/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md +++ b/windows/configuration/ue-v/uev-manage-administrative-backup-and-restore.md @@ -15,7 +15,7 @@ ms.topic: article **Applies to** - Windows 10, version 1607 -As an administrator of User Experience Virtualization (UE-V), you can restore application and Windows settings to their original state. You can also restore additional settings when a user adopts a new device. +As an administrator of User Experience Virtualization (UE-V), you can restore application and Windows settings to their original state. You can also restore more settings when a user adopts a new device. ## Restore Settings in UE-V when a User Adopts a New Device @@ -30,7 +30,7 @@ Set-UevTemplateProfile -ID -Profile - <backup> can either be Backup or Roaming -When replacing a user’s device, UE-V automatically restores settings if the user’s domain, username, and device name all match. All synchronized and any backup data is restored on the device automatically. +When a user’s device is being replaced, UE-V automatically restores settings if the user’s domain, username, and device name all match. All synchronized and any backup data is restored on the device automatically. You can also use the Windows PowerShell cmdlet, Restore-UevBackup, to restore settings from a different device. To clone the settings packages for the new device, use the following cmdlet in Windows PowerShell: @@ -40,7 +40,7 @@ Restore-UevBackup -ComputerName where <ComputerName> is the computer name of the device. -Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings cannot be included in a roaming profile. +Templates such as the Office 2013 template that include many applications can either all be included in the roamed (default) or backed up profile. Individual apps in a template suite follow the group. Office 2013 in-box templates include both roaming and backup-only settings. Backup-only settings can't be included in a roaming profile. As part of the Backup/Restore feature, UE-V added **last known good (LKG)** to the options for rolling back to settings. In this release, you can roll back to either the original settings or LKG settings. The LKG settings let users roll back to an intermediate and stable point ahead of the pre-UE-V state of the settings. @@ -74,7 +74,7 @@ Templates designated BackupOnly include settings specific to that device that sh **Settings packages location within the Settings Storage Location template** -Roaming Profile settings are stored on the settings storage location. Templates assigned to the Backup or the BackupOnly profile store their settings to the Settings Storage Location in a special Device name directory. Each device with templates in these profiles has its own device name. UE-V does not clean up these directories. +Roaming Profile settings are stored on the settings storage location. Templates assigned to the Backup or the BackupOnly profile store their settings to the Settings Storage Location in a special Device name directory. Each device with templates in these profiles has its own device name. UE-V doesn't clean up these directories. **Backup trigger** @@ -123,7 +123,7 @@ WMI and Windows PowerShell commands let you restore application and Windows sett |`Invoke-WmiMethod -Namespace root\Microsoft\UEV -Class UserSettings -Name RestoreByTemplateId -ArgumentList `|Restores the user settings for an application or restores a group of Windows settings.| >[!NOTE] ->UE-V does not provide a settings rollback for Windows apps. +>UE-V doesn't provide a settings rollback for Windows apps. ## Related topics diff --git a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md index ab70b3209a..b6ebd53d9d 100644 --- a/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md +++ b/windows/configuration/ue-v/uev-managing-uev-agent-and-packages-with-windows-powershell-and-wmi.md @@ -41,8 +41,8 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m |`Set-UevConfiguration -Computer -DisableFirstUseNotification`|Configures the UE-V service to not display notification the first time that the service runs for all users on the computer.| |`Set-UevConfiguration -Computer -EnableSettingsImportNotify`|Configures the UE-V service to notify all users on the computer when settings synchronization is delayed.

    Use the DisableSettingsImportNotify parameter to disable notification.| |`Set-UevConfiguration -CurrentComputerUser -EnableSettingsImportNotify`|Configures the UE-V service to notify the current user when settings synchronization is delayed.

    Use the DisableSettingsImportNotify parameter to disable notification.| - |`Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| - |`Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that are not explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| + |`Set-UevConfiguration -Computer -EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that aren't explicitly disabled by the Windows app list for all users of the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| + |`Set-UevConfiguration -CurrentComputerUser - EnableSyncUnlistedWindows8Apps`|Configures the UE-V service to synchronize all Windows apps that aren't explicitly disabled by the Windows app list for the current user on the computer. For more information, see "Get-UevAppxPackage" in [Managing UE-V Settings Location Templates Using Windows PowerShell and WMI](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md).

    Use the DisableSyncUnlistedWindows8Apps parameter to configure the UE-V service to synchronize only Windows apps that are explicitly enabled by the Windows App List.| |`Set-UevConfiguration -Computer -DisableSync`|Disables UE-V for all the users on the computer.

    Use the EnableSync parameter to enable or re-enable.| |`Set-UevConfiguration -CurrentComputerUser -DisableSync`|Disables UE-V for the current user on the computer.

    Use the EnableSync parameter to enable or re-enable.| |`Set-UevConfiguration -Computer -EnableTrayIcon`|Enables the UE-V icon in the notification area for all users of the computer.

    Use the DisableTrayIcon parameter to disable the icon.| @@ -97,7 +97,7 @@ You can use Windows Management Instrumentation (WMI) and Windows PowerShell to m |`$config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration`

    `$config. = `

    `$config.Put()`|Updates a specific per-computer setting. To clear the setting, use $null as the setting value.| |`$config = Get-WmiObject -Namespace root\Microsoft\UEV ComputerConfiguration`

    `$config. = `

    `$config.Put()`|Updates a specific per-user setting for all users of the computer. To clear the setting, use $null as the setting value.| -When you are finished configuring the UE-V service with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations. +When you're finished configuring the UE-V service with WMI and Windows PowerShell, the defined configuration is stored in the registry in the following locations. `\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\UEV\Agent\Configuration` diff --git a/windows/configuration/ue-v/uev-migrating-settings-packages.md b/windows/configuration/ue-v/uev-migrating-settings-packages.md index eaa34a41eb..2716fc1659 100644 --- a/windows/configuration/ue-v/uev-migrating-settings-packages.md +++ b/windows/configuration/ue-v/uev-migrating-settings-packages.md @@ -21,7 +21,7 @@ In the lifecycle of a User Experience Virtualization (UE-V) deployment, you migh - Migration of a settings storage location share from a test server to a production server -Simply copying the files and folders does not preserve the security settings and permissions. The following steps describe how to correctly copy the settings package along with their NTFS file system permissions to a new share. +Simply copying the files and folders doesn't preserve the security settings and permissions. The following steps describe how to correctly copy the settings package along with their NTFS file system permissions to a new share. **To preserve UE-V settings packages when you migrate to a new server** diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md index 81cf471c17..f44d3f47be 100644 --- a/windows/configuration/ue-v/uev-prepare-for-deployment.md +++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md @@ -29,7 +29,7 @@ Whether you want to synchronize settings for only default Windows applications o - [Enable the UE-V service](uev-deploy-required-features.md#enable-the-ue-v-service) on user computers -If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you'll need to install and configure these optional additional UE-V features: +If you want to use UE-V to synchronize user-defined settings for custom applications (third-party or line-of-business), you’ll need to install and configure these optional extra UE-V features: [Deploy UE-V for custom applications](uev-deploy-uev-for-custom-applications.md) @@ -90,13 +90,13 @@ When you enable the UE-V service on user devices, it registers a default group o | Microsoft Office 2016 applications | Microsoft Access 2016
    Microsoft Lync 2016
    Microsoft Excel 2016
    Microsoft OneNote 2016
    Microsoft Outlook 2016
    Microsoft PowerPoint 2016
    Microsoft Project 2016
    Microsoft Publisher 2016
    Microsoft SharePoint Designer 2013 (not updated for 2016)
    Microsoft Visio 2016
    Microsoft Word 2016
    Microsoft Office Upload Manager
    Microsoft Infopath has been removed (deprecated) from the Office 2016 suite | | Microsoft Office 2013 applications
    [Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2013
    Microsoft Excel 2013
    Microsoft Outlook 2013
    Microsoft Access 2013
    Microsoft Project 2013
    Microsoft PowerPoint 2013
    Microsoft Publisher 2013
    Microsoft Visio 2013
    Microsoft InfoPath 2013
    Microsoft Lync 2013
    Microsoft OneNote 2013
    Microsoft SharePoint Designer 2013
    Microsoft Office 2013 Upload Center
    Microsoft OneDrive for Business 2013 | Microsoft Office 2010 applications
    [Download a list of all settings synced](https://www.microsoft.com/download/details.aspx?id=46367) | Microsoft Word 2010
    Microsoft Excel 2010
    Microsoft Outlook 2010
    Microsoft Access 2010
    Microsoft Project 2010
    Microsoft PowerPoint 2010
    Microsoft Publisher 2010
    Microsoft Visio 2010
    Microsoft SharePoint Workspace 2010
    Microsoft InfoPath 2010
    Microsoft Lync 2010
    Microsoft OneNote 2010
    Microsoft SharePoint Designer 2010 | -| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
    **Note**
    UE-V does not roam settings for Internet Explorer cookies. | +| Browser options: Internet Explorer 11 and 10 | Synchronize favorites, home page, tabs, and toolbars.
    **Note**
    UE-V doesn't roam settings for Internet Explorer cookies. | | Windows accessories | Microsoft NotePad, WordPad | > [!NOTE] > - An Outlook profile must be created for any device on which a user wants to sync their Outlook signature. If the profile is not already created, the user can create one and then restart Outlook on that device to enable signature synchronization. > -> - UE-V does not synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems. +> - UE-V doesn't synchronize settings between the Microsoft Calculator in Windows 10 and the Microsoft Calculator in previous operating systems. ### Windows settings synchronized by default @@ -106,10 +106,10 @@ UE-V includes settings location templates that capture settings values for these |----------------------|-----------------|--------------|---------------|-------------------| | Desktop background | Currently active desktop background or wallpaper | Log on, unlock, remote connect, Scheduled Task events | Log off, lock, remote disconnect, or scheduled task interval | Enabled | | Ease of Access | Accessibility and input settings, Microsoft Magnifier, Narrator, and on-Screen Keyboard | Log on only | Log off or scheduled task interval | Enabled | -| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, additional clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled | +| Desktop settings | Start menu and Taskbar settings, folder options, default desktop icons, more clocks, and region and language settings | Log on only | Log off or scheduled task | Enabled | > [!IMPORTANT] -> UE-V roams taskbar settings between Windows 10 devices. However, UE-V does not synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions. +> UE-V roams taskbar settings between Windows 10 devices. However, UE-V doesn't synchronize taskbar settings between Windows 10 devices and devices running previous operating systems versions. | Settings group | Category | Capture | Apply | |--------------------------|----------------|----------------|--------------| @@ -142,11 +142,11 @@ Printer roaming in UE-V requires one of these scenarios: - The printer driver can be imported from Windows Update. > [!NOTE] -> The UE-V printer roaming feature does not roam printer settings or preferences, such as printing double-sided. +> The UE-V printer roaming feature doesn't roam printer settings or preferences, such as printing double-sided. ### Determine whether you need settings synchronized for other applications -After you have reviewed the settings that are synchronized automatically in a UE-V deployment, you'll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise. +After you've reviewed the settings that are synchronized automatically in a UE-V deployment, you’ll need to decide whether to synchronize settings for other applications as your decision will determine how you deploy UE-V throughout your enterprise. As an administrator, when you consider which desktop applications to include in your UE-V solution, consider which settings can be customized by users, and how and where the application stores its settings. Not all desktop applications have settings that can be customized or that are routinely customized by users. In addition, not all desktop applications settings can be synchronized safely across multiple devices or environments. @@ -167,14 +167,14 @@ If you've decided that you need to synchronize settings for custom applications, | ![Checklist box.](images/uev-checklist-box.gif) | Does this application contain settings that the user can customize? | | ![Checklist box.](images/uev-checklist-box.gif) | Is it important for the user that these settings are synchronized? | | ![Checklist box.](images/uev-checklist-box.gif) | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. | -| ![Checklist box.](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. | -| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. | -| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience.| +| ![Checklist box.](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations don't consistently synchronize across sessions and can cause a poor application experience. | +| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually shouldn't synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. | +| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that shouldn't synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this extra data can cause a poor application experience.| | ![Checklist box.](images/uev-checklist-box.gif) | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. | ## Other considerations when preparing a UE-V deployment -You should also consider these things when you are preparing to deploy UE-V: +You should also consider these things when you're preparing to deploy UE-V: - [Managing credentials synchronization](#managing-credentials-synchronization-in-ue-v) @@ -192,19 +192,19 @@ You should also consider these things when you are preparing to deploy UE-V: ### Managing credentials synchronization in UE-V -Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid re-entering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V. +Many enterprise applications, including Microsoft Outlook, Lync, and Skype for Business prompt users for their domain credentials when they log in. Users have the option of saving their credentials to disk to prevent having to enter them every time they open these applications. Enabling roaming credentials synchronization lets users save their credentials on one computer and avoid reentering them on every computer they use in their environment. Users can synchronize some domain credentials with UE-V. > [!IMPORTANT] > Credentials synchronization is disabled by default. You must explicitly enable credentials synchronization after you enable the UE-V service to implement this feature. -UE-V can synchronize enterprise credentials, but does not roam credentials intended only for use on the local device. +UE-V can synchronize enterprise credentials, but doesn't roam credentials intended only for use on the local device. -Credentials are synchronous settings, meaning that they are applied to users' profiles the first time they log on to their devices after UE-V synchronizes. +Credentials are synchronous settings, meaning that they're applied to users' profiles the first time they log on to their devices after UE-V synchronizes. Credentials synchronization is managed by its own settings location template, which is disabled by default. You can enable or disable this template through the same methods used for other templates. The template identifier for this feature is RoamingCredentialSettings. > [!IMPORTANT] -> If you are using Active Directory Credential Roaming in your environment, we recommend that you do not enable the UE-V credential roaming template. Instead, use PowerShell or Group Policy to enable credentials synchronization. Note that credentials are encrypted during synchronization. +> If you're using Active Directory Credential Roaming in your environment, we recommend that you do not enable the UE-V credential roaming template. Instead, use PowerShell or Group Policy to enable credentials synchronization. Note that credentials are encrypted during synchronization. [PowerShell](uev-administering-uev-with-windows-powershell-and-wmi.md)**:** Enter this PowerShell cmdlet to enable credential synchronization: @@ -246,7 +246,7 @@ Credential files saved by applications into the following locations are synchron - %UserProfile%\\AppData\\Roaming\\Microsoft\\SystemCertificates\\ -Credentials saved to other locations are not synchronized by UE-V. +Credentials saved to other locations aren't synchronized by UE-V. ### Windows applications settings synchronization @@ -256,13 +256,13 @@ UE-V manages Windows application settings synchronization in three ways: - **Windows applications list:** Synchronize a list of Windows applications -- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that are not in the Windows applications list. +- **Unlisted default sync behavior:** Determine the synchronization behavior of Windows applications that aren't in the Windows applications list. For more information, see the [Windows Application List](uev-managing-settings-location-templates-using-windows-powershell-and-wmi.md#win8applist). ### Custom UE-V settings location templates -If you are deploying UE-V to synchronize settings for custom applications, you'll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices. +If you're deploying UE-V to synchronize settings for custom applications, you’ll use the UE-V template generator to create custom settings location templates for those desktop applications. After you create and test a custom settings location template in a test environment, you can deploy the settings location templates to user devices. Custom settings location templates must be deployed with an existing deployment infrastructure, such as an enterprise software distribution method, including Microsoft Endpoint Configuration Manager, with preferences, or by configuring a UE-V settings template catalog. Templates that are deployed with Configuration Manager or Group Policy must be registered using UE-V WMI or Windows PowerShell. @@ -282,7 +282,7 @@ UE-V downloads new user settings information from a settings storage location an - When the Sync Controller Application scheduled task is run -If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they are opened and closed with preferred settings. +If UE-V is installed on computer A and computer B, and the settings that you want for the application are on computer A, then computer A should open and close the application first. If the application is opened and closed on computer B first, then the application settings on computer A are configured to the application settings on computer B. Settings are synchronized between computers on per-application basis. Over time, settings become consistent between computers as they're opened and closed with preferred settings. This scenario also applies to Windows settings. If the Windows settings on computer B should be the same as the Windows settings on computer A, then the user should log on and log off computer A first. @@ -304,17 +304,17 @@ The UE-V settings storage location and settings template catalog support storing - Format the storage volume with an NTFS file system. -- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is specifically not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see: +- The share can use Distributed File System (DFS) replication, but Distributed File System Replication (DFSR) is not supported. Distributed File System Namespaces (DFSN) are supported. For detailed information, see: - [Deploying Roaming User Profiles](/windows-server/storage/folder-redirection/deploy-roaming-user-profiles) - [Information about Microsoft support policy for a DFS-R and DFS-N deployment scenario](/troubleshoot/windows-server/networking/support-policy-for-dfsr-dfsn-deployment) - In addition, because SYSVOL uses DFSR for replication, SYSVOL cannot be used for UE-V data file replication. + In addition, because SYSVOL uses DFSR for replication, SYSVOL can't be used for UE-V data file replication. - Configure the share permissions and NTFS access control lists (ACLs) as specified in [Deploying the settings storage location for UE-V](uev-deploy-required-features.md). -- Use file server clustering along with the UE-V service to provide access to copies of user state data in the event of communications failures. +- Use file server clustering along with the UE-V service to provide access to copies of user state data if communications failures occur. - You can store the settings storage path data (user data) and settings template catalog templates on clustered shares, on DFSN shares, or on both. @@ -335,7 +335,7 @@ Before you proceed, ensure that your environment meets these requirements for us > [!NOTE] > - Windows Server 2012 operating systems come with .NET Framework 4.5 installed. The Windows 10 operating system comes with .NET Framework 4.6 installed. > -> - The "Delete Roaming Cache" policy for mandatory profiles is not supported with UE-V and should not be used. +> - The “Delete Roaming Cache” policy for mandatory profiles isn't supported with UE-V and shouldn't be used. There are no special random access memory (RAM) requirements specific to UE-V. @@ -353,7 +353,7 @@ Sync Provider is the default setting for users and synchronizes a local cache wi A scheduled task manages this synchronization of settings every 30 minutes or through trigger events for certain applications. For more information, see [Changing the frequency of UE-V scheduled tasks](uev-changing-the-frequency-of-scheduled-tasks.md). -The UE-V service synchronizes user settings for devices that are not always connected to the enterprise network (remote devices and laptops) and devices that are always connected to the network (devices that run Windows Server and host virtual desktop interface (VDI) sessions). +The UE-V service synchronizes user settings for devices that aren't always connected to the enterprise network (remote devices and laptops) and devices that are always connected to the network (devices that run Windows Server and host virtual desktop interface (VDI) sessions). **Synchronization for computers with always-available connections** When you use UE-V on devices that are always connected to the network, you must configure the UE-V service to synchronize settings by using the *SyncMethod=None* parameter, which treats the settings storage server as a standard network share. In this configuration, the UE-V service can be configured to notify if the import of the application settings is delayed. From f041fe51ae9babac4946d82a04a9d31178af31b8 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 4 Aug 2022 12:40:17 -0400 Subject: [PATCH 40/77] More TOC changes --- windows/client-management/mdm/toc.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 10d185561f..5097798efe 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -2,11 +2,11 @@ items: - name: Mobile Device Management href: index.yml items: - - name: MDM overview + - name: Overview href: mdm-overview.md - - name: What's new in MDM enrollment and management - href: new-in-windows-mdm-enrollment-management.md items: + - name: What's new in MDM enrollment and management + href: new-in-windows-mdm-enrollment-management.md - name: Change history for MDM documentation href: change-history-for-mdm-documentation.md - name: Device enrollment From 0eb0947306a1e1ba54bb701f0a3eedbd86a01ed3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 4 Aug 2022 12:45:05 -0400 Subject: [PATCH 41/77] test --- windows/client-management/mdm/toc.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 5097798efe..875e1dfa78 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -5,6 +5,8 @@ items: - name: Overview href: mdm-overview.md items: + - name: MDM overview + href: mdm-overview.md - name: What's new in MDM enrollment and management href: new-in-windows-mdm-enrollment-management.md - name: Change history for MDM documentation From 44c362b0bda45966e82b441ebad0e64fdeeae7f3 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 4 Aug 2022 12:47:45 -0400 Subject: [PATCH 42/77] test2 --- windows/client-management/mdm/toc.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 875e1dfa78..cf0e95135c 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -3,7 +3,6 @@ items: href: index.yml items: - name: Overview - href: mdm-overview.md items: - name: MDM overview href: mdm-overview.md From 27639fb4e44ff5b267160c8ce6884511cb21866b Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Thu, 4 Aug 2022 14:24:51 -0400 Subject: [PATCH 43/77] reorder --- windows/client-management/mdm/toc.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index cf0e95135c..859cfd31fa 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -10,6 +10,13 @@ items: href: new-in-windows-mdm-enrollment-management.md - name: Change history for MDM documentation href: change-history-for-mdm-documentation.md + - name: Azure Active Directory integration with MDM + href: azure-active-directory-integration-with-mdm.md + items: + - name: Add an Azure AD tenant and Azure AD subscription + href: add-an-azure-ad-tenant-and-azure-ad-subscription.md + - name: Register your free Azure Active Directory subscription + href: register-your-free-azure-active-directory-subscription.md - name: Device enrollment href: mobile-device-enrollment.md items: @@ -36,13 +43,6 @@ items: href: enable-admx-backed-policies-in-mdm.md - name: Win32 and Desktop Bridge app policy configuration href: win32-and-centennial-app-policy-configuration.md - - name: Azure Active Directory integration with MDM - href: azure-active-directory-integration-with-mdm.md - items: - - name: Add an Azure AD tenant and Azure AD subscription - href: add-an-azure-ad-tenant-and-azure-ad-subscription.md - - name: Register your free Azure Active Directory subscription - href: register-your-free-azure-active-directory-subscription.md - name: Enterprise settings, policies, and app management href: windows-mdm-enterprise-settings.md items: From 79724cc5bf9aa63fab4438a331aee89670655cca Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Thu, 4 Aug 2022 11:26:23 -0700 Subject: [PATCH 44/77] Updates to prereqs as per Andre. --- .../windows-autopatch-register-devices.md | 25 +++++++++---------- .../windows-autopatch-prerequisites.md | 14 +++++------ 2 files changed, 19 insertions(+), 20 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 14e592ed12..fbe99bc055 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 07/06/2022 +ms.date: 08/04/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -21,6 +21,7 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) +- [Windows feature updates](../operate/windows-autopatch-fu-overview.md) - [Microsoft 365 Apps for enterprise updates](../operate/windows-autopatch-microsoft-365-apps-enterprise.md) - [Microsoft Edge updates](../operate/windows-autopatch-edge.md) - [Microsoft Teams updates](../operate/windows-autopatch-teams.md) @@ -78,7 +79,7 @@ To be eligible for Windows Autopatch management, devices must meet a minimum set > [!NOTE] > Windows Autopatch doesn't support device emulators that don't generate Serial number, Model and Manufacturer. Devices that use a non-supported device emulator fail the **Intune or Cloud-Attached** pre-requisite check. Additionally, devices with duplicated serial numbers will fail to register with Windows Autopatch. -See [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md) for more details. +For more information, see [Windows Autopatch Prerequisites](../prepare/windows-autopatch-prerequisites.md). ## About the Ready and Not ready tabs @@ -113,6 +114,8 @@ Registering your devices in Windows Autopatch does the following: ### Physical devices +Any device (either physical or virtual) that contains an Azure AD device ID can be added into the Windows Autopatch Device Registration Azure AD group to be registered with Windows Autopatch. + **To register physical devices into Windows Autopatch:** 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). @@ -126,15 +129,9 @@ Registering your devices in Windows Autopatch does the following: Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices, and runs software-based prerequisite checks to try to register them with its service. -### Virtual devices +### Windows Autopatch on Windows 365 Enterprise Workloads -#### Windows Autopatch on Windows 365 Enterprise Workloads - -With Windows 365 Enterprise, you can include Windows Autopatch onboarding as part of your provision process providing a seamless experience for admins and users to ensure your Cloud PCs are always up to date. - -#### Deploy Windows Autopatch on a Windows 365 Provisioning Policy - -For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). +With Windows 365 Enterprise, IT admins are given the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy process calls the Windows Autopatch device registration APIs to register devices on behalf of the IT admin. **To deploy Windows Autopatch on a Windows 365 Provisioning Policy:** @@ -149,11 +146,13 @@ For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-36 1. Assign your policy accordingly and select **Next**. 1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. +For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). + #### Deploy Autopatch on Windows 365 for existing Cloud PC -All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method as your physical devices. For more information, see [Physical devices](#physical-devices). +All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method for any other physical or virtual device. See [steps to register devices](#steps-to-register-devices) for more details. -#### Contact support +### Contact support Support is available either through Windows 365, or Windows Autopatch for update related incidents. @@ -162,7 +161,7 @@ Support is available either through Windows 365, or Windows Autopatch for update ## Device management lifecycle scenarios -There's a few more device lifecycle management scenarios to consider when planning to register devices in Windows Autopatch. +There's a few more device management lifecycle scenarios to consider when planning to register devices in Windows Autopatch. ### Device refresh diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md index 2f4d13cfe0..abbe0e525e 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites.md @@ -1,7 +1,7 @@ --- title: Prerequisites description: This article details the prerequisites needed for Windows Autopatch -ms.date: 06/30/2022 +ms.date: 08/04/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -41,7 +41,6 @@ Windows Autopatch is included with Window 10/11 Enterprise E3 or higher. The fol The following Windows OS 10 editions, 1809 builds and architecture are supported in Windows Autopatch: -- x64 architecture - Windows 10 (1809+)/11 Pro - Windows 10 (1809+)/11 Enterprise - Windows 10 (1809+)/11 Pro for Workstations @@ -51,8 +50,9 @@ The following Windows OS 10 editions, 1809 builds and architecture are supported Windows Autopatch fully supports co-management. The following co-management requirements apply: - Use a currently supported [Configuration Manager version](/mem/configmgr/core/servers/manage/updates#supported-versions). -- Ensure ConfigMgr is connected to the internet and [cloud-attach with Intune](/mem/configmgr/cloud-attach/overview). -- Ensure ConfigMgr is co-managed. For more information, see [Paths to co-management](/mem/configmgr/comanage/quickstart-paths). -- Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. -- Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. -- Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. +- ConfigMgr must be [cloud-attached with Intune (Co-management)](/mem/configmgr/cloud-attach/overview) and must have the following Co-management workloads enabled: + - Set the [Windows Update workload](/mem/configmgr/comanage/workloads#windows-update-policies) to Pilot Intune or Intune. + - Set the [Device configuration workload](/mem/configmgr/comanage/workloads#device-configuration) to Pilot Intune or Intune. + - Set the [Office Click-to-Run apps workload](/mem/configmgr/comanage/workloads#office-click-to-run-apps) to Pilot Intune or Intune. + +For more information, see [paths to co-management](/mem/configmgr/comanage/quickstart-paths). From 32faa3e016f2c2d0d4e4b72e3d4c51edf71cf8d4 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:01:44 +0530 Subject: [PATCH 45/77] Updated-6247330 Redirection file updated. --- .openpublishing.redirection.json | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 798ab55b18..46855dc966 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19589,6 +19589,11 @@ "source_path": "windows/whats-new/contribute-to-a-topic.md", "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", "redirect_document_id": false + }, + { + "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md", + "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq", + "redirect_document_id": false } ] } From f0cfa7f2509fc65e0d784e46e4541d2dd7d767ca Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:20:54 +0530 Subject: [PATCH 46/77] Updated-6247330 Deleting the old file. --- .../waas-delivery-optimization-faq-old.md | 101 ------------------ 1 file changed, 101 deletions(-) delete mode 100644 windows/deployment/update/waas-delivery-optimization-faq-old.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq-old.md b/windows/deployment/update/waas-delivery-optimization-faq-old.md deleted file mode 100644 index e7787d0b50..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-faq-old.md +++ /dev/null @@ -1,101 +0,0 @@ ---- -title: Delivery Optimization Frequently Asked Questions -ms.reviewer: aaroncz -manager: dougeby -description: The following is a list of frequently asked questions for Delivery Optimization. -ms.prod: w10 -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Delivery Optimization Frequently Asked Questions - -**Applies to** - -- Windows 10 -- Windows 11 - -## Does Delivery Optimization work with WSUS? - -Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - -## Which ports does Delivery Optimization use? - -Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - -Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - -Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - -## What are the requirements if I use a proxy? - -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - -## What hostnames should I allow through my firewall to support Delivery Optimization? - -**For communication between clients and the Delivery Optimization cloud service**: - -- `*.do.dsp.mp.microsoft.com` - -**For Delivery Optimization metadata**: - -- `*.dl.delivery.mp.microsoft.com` -- `*.emdl.ws.microsoft.com` - -**For the payloads (optional)**: - -- `*.download.windowsupdate.com` -- `*.windowsupdate.com` - -**For group peers across multiple NATs (Teredo)**: - -- `win1910.ipv6.microsoft.com` - -For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. - -## Does Delivery Optimization use multicast? - -No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - -## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - -Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - -## How does Delivery Optimization handle VPNs? - -Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - -If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. - -With split tunneling, make sure to allow direct access to these endpoints: - -Delivery Optimization service endpoint: - -- `https://*.prod.do.dsp.mp.microsoft.com` - -Delivery Optimization metadata: - -- `http://emdl.ws.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` - -Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads - -- `http://*.windowsupdate.com` -- `https://*.delivery.mp.microsoft.com` -- `https://*.update.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - -For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - -## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - -Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. - -> [!NOTE] -> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From 7d5a767df347a85b9d530a2ccc1d52121b567c22 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:29:29 +0530 Subject: [PATCH 47/77] Updated-6247330 Adding the file again and renaming it to its original name so that we can delete it in the next update to match the redirection entry. --- .../update/waas-delivery-optimization-faq.md | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 windows/deployment/update/waas-delivery-optimization-faq.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md new file mode 100644 index 0000000000..e7787d0b50 --- /dev/null +++ b/windows/deployment/update/waas-delivery-optimization-faq.md @@ -0,0 +1,101 @@ +--- +title: Delivery Optimization Frequently Asked Questions +ms.reviewer: aaroncz +manager: dougeby +description: The following is a list of frequently asked questions for Delivery Optimization. +ms.prod: w10 +author: carmenf +ms.localizationpriority: medium +ms.author: carmenf +ms.collection: M365-modern-desktop +ms.topic: article +ms.custom: seo-marvel-apr2020 +--- + +# Delivery Optimization Frequently Asked Questions + +**Applies to** + +- Windows 10 +- Windows 11 + +## Does Delivery Optimization work with WSUS? + +Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. + +## Which ports does Delivery Optimization use? + +Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). + +Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. + +Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. + +## What are the requirements if I use a proxy? + +For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). + +## What hostnames should I allow through my firewall to support Delivery Optimization? + +**For communication between clients and the Delivery Optimization cloud service**: + +- `*.do.dsp.mp.microsoft.com` + +**For Delivery Optimization metadata**: + +- `*.dl.delivery.mp.microsoft.com` +- `*.emdl.ws.microsoft.com` + +**For the payloads (optional)**: + +- `*.download.windowsupdate.com` +- `*.windowsupdate.com` + +**For group peers across multiple NATs (Teredo)**: + +- `win1910.ipv6.microsoft.com` + +For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. + +## Does Delivery Optimization use multicast? + +No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. + +## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? + +Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). + +## How does Delivery Optimization handle VPNs? + +Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." + +If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. + +If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. + +With split tunneling, make sure to allow direct access to these endpoints: + +Delivery Optimization service endpoint: + +- `https://*.prod.do.dsp.mp.microsoft.com` + +Delivery Optimization metadata: + +- `http://emdl.ws.microsoft.com` +- `http://*.dl.delivery.mp.microsoft.com` + +Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads + +- `http://*.windowsupdate.com` +- `https://*.delivery.mp.microsoft.com` +- `https://*.update.microsoft.com` +- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` + +For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). + +## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? + +Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. + +> [!NOTE] +> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From feff2389e3919fd4a89a9429d514975595707ca4 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Fri, 5 Aug 2022 02:34:49 +0530 Subject: [PATCH 48/77] Updated-6247330 Deleted the original file to align with the redirection entry. --- .../update/waas-delivery-optimization-faq.md | 101 ------------------ 1 file changed, 101 deletions(-) delete mode 100644 windows/deployment/update/waas-delivery-optimization-faq.md diff --git a/windows/deployment/update/waas-delivery-optimization-faq.md b/windows/deployment/update/waas-delivery-optimization-faq.md deleted file mode 100644 index e7787d0b50..0000000000 --- a/windows/deployment/update/waas-delivery-optimization-faq.md +++ /dev/null @@ -1,101 +0,0 @@ ---- -title: Delivery Optimization Frequently Asked Questions -ms.reviewer: aaroncz -manager: dougeby -description: The following is a list of frequently asked questions for Delivery Optimization. -ms.prod: w10 -author: carmenf -ms.localizationpriority: medium -ms.author: carmenf -ms.collection: M365-modern-desktop -ms.topic: article -ms.custom: seo-marvel-apr2020 ---- - -# Delivery Optimization Frequently Asked Questions - -**Applies to** - -- Windows 10 -- Windows 11 - -## Does Delivery Optimization work with WSUS? - -Yes. Devices will obtain the update payloads from the WSUS server, but must also have an internet connection as they communicate with the Delivery Optimization cloud service for coordination. - -## Which ports does Delivery Optimization use? - -Delivery Optimization listens on port 7680 for requests from other peers by using TCP/IP. The service will register and open this port on the device. The port must be set to accept inbound traffic through your firewall. If you don't allow inbound traffic over port 7680, you can't use the peer-to-peer functionality of Delivery Optimization. However, devices can still successfully download by using HTTP or HTTPS traffic over port 80 (such as for default Windows Update data). - -Delivery Optimization will use Teredo to create peer groups, which include devices across NATs (or any form of internal subnet that uses gateways or firewalls between subnets). For this to work, you must allow inbound TCP/IP traffic over port 3544. Look for a "NAT traversal" setting in your firewall to set this up. - -Delivery Optimization also communicates with its cloud service by using HTTP/HTTPS over port 80. - -## What are the requirements if I use a proxy? - -For Delivery Optimization to successfully use the proxy, you should set up the proxy by using Windows proxy settings or Internet Explorer proxy settings. For details see [Using a proxy with Delivery Optimization](../do/delivery-optimization-proxy.md). Most content downloaded with Delivery Optimization uses byte range requests. Make sure your proxy allows byte range requests. For more information, see [Proxy requirements for Windows Update](/windows/deployment/update/windows-update-troubleshooting). - -## What hostnames should I allow through my firewall to support Delivery Optimization? - -**For communication between clients and the Delivery Optimization cloud service**: - -- `*.do.dsp.mp.microsoft.com` - -**For Delivery Optimization metadata**: - -- `*.dl.delivery.mp.microsoft.com` -- `*.emdl.ws.microsoft.com` - -**For the payloads (optional)**: - -- `*.download.windowsupdate.com` -- `*.windowsupdate.com` - -**For group peers across multiple NATs (Teredo)**: - -- `win1910.ipv6.microsoft.com` - -For more information, see [Endpoints for Delivery Optimization and Microsoft Connected Cache](../do/delivery-optimization-endpoints.md) for a list of all content endpoints needed. - -## Does Delivery Optimization use multicast? - -No. It relies on the cloud service for peer discovery, resulting in a list of peers and their IP addresses. Client devices then connect to their peers to obtain download files over TCP/IP. - -## How does Delivery Optimization deal with congestion on the router from peer-to-peer activity on the LAN? - -Starting in Windows 10, version 1903, Delivery Optimization uses LEDBAT to relieve such congestion. For more information, see this post on the [Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/Windows-Transport-converges-on-two-Congestion-Providers-Cubic/ba-p/339819). - -## How does Delivery Optimization handle VPNs? - -Delivery Optimization attempts to identify VPNs by checking the network adapter type and details. A connection will be treated as a VPN if the adapter description contains certain keywords, such as "VPN" or "secure." - -If the connection is identified as a VPN, Delivery Optimization will suspend uploads to other peers. However, you can allow uploads over a VPN by using the [Enable Peer Caching while the device connects via VPN](../do/waas-delivery-optimization-reference.md#enable-peer-caching-while-the-device-connects-via-vpn) policy. - -If you have defined a boundary group in Configuration Manager for VPN IP ranges, you can set the [DownloadMode](../do/waas-delivery-optimization-reference.md#download-mode) policy to 0 for that boundary group, to ensure that there will be no peer-to-peer activity over the VPN. When the device is not connected using a VPN, it can still use peer-to-peer with the default of LAN. - -With split tunneling, make sure to allow direct access to these endpoints: - -Delivery Optimization service endpoint: - -- `https://*.prod.do.dsp.mp.microsoft.com` - -Delivery Optimization metadata: - -- `http://emdl.ws.microsoft.com` -- `http://*.dl.delivery.mp.microsoft.com` - -Windows Update and Microsoft Store backend services and Windows Update and Microsoft Store payloads - -- `http://*.windowsupdate.com` -- `https://*.delivery.mp.microsoft.com` -- `https://*.update.microsoft.com` -- `https://tsfe.trafficshaping.dsp.mp.microsoft.com` - -For more information about remote work if you're using Configuration Manager, see this post on the [Configuration Manager blog](https://techcommunity.microsoft.com/t5/configuration-manager-blog/managing-patch-tuesday-with-configuration-manager-in-a-remote/ba-p/1269444). - -## How does Delivery Optimization handle networks where a public IP address is used in place of a private IP address? - -Starting with Windows 10, version 1903 or later, Delivery Optimization no longer restricts connections between LAN peers to those using private IP addresses. If you use public IP addresses instead of private IP addresses, you can use Delivery Optimization in LAN mode. - -> [!NOTE] -> If you use public IP addresses instead of private in LAN mode, the bytes downloaded from or uploaded to LAN peers with public IP addresses might be reported as coming from Internet peers. From 6a789018bb12fb6daab49519f031d7367184b683 Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 4 Aug 2022 17:40:04 -0400 Subject: [PATCH 49/77] 4246040 AD Remove Redirect --- .openpublishing.redirection.json | 44 +- windows/security/TOC.yml | 16 - .../active-directory-accounts.md | 621 ------- .../active-directory-security-groups.md | 1431 ----------------- .../access-control/dynamic-access-control.md | 140 -- .../access-control/microsoft-accounts.md | 186 --- .../access-control/security-identifiers.md | 331 ---- .../access-control/security-principals.md | 148 -- .../access-control/service-accounts.md | 112 -- .../access-control/special-identities.md | 448 ------ 10 files changed, 42 insertions(+), 3435 deletions(-) delete mode 100644 windows/security/identity-protection/access-control/active-directory-accounts.md delete mode 100644 windows/security/identity-protection/access-control/active-directory-security-groups.md delete mode 100644 windows/security/identity-protection/access-control/dynamic-access-control.md delete mode 100644 windows/security/identity-protection/access-control/microsoft-accounts.md delete mode 100644 windows/security/identity-protection/access-control/security-identifiers.md delete mode 100644 windows/security/identity-protection/access-control/security-principals.md delete mode 100644 windows/security/identity-protection/access-control/service-accounts.md delete mode 100644 windows/security/identity-protection/access-control/special-identities.md diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 798ab55b18..3acf52720e 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -6507,8 +6507,8 @@ }, { "source_path": "windows/access-protection/access-control/dynamic-access-control.md", - "redirect_url": "/windows/security/identity-protection/access-control/dynamic-access-control", - "redirect_document_id": false + "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview", + "redirect_document_id": true }, { "source_path": "windows/access-protection/access-control/local-accounts.md", @@ -19589,6 +19589,46 @@ "source_path": "windows/whats-new/contribute-to-a-topic.md", "redirect_url": "https://github.com/MicrosoftDocs/windows-itpro-docs/blob/public/CONTRIBUTING.md#editing-windows-it-professional-documentation", "redirect_document_id": false + }, + { + "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/security-principals.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-principals", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/active-directory-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-default-user-accounts", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/microsoft-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-microsoft-accounts", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/service-accounts.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-service-accounts", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/active-directory-security-groups.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-groups", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/special-identities.md", + "redirect_url": "/windows-server/identity/ad-ds/manage/understand-special-identities-groups", + "redirect_document_id": true + }, + { + "source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md", + "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview", + "redirect_document_id": true } ] } diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index aa38fc4f08..be054e388b 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -323,24 +323,8 @@ - name: Access Control Overview href: identity-protection/access-control/access-control.md items: - - name: Dynamic Access Control Overview - href: identity-protection/access-control/dynamic-access-control.md - - name: Security identifiers - href: identity-protection/access-control/security-identifiers.md - - name: Security Principals - href: identity-protection/access-control/security-principals.md - name: Local Accounts href: identity-protection/access-control/local-accounts.md - - name: Active Directory Accounts - href: identity-protection/access-control/active-directory-accounts.md - - name: Microsoft Accounts - href: identity-protection/access-control/microsoft-accounts.md - - name: Service Accounts - href: identity-protection/access-control/service-accounts.md - - name: Active Directory Security Groups - href: identity-protection/access-control/active-directory-security-groups.md - - name: Special Identities - href: identity-protection/access-control/special-identities.md - name: User Account Control href: identity-protection/user-account-control/user-account-control-overview.md items: diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md deleted file mode 100644 index 404f1abb50..0000000000 --- a/windows/security/identity-protection/access-control/active-directory-accounts.md +++ /dev/null @@ -1,621 +0,0 @@ ---- -title: Active Directory Accounts (Windows 10) -description: Active Directory Accounts -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 08/23/2019 ---- - -# Active Directory Accounts - -**Applies to** -- Windows Server 2016 - -Windows Server operating systems are installed with default local accounts. In addition, you can create user accounts to meet the requirements of your organization. This reference topic for the IT professional describes the Windows Server default local accounts that are stored locally on the domain controller and are used in Active Directory. - -This reference topic does not describe default local user accounts for a member or standalone server or for a Windows client. For more information, see [Local Accounts](local-accounts.md). - -## About this topic - - -This topic describes the following: - -- [Default local accounts in Active Directory](#sec-ad-default-accounts) - - - [Administrator account](#sec-administrator) - - - [Guest account](#sec-guest) - - - [HelpAssistant account (installed with a Remote Assistance session)](#sec-helpassistant) - - - [KRBTGT account](#sec-krbtgt) - -- [Settings for default local accounts in Active Directory](#sec-account-settings) - -- [Manage default local accounts in Active Directory](#sec-manage-local-accounts) - -- [Restrict and protect sensitive domain accounts](#sec-restrict-protect-accounts) - - - [Separate administrator accounts from user accounts](#task1-separate-admin-accounts) - - - [Create dedicated workstation hosts without Internet and email access](#task2-admin-workstations) - - - [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon) - - - [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation) - -- [Secure and manage domain controllers](#sec-secure-manage-dcs) - -## Default local accounts in Active Directory - - -Default local accounts are built-in accounts that are created automatically when a Windows Server domain controller is installed and the domain is created. These default local accounts have counterparts in Active Directory. These accounts also have domain-wide access and are completely separate from the default local user accounts for a member or standalone server. - -You can assign rights and permissions to default local accounts on a particular domain controller, and only on that domain controller. These accounts are local to the domain. After the default local accounts are installed, they are stored in the Users container in Active Directory Users and Computers. It is a best practice to keep the default local accounts in the User container and not attempt to move these accounts, for example, to a different organizational unit (OU). - -The default local accounts in the Users container include: Administrator, Guest, and KRBTGT. The HelpAssistant account is installed when a Remote Assistance session is established. The following sections describe the default local accounts and their use in Active Directory. - -Primarily, default local accounts do the following: - -- Let the domain represent, identify, and authenticate the identity of the user that is assigned to the account by using unique credentials (user name and password). It is a best practice to assign each user to a single account to ensure maximum security. Multiple users are not allowed to share one account. A user account lets a user sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain. - -- Authorize (grant or deny) access to resources. After a user’s credentials have been authenticated, the user is authorized to access the network and domain resources based on the user’s explicitly assigned rights on the resource. - -- Audit the actions that are carried out on a user account. - -In Active Directory, default local accounts are used by administrators to manage domain and member servers directly and from dedicated administrative workstations. Active Directory accounts provide access to network resources. Active Directory User accounts and Computer accounts can represent a physical entity, such as a computer or person, or act as dedicated service accounts for some applications. - -Each default local account is automatically assigned to a security group that is preconfigured with the appropriate rights and permissions to perform specific tasks. Active Directory security groups collect user accounts, computer accounts, and other groups into manageable units. For more information, see [Active Directory Security Groups](active-directory-security-groups.md). - -On an Active Directory domain controller, each default local account is referred to as a security principal. A security principal is a directory object that is used to secure and manage Active Directory services that provide access to domain controller resources. A security principal includes objects such as user accounts, computer accounts, security groups, or the threads or processes that run in the security context of a user or computer account. For more information, see [Security Principals](security-principals.md). - -A security principal is represented by a unique security identifier (SID).The SIDs that are related to each of the default local accounts in Active Directory are described in the sections below. - -Some of the default local accounts are protected by a background process that periodically checks and applies a specific security descriptor. A security descriptor is a data structure that contains security information that is associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the default local accounts or groups is overwritten with the protected settings. - -This security descriptor is present on the AdminSDHolder object. If you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the AdminSDHolder object to ensure that it is applied consistently. Be careful when making these modifications, because you are also changing the default settings that are applied to all of your protected accounts. - -## Administrator account - - -The Administrator account is a default account that is used in all versions of the Windows operating system on every computer and device. The Administrator account is used by the system administrator for tasks that require administrative credentials. This account cannot be deleted or locked out, but the account can be renamed or disabled. - -The Administrator account gives the user complete access (Full Control permissions) of the files, directories, services, and other resources that are on that local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. Administrator can also be used to take control of local resources at any time simply by changing the user rights and permissions. Although files and directories can be protected from the Administrator account temporarily, the Administrator account can take control of these resources at any time by changing the access permissions. - -**Account group membership** - -The Administrator account has membership in the default security groups as described in the Administrator account attributes table later in this topic. - -The security groups ensure that you can control administrator rights without having to change each Administrator account. In most instances, you do not have to change the basic settings for this account. However, you might have to change its advanced settings, such as membership in particular groups. - -**Security considerations** - -After installation of the server operating system, your first task is to set up the Administrator account properties securely. This includes setting up an especially long, strong password, and securing the Remote control and Remote Desktop Services profile settings. - -The Administrator account can also be disabled when it is not required. Renaming or disabling the Administrator account makes it more difficult for malicious users to try to gain access to the account. However, even when the Administrator account is disabled, it can still be used to gain access to a domain controller by using safe mode. - -On a domain controller, the Administrator account becomes the Domain Admin account. The Domain Admin account is used to sign in to the domain controller and this account requires a strong password. The Domain Admin account gives you access to domain resources. - -> [!NOTE] -> When the domain controller is initially installed, you can sign in and use Server Manager to set up a local Administrator account, with the rights and permissions you want to assign. For example, you can use a local Administrator account to manage the operating system when you first install it. By using this approach, you can set up the operating system without getting locked out. Generally, you do not need to use the account after installation. You can only create local user accounts on the domain controller, before Active Directory Domain Services is installed, and not afterwards. - -When Active Directory is installed on the first domain controller in the domain, the Administrator account is created for Active Directory. The Administrator account is the most powerful account in the domain. It is given domain-wide access and administrative rights to administer the computer and the domain, and it has the most extensive rights and permissions over the domain. The person who installs Active Directory Domain Services on the computer creates the password for this account during the installation. - -**Administrator account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-500| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|N/A| -|Default member of|Administrators, Domain Admins, Enterprise Administrators, Domain Users. Note that the Primary Group ID of all user accounts is Domain Users.

    Group Policy Creator Owners, and Schema Admins in Active Directory

    Domain Users group| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-service administrators?|No| - -## Guest account - - -The Guest account is a default local account that has limited access to the computer and is disabled by default. By default, the Guest account password is left blank. A blank password allows the Guest account to be accessed without requiring the user to enter a password. - -The Guest account enables occasional or one-time users, who do not have an individual account on the computer, to sign in to the local server or domain with restricted rights and permissions. The Guest account can be enabled, and the password can be set up if needed, but only by a member of the Administrator group on the domain. - -**Account group membership** - -The Guest account has membership in the default security groups that are described in the following Guest account attributes table. By default, the Guest account is the only member of the default Guests group, which lets a user sign in to a server, and the Domain Guests global group, which lets a user sign in to a domain. - -A member of the Administrators group or Domain Admins group can set up a user with a Guest account on one or more computers. - -**Security considerations** - -Because the Guest account can provide anonymous access, it is a security risk. It also has a well-known SID. For this reason, it is a best practice to leave the Guest account disabled, unless its use is required and then only with restricted rights and permissions for a very limited period of time. - -When the Guest account is required, an Administrator on the domain controller is required to enable the Guest account. The Guest account can be enabled without requiring a password, or it can be enabled with a strong password. The Administrator also grants restricted rights and permissions for the Guest account. To help prevent unauthorized access: - -- Do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right. When a computer is shutting down or starting up, it is possible that a Guest user or anyone with local access, such as a malicious user, could gain unauthorized access to the computer. - -- Do not provide the Guest account with the ability to view the event logs. After the Guest account is enabled, it is a best practice to monitor this account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user. - -- Do not use the Guest account when the server has external network access or access to other computers. - -If you decide to enable the Guest account, be sure to restrict its use and to change the password regularly. As with the Administrator account, you might want to rename the account as an added security precaution. - -In addition, an administrator is responsible for managing the Guest account. The administrator monitors the Guest account, disables the Guest account when it is no longer in use, and changes or removes the password as needed. - -For details about the Guest account attributes, see the following table. - -**Guest account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-501| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Guests, Domain Guests| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - -## HelpAssistant account (installed with a Remote Assistance session) - - -The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending. - -HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user’s invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. - -**Security considerations** - -The SIDs that pertain to the default HelpAssistant account include: - -- SID: S-1-5-``-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note that, in Windows Server 2008, Remote Desktop Services are called Terminal Services. - -- SID: S-1-5-``-14, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. - -For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used. - -For details about the HelpAssistant account attributes, see the following table. - -**HelpAssistant account attributes** - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-13 (Terminal Server User), S-1-5-``-14 (Remote Interactive Logon)| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Domain Guests

    Guests| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - - - -## KRBTGT account - - -The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory. - -KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created. - -Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC. - -### KRBTGT account maintenance considerations - -A strong password is assigned to the KRBTGT and trust accounts automatically. Like any privileged service accounts, organizations should change these passwords on a regular schedule. The password for the KDC account is used to derive a secret key for encrypting and decrypting the TGT requests that are issued. The password for a domain trust account is used to derive an inter-realm key for encrypting referral tickets. - -Resetting the password requires you either to be a member of the Domain Admins group, or to have been delegated with the appropriate authority. In addition, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority. - -After you reset the KRBTGT password, ensure that event ID 9 in the (Kerberos) Key-Distribution-Center event source is written to the System event log. - -### Security considerations - -It is also a best practice to reset the KRBTGT account password to ensure that a newly restored domain controller does not replicate with a compromised domain controller. In this case, in a large forest recovery that is spread across multiple locations, you cannot guarantee that all domain controllers are shut down, and if they are shut down, they cannot be rebooted again before all of the appropriate recovery steps have been undertaken. After you reset the KRBTGT account, another domain controller cannot replicate this account password by using an old password. - -An organization suspecting domain compromise of the KRBTGT account should consider the use of professional incident response services. The impact to restore the ownership of the account is domain-wide and labor intensive an should be undertaken as part of a larger recovery effort. - -The KRBTGT password is the key from which all trust in Kerberos chains up to. Resetting the KRBTGT password is similar to renewing the root CA certificate with a new key and immediately not trusting the old key, resulting in almost all subsequent Kerberos operations will be affected. - -For all account types (users, computers, and services) - -- All the TGTs that are already issued and distributed will be invalid because the DCs will reject them. These tickets are encrypted with the KRBTGT so any DC can validate them. When the password changes, the tickets become invalid. - -- All currently authenticated sessions that logged on users have established (based on their service tickets) to a resource (such as a file share, SharePoint site, or Exchange server) are good until the service ticket is required to re-authenticate. - -- NTLM authenticated connections are not affected - -Because it is impossible to predict the specific errors that will occur for any given user in a production operating environment, you must assume all computers and users will be affected. - -> [!IMPORTANT] -> Rebooting a computer is the only reliable way to recover functionality as this will cause both the computer account and user accounts to log back in again. Logging in again will request new TGTs that are valid with the new KRBTGT, correcting any KRBTGT related operational issues on that computer. - -For information about how to help mitigate the risks associated with a potentially compromised KRBTGT account, see [KRBTGT Account Password Reset Scripts now available for customers](https://blogs.microsoft.com/cybertrust/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/). - -### Read-only domain controllers and the KRBTGT account - -Windows Server 2008 introduced the read-only domain controller (RODC). The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different KRBTGT account and password than the KDC on a writable domain controller when it signs or encrypts ticket-granting ticket (TGT) requests. After an account is successfully authenticated, the RODC determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC by using the Password Replication Policy. - -After the credentials are cached on the RODC, the RODC can accept that user's sign-in requests until the credentials change. When a TGT is signed with the KRBTGT account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller. - -### KRBTGT account attributes - -For details about the KRBTGT account attributes, see the following table. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-``-502| -|Type|User| -|Default container|CN=Users, DC=``, DC=| -|Default members|None| -|Default member of|Domain Users group. Note that the Primary Group ID of all user accounts is Domain Users.| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Can be moved out, but we do not recommend it.| -|Safe to delegate management of this group to non-Service admins?|No| - -## Settings for default local accounts in Active Directory - - -Each default local account in Active Directory has a number of account settings that you can use to configure password settings and security-specific information, as described in the following table. - -**Settings for default local accounts in Active Directory** - -|Account settings|Description| -|--- |--- | -|User must change password at next logon|Forces a password change the next time that the user logs signs in to the network. Use this option when you want to ensure that the user is the only person to know his or her password.| -|User cannot change password|Prevents the user from changing the password. Use this option when you want to maintain control over a user account, such as for a Guest or temporary account.| -|Password never expires|Prevents a user password from expiring. It is a best practice to enable this option with service accounts and to use strong passwords.| -|Store passwords using reversible encryption|Provides support for applications that use protocols requiring knowledge of the plaintext form of the user’s password for authentication purposes.

    This option is required when using Challenge Handshake Authentication Protocol (CHAP) in Internet Authentication Services (IAS), and when using digest authentication in Internet Information Services (IIS).| -|Account is disabled|Prevents the user from signing in with the selected account. As an administrator, you can use disabled accounts as templates for common user accounts.| -|Smart card is required for interactive logon|Requires that a user has a smart card to sign on to the network interactively. The user must also have a smart card reader attached to their computer and a valid personal identification number (PIN) for the smart card.

    When this attribute is applied on the account, the effect is as follows:

  • The attribute only restricts initial authentication for interactive logon and Remote Desktop logon. When interactive or Remote Desktop logon requires a subsequent network logon, such as with a domain credential, an NT Hash provided by the domain controller is used to complete the smartcard authentication process
  • Each time the attribute is enabled on an account, the account’s current password hash value is replaced with a 128-bit random number. This invalidates the use of any previously configured passwords for the account. The value does not change after that unless a new password is set or the attribute is disabled and re-enabled.
  • Accounts with this attribute cannot be used to start services or run scheduled tasks.| -|Account is trusted for delegation|Lets a service running under this account perform operations on behalf of other user accounts on the network. A service running under a user account (also known as a service account) that is trusted for delegation can impersonate a client to gain access to resources, either on the computer where the service is running or on other computers. For example, in a forest that is set to the Windows Server 2003 functional level, this setting is found on the Delegation tab. It is available only for accounts that have been assigned service principal names (SPNs), which are set by using the setspn command from Windows Support Tools. This setting is security-sensitive and should be assigned cautiously.| -|Account is sensitive and cannot be delegated|Gives control over a user account, such as for a Guest account or a temporary account. This option can be used if this account cannot be assigned for delegation by another account.| -|Use DES encryption types for this account|Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including Microsoft Point-to-Point Encryption (MPPE) Standard (40-bit and 56-bit), MPPE standard (56-bit), MPPE Strong (128-bit), Internet Protocol security (IPSec) DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES).
    **Note:** DES is not enabled by default in Windows Server operating systems starting with Windows Server 2008 R2, nor in Windows client operating systems starting with Windows 7. For these operating systems, computers will not use DES-CBC-MD5 or DES-CBC-CRC cipher suites by default. If your environment requires DES, then this setting might affect compatibility with client computers or services and applications in your environment. For more information, see [Hunting down DES in order to securely deploy Kerberos](/archive/blogs/askds/hunting-down-des-in-order-to-securely-deploy-kerberos)
    | -|Do not require Kerberos preauthentication|Provides support for alternate implementations of the Kerberos protocol. Because preauthentication provides additional security, use caution when enabling this option. Note that domain controllers running Windows 2000 or Windows Server 2003 can use other mechanisms to synchronize time.| - - - -## Manage default local accounts in Active Directory - - -After the default local accounts are installed, these accounts reside in the Users container in Active Directory Users and Computers. Default local accounts can be created, disabled, reset, and deleted by using the Active Directory Users and Computers Microsoft Management Console (MMC) and by using command-line tools. - -You can use Active Directory Users and Computers to assign rights and permissions on a given local domain controller, and that domain controller only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a computer, such as backing up files and folders or shutting down a computer. In contrast, an access permission is a rule that is associated with an object, usually a file, folder, or printer, that regulates which users can have access to the object and in what manner. - -For more information about creating and managing local user accounts in Active Directory, see [Manage Local Users](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731899(v=ws.11)). - -You can also use Active Directory Users and Computers on a domain controller to target remote computers that are not domain controllers on the network. - -You can obtain recommendations from Microsoft for domain controller configurations that you can distribute by using the Security Compliance Manager (SCM) tool. For more information, see [Microsoft Security Compliance Manager](/previous-versions/tn-archive/cc677002(v=technet.10)). - -Some of the default local user accounts are protected by a background process that periodically checks and applies a specific security descriptor, which is a data structure that contains security information that is associated with a protected object. This security descriptor is present on the AdminSDHolder object. - -This means, when you want to modify the permissions on a service administrator group or on any of its member accounts, you are also required to modify the security descriptor on the AdminSDHolder object. This approach ensures that the permissions are applied consistently. Be careful when you make these modifications, because this action can also affect the default settings that are applied to all of your protected administrative accounts. - -## Restrict and protect sensitive domain accounts - - -Restricting and protecting domain accounts in your domain environment requires you to adopt and implement the following best practices approach: - -- Strictly limit membership to the Administrators, Domain Admins, and Enterprise Admins groups. - -- Stringently control where and how domain accounts are used. - -Member accounts in the Administrators, Domain Admins, and Enterprise Admins groups in a domain or forest are high-value targets for malicious users. It is a best practice to strictly limit membership to these administrator groups to the smallest number of accounts in order to limit any exposure. Restricting membership in these groups reduces the possibility that an administrator might unintentionally misuse these credentials and create a vulnerability that malicious users can exploit. - -Moreover, it is a best practice to stringently control where and how sensitive domain accounts are used. Restrict the use of Domain Admins accounts and other administrator accounts to prevent them from being used to sign in to management systems and workstations that are secured at the same level as the managed systems. When administrator accounts are not restricted in this manner, each workstation from which a domain administrator signs in provides another location that malicious users can exploit. - -Implementing these best practices is separated into the following tasks: - -- [Separate administrator accounts from user accounts](#task1-separate-admin-accounts) - -- [Create dedicated workstation hosts for administrators](#task2-admin-workstations) - -- [Restrict administrator logon access to servers and workstations](#task3-restrict-admin-logon) - -- [Disable the account delegation right for administrator accounts](#task4-disable-account-delegation) - -Note that, to provide for instances where integration challenges with the domain environment are expected, each task is described according to the requirements for a minimum, better, and ideal implementation. As with all significant changes to a production environment, ensure that you test these changes thoroughly before you implement and deploy them. Then stage the deployment in a manner that allows for a rollback of the change in case technical issues occur. - -### Separate administrator accounts from user accounts - -Restrict Domain Admins accounts and other sensitive accounts to prevent them from being used to sign in to lower trust servers and workstations. Restrict and protect administrator accounts by segregating administrator accounts from standard user accounts, by separating administrative duties from other tasks, and by limiting the use of these accounts. Create dedicated accounts for administrative personnel who require administrator credentials to perform specific administrative tasks, and then create separate accounts for other standard user tasks, according to the following guidelines: - -- **Privileged account**. Allocate administrator accounts to perform the following administrative duties only: - - - **Minimum**. Create separate accounts for domain administrators, enterprise administrators, or the equivalent with appropriate administrator rights in the domain or forest. Use accounts that have been granted sensitive administrator rights only to administer domain data and domain controllers. - - - **Better**. Create separate accounts for administrators that have reduced administrative rights, such as accounts for workstation administrators, and accounts with user rights over designated Active Directory organizational units (OUs). - - - **Ideal**. Create multiple, separate accounts for an administrator who has a variety of job responsibilities that require different trust levels. Set up each administrator account with significantly different user rights, such as for workstation administration, server administration and domain administration, to let the administrator sign in to given workstations, servers and domain controllers based strictly on his or her job responsibilities. - -- **Standard user account**. Grant standard user rights for standard user tasks, such as email, web browsing, and using line-of-business (LOB) applications. These accounts should not be granted administrator rights. - -> [!IMPORTANT] -> Ensure that sensitive administrator accounts cannot access email or browse the Internet as described in the following section. - - - -### Create dedicated workstation hosts without Internet and email access - -Administrators need to manage job responsibilities that require sensitive administrator rights from a dedicated workstation because they do not have easy physical access to the servers. A workstation that is connected to the Internet and has email and web browsing access is regularly exposed to compromise through phishing, downloading, and other types of Internet attacks. Because of these threats, it is a best practice to set these administrators up by using workstations that are dedicated to administrative duties only, and not provide access to the Internet, including email and web browsing. For more information, see [Separate administrator accounts from user accounts](#task1-separate-admin-accounts). - -> [!NOTE] -> If the administrators in your environment can sign in locally to managed servers and perform all tasks without elevated rights or domain rights from their workstation, you can skip this task. - - - -- **Minimum**. Build dedicated administrative workstations and block Internet access on those workstations including web browsing and email. Use the following ways to block Internet access: - - - Configure authenticating boundary proxy services, if they are deployed, to disallow administrator accounts from accessing the Internet. - - - Configure boundary firewall or proxy services to disallow Internet access for the IP addresses that are assigned to dedicated administrative workstations. - - - Block outbound access to the boundary proxy servers in the Windows Firewall. - - The instructions for meeting this minimum requirement are described in the following procedure. - -- **Better**. Do not grant administrators membership in the local Administrator group on the computer in order to restrict the administrator from bypassing these protections. - -- **Ideal**. Restrict workstations from having any network connectivity, except for the domain controllers and servers that the administrator accounts are used to manage. Alternately, use AppLocker application control policies to restrict all applications from running, except for the operating system and approved administrative tools and applications. For more information about AppLocker, see [AppLocker](/windows/device-security/applocker/applocker-overview). - -The following procedure describes how to block Internet access by creating a Group Policy Object (GPO) that configures an invalid proxy address on administrative workstations. These instructions apply only to computers running Internet Explorer and other Windows components that use these proxy settings. - -> [!NOTE] -> In this procedure, the workstations are dedicated to domain administrators. By simply modifying the administrator accounts to grant permission to administrators to sign in locally, you can create additional OUs to manage administrators that have fewer administrative rights to use the instructions described in the following procedure. - -**To install administrative workstations in a domain and block Internet and email access (minimum)** - -1. As a domain administrator on a domain controller, open Active Directory Users and Computers, and create a new OU for administrative workstations. - -2. Create computer accounts for the new workstations. - - > [!NOTE] - > You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx). - - ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif) - -3. Close Active Directory Users and Computers. - -4. Start the **Group Policy Management** Console (GPMC). - -5. Right-click the new OU, and > **Create a GPO in this domain, and Link it here**. - - ![Active Directory's local accounts](images/adlocalaccounts-proc1-sample2.png) - -6. Name the GPO, and > **OK**. - -7. Expand the GPO, right-click the new GPO, and > **Edit**. - - ![Active Directory (AD) local accounts](images/adlocalaccounts-proc1-sample3.png) - -8. Configure which members of accounts can log on locally to these administrative workstations as follows: - - 1. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**. - - 2. Double-click **Allow log on locally**, and then select the **Define these policy settings** check box. - - 3. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 4. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - - > [!IMPORTANT] - > These instructions assume that the workstation is to be dedicated to domain administrators. - - - - 5. Click **Add User or Group**, type **Administrators**, and > **OK**. - - ![AD local accounts](images/adlocalaccounts-proc1-sample4.png) - -9. Configure the proxy configuration: - - 1. Navigate to User Configuration\\Policies\\Windows Settings\\Internet Explorer, and > **Connection**. - - 2. Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and > **OK**. - - ![AD's local accounts](images/adlocalaccounts-proc1-sample5.png) - -10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows: - - 1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\System, and > **Group Policy**. - - 2. Double-click **User Group Policy loopback policy processing mode**, and > **Enabled**. - - 3. Select **Merge Mode**, and > **OK**. - -11. Configure software updates as follows: - - 1. Navigate to Computer Configuration\\Policies\\Administrative Templates\\Windows Components, and then click **Windows Update**. - - 2. Configure Windows Update settings as described in the following table. - - |Windows Update Setting|Configuration| - |--- |--- | - |Allow Automatic Updates immediate installation|Enabled| - |Configure Automatic Updates|Enabled4 - Auto download and schedule the installation0 - Every day 03:00| - |Enable Windows Update Power Management to automatically wake up the system to install scheduled updates|Enabled| - |Specify intranet Microsoft Update service location|Enabled `http:// http://` Where `` is the DNS name or IP address of the Windows Server Update Services (WSUS) in the environment.| - |Automatic Updates detection frequency|6 hours| - |Re-prompt for restart with scheduled installations|1 minute| - |Delay restart for scheduled installations|5 minutes| - - > [!NOTE] - > This step assumes that Windows Server Update Services (WSUS) is installed and configured in the environment. You can skip this step if you use another tool to deploy software updates. Also, if the public Microsoft Windows Update service only is used on the Internet, then these administrative workstations no longer receive updates. - -12. Configure the inbound firewall to block all connections as follows: - - 1. Right-click **Windows Firewall with Advanced Security LDAP://path**, and > **Properties**. - - ![Local accounts for Active Directory](images/adlocalaccounts-proc1-sample6.png) - - 2. On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**. - - ![Local accounts for an AD](images/adlocalaccounts-proc1-sample7.png) - - 3. Click **OK** to complete the configuration. - -13. Close the Group Policy Management Console. - -14. Install the Windows operating system on the workstations, give each workstation the same names as the computer accounts assigned to them, and then join them to the domain. - -### Restrict administrator logon access to servers and workstations - -It is a best practice to restrict administrators from using sensitive administrator accounts to sign in to lower-trust servers and workstations. This restriction prevents administrators from inadvertently increasing the risk of credential theft by signing in to a lower-trust computer. - -> [!IMPORTANT] -> Ensure that you either have local access to the domain controller or that you have built at least one dedicated administrative workstation. - - - -Restrict logon access to lower-trust servers and workstations by using the following guidelines: - -- **Minimum**. Restrict domain administrators from having logon access to servers and workstations. Before starting this procedure, identify all OUs in the domain that contain workstations and servers. Any computers in OUs that are not identified will not restrict administrators with sensitive accounts from signing-in to them. - -- **Better**. Restrict domain administrators from non-domain controller servers and workstations. - -- **Ideal**. Restrict server administrators from signing in to workstations, in addition to domain administrators. - -> [!NOTE] -> For this procedure, do not link accounts to the OU that contain workstations for administrators that perform administration duties only, and do not provide Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations) - - - -**To restrict domain administrators from workstations (minimum)** - -1. As a domain administrator, open the Group Policy Management Console (GPMC). - -2. Open **Group Policy Management**, and expand *<forest>*\\Domains\\``, and then expand to **Group Policy Objects**. - -3. Right-click **Group Policy Objects**, and > **New**. - - ![Local account's representation - Active Directory](images/adlocalaccounts-proc2-sample1.png) - -4. In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and > **OK**. - - ![Local account's representation - AD](images/adlocalaccounts-proc2-sample2.png) - -5. Right-click **New GPO**, and > **Edit**. - -6. Configure user rights to deny logon locally for domain administrators. - -7. Navigate to Computer Configuration\\Policies\\Windows Settings\\Local Policies, and then click **User Rights Assignment**, and perform the following: - - 1. Double-click **Deny logon locally**, and > **Define these policy settings**. - - 2. Click **Add User or Group**, click **Browse**, type **Enterprise Admins**, and > **OK**. - - 3. Click **Add User or Group**, click **Browse**, type **Domain Admins**, and > **OK**. - - ![An Active Directory's local accounts](images/adlocalaccounts-proc2-sample3.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - - 4. Click **OK** to complete the configuration. - -8. Configure the user rights to deny batch and service logon rights for domain administrators as follows: - - > [!NOTE] - > Completing this step might cause issues with administrator tasks that run as scheduled tasks or services with accounts in the Domain Admins group. The practice of using domain administrator accounts to run services and tasks on workstations creates a significant risk of credential theft attacks and therefore should be replaced with alternative means to run scheduled tasks or services. - - - - 1. Double-click **Deny logon as a batch job**, and > **Define these policy settings**. - - 2. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 3. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - - ![An AD's local accounts](images/adlocalaccounts-proc2-sample4.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - - 4. Double-click **Deny logon as a service**, and > **Define these policy settings**. - - 5. Click **Add User or Group** > **Browse**, type **Enterprise Admins**, and > **OK**. - - 6. Click **Add User or Group** > **Browse**, type **Domain Admins**, and > **OK**. - - ![Local accounts for AD](images/adlocalaccounts-proc2-sample5.png) - - > [!NOTE] - > You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations. - - - -9. Link the GPO to the first Workstations OU. - - Navigate to the *<forest>*\\Domains\\``\\OU Path, and then: - - 1. Right-click the workstation OU, and then > **Link an Existing GPO**. - - ![Local accounts representation for an Active Directory](images/adlocalaccounts-proc2-sample6.png) - - 2. Select the GPO that you just created, and > **OK**. - - ![Active Directory's local accounts' presentation](images/adlocalaccounts-proc2-sample7.png) -======= - ![Active Directory local accounts 13](images/adlocalaccounts-proc2-sample6.png) - - 2. Select the GPO that you just created, and > **OK**. - - ![Active Directory local accounts 14](images/adlocalaccounts-proc2-sample7.png) - -10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy. - -11. Link all other OUs that contain workstations. - - However, do not create a link to the Administrative Workstation OU if it is created for administrative workstations that are dedicated to administration duties only, and that are without Internet or email access. For more information, see [Create dedicated workstation hosts for administrators](#task2-admin-workstations). - - > [!IMPORTANT] - > If you later extend this solution, do not deny logon rights for the **Domain Users** group. The **Domain Users** group includes all user accounts in the domain, including Users, Domain Administrators, and Enterprise Administrators. - - - -### Disable the account delegation right for sensitive administrator accounts - -Although user accounts are not marked for delegation by default, accounts in an Active Directory domain can be trusted for delegation. This means that a service or a computer that is trusted for delegation can impersonate an account that authenticates to them to access other resources across the network. - -For sensitive accounts, such as those belonging to members of the Administrators, Domain Admins, or Enterprise Admins groups in Active Directory, delegation can present a substantial risk of rights escalation. For example, if an account in the Domain Admins group is used to sign in to a compromised member server that is trusted for delegation, that server can request access to resources in the context of the Domain Admins account, and escalate the compromise of that member server to a domain compromise. - -It is a best practice to configure the user objects for all sensitive accounts in Active Directory by selecting the **Account is sensitive and cannot be delegated** check box under **Account options** to prevent these accounts from being delegated. For more information, see [Setting for default local accounts in Active Directory](#sec-account-settings). - -As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it. - -![An Active Directory local accounts' presentation](images/adlocalaccounts-proc3-sample1.png) - -## Secure and manage domain controllers - - -It is a best practice to strictly enforce restrictions on the domain controllers in your environment. This ensures that the domain controllers: - -1. Run only required software - -2. Required software is regularly updated - -3. Are configured with the appropriate security settings - -One aspect of securing and managing domain controllers is to ensure that the default local user accounts are fully protected. It is of primary importance to restrict and secure all sensitive domain accounts, as described in the preceding sections. - -Because domain controllers store credential password hashes of all accounts in the domain, they are high-value targets for malicious users. When domain controllers are not well managed and secured by using restrictions that are strictly enforced, they can be compromised by malicious users. For example, a malicious user could steal sensitive domain administrator credentials from one domain controller, and then use these credentials to attack the domain and forest. - -In addition, installed applications and management agents on domain controllers might provide a path for escalating rights that malicious users can use to compromise the management service or administrators of that service. The management tools and services, which your organization uses to manage domain controllers and their administrators, are equally important to the security of the domain controllers and the domain administrator accounts. Ensure that these services and administrators are fully secured with equal effort. - -## See also - -- [Security Principals](security-principals.md) - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md deleted file mode 100644 index 7a469d0fc0..0000000000 --- a/windows/security/identity-protection/access-control/active-directory-security-groups.md +++ /dev/null @@ -1,1431 +0,0 @@ ---- -title: Active Directory Security Groups -description: Active Directory Security Groups -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 09/21/2021 ---- - -# Active Directory Security Groups - -**Applies to** -- Windows Server 2016 or later -- Windows 10 or later - -This reference topic for the IT professional describes the default Active Directory security groups. - -## - - -There are two forms of common security principals in Active Directory: user accounts and computer accounts. These accounts represent a physical entity (a person or a computer). User accounts can also be used as dedicated service accounts for some applications. Security groups are used to collect user accounts, computer accounts, and other groups into manageable units. - -In the Windows Server operating system, there are several built-in accounts and security groups that are preconfigured with the appropriate rights and permissions to perform specific tasks. For Active Directory, there are two types of administrative responsibilities: - -- **Service administrators**   Responsible for maintaining and delivering Active Directory Domain Services (AD DS), including managing domain controllers and configuring the AD DS. - -- **Data administrators**   Responsible for maintaining the data that is stored in AD DS and on domain member servers and workstations. - -## About Active Directory groups - - -Groups are used to collect user accounts, computer accounts, and other groups into manageable units. Working with groups instead of with individual users helps simplify network maintenance and administration. - -There are two types of groups in Active Directory: - -- **Distribution groups** Used to create email distribution lists. - -- **Security groups** Used to assign permissions to shared resources. - -### Distribution groups - -Distribution groups can be used only with email applications (such as Exchange Server) to send email to collections of users. Distribution groups are not security enabled, which means that they cannot be listed in discretionary access control lists (DACLs). - -### Security groups - -Security groups can provide an efficient way to assign access to resources on your network. By using security groups, you can: - -- Assign user rights to security groups in Active Directory. - - User rights are assigned to a security group to determine what members of that group can do within the scope of a domain or forest. User rights are automatically assigned to some security groups when Active Directory is installed to help administrators define a person’s administrative role in the domain. - - For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories that are located on each domain controller in the domain. This is possible because, by default, the user rights **Backup files and directories** and **Restore files and directories** are automatically assigned to the Backup Operators group. Therefore, members of this group inherit the user rights that are assigned to that group. - - You can use Group Policy to assign user rights to security groups to delegate specific tasks. For more information about using Group Policy, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment). - -- Assign permissions to security groups for resources. - - Permissions are different than user rights. Permissions are assigned to the security group for the shared resource. Permissions determine who can access the resource and the level of access, such as Full Control. Some permissions that are set on domain objects are automatically assigned to allow various levels of access to default security groups, such as the Account Operators group or the Domain Admins group. - - Security groups are listed in DACLs that define permissions on resources and objects. When assigning permissions for resources (file shares, printers, and so on), administrators should assign those permissions to a security group rather than to individual users. The permissions are assigned once to the group, instead of several times to each individual user. Each account that is added to a group receives the rights that are assigned to that group in Active Directory, and the user receives the permissions that are defined for that group. - -Like distribution groups, security groups can be used as an email entity. Sending an email message to the group sends the message to all the members of the group. - -### Group scope - -Groups are characterized by a scope that identifies the extent to which the group is applied in the domain tree or forest. The scope of the group defines where the group can be granted permissions. The following three group scopes are defined by Active Directory: - -- Universal - -- Global - -- Domain Local - -> [!NOTE] -> In addition to these three scopes, the default groups in the **Builtin** container have a group scope of Builtin Local. This group scope and group type cannot be changed. - - - -The following table lists the three group scopes and more information about each scope for a security group. - -**Group scopes** - -|Scope|Possible Members|Scope Conversion|Can Grant Permissions|Possible Member of| -|--- |--- |--- |--- |--- | -|Universal|Accounts from any domain in the same forest

    Global groups from any domain in the same forest

    Other Universal groups from any domain in the same forest|Can be converted to

    Domain Local scope if the group is not a member of any other Universal groups

    Can be converted to Global scope if the group does not contain any other Universal groups|On any domain in the same forest or trusting forests|Other Universal groups in the same forest

    Domain

    Local groups in the same forest or trusting forests

    Local groups on computers in the same forest or trusting forests| -|Global|Accounts from the same domain

    Other Global groups from the same domain|Can be converted to Universal scope if the group is not a member of any other global group|On any domain in the same forest, or trusting domains or forests|Universal groups from any domain in the same forest

    Other Global groups from the same domain

    Domain Local groups from any domain in the same forest, or from any trusting domain| -|Domain Local|Accounts from any domain or any trusted domain

    Global groups from any domain or any trusted domain

    Universal groups from any domain in the same forest

    Other Domain Local groups from the same domain

    Accounts, Global groups, and Universal groups from other forests and from external domains|Can be converted to Universal scope if the group does not contain any other Domain Local groups|Within the same domain|Other Domain Local groups from the same domain

    Local groups on computers in the same domain, excluding built-in groups that have well-known SIDs| - -### Special identity groups - -Special identities are generally referred to as groups. Special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. Some of these groups include Creator Owner, Batch, and Authenticated User. - -For information about all the special identity groups, see [Special Identities](special-identities.md). - -## Default security groups - - -Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these predefined groups to help control access to shared resources and to delegate specific domain-wide administrative roles. - -Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers in the domain. - -When you add a user to a group, the user receives all the user rights that are assigned to the group and all the permissions that are assigned to the group for any shared resources. - -Default groups are located in the **Builtin** container and in the **Users** container in Active Directory Users and Computers. The **Builtin** container includes groups that are defined with the Domain Local scope. The **Users** includes contains groups that are defined with Global scope and groups that are defined with Domain Local scope. You can move groups that are located in these containers to other groups or organizational units (OU) within the domain, but you cannot move them to other domains. - -Some of the administrative groups that are listed in this topic and all members of these groups are protected by a background process that periodically checks for and applies a specific security descriptor. This descriptor is a data structure that contains security information associated with a protected object. This process ensures that any successful unauthorized attempt to modify the security descriptor on one of the administrative accounts or groups will be overwritten with the protected settings. - -The security descriptor is present on the **AdminSDHolder** object. This means that if you want to modify the permissions on one of the service administrator groups or on any of its member accounts, you must modify the security descriptor on the **AdminSDHolder** object so that it will be applied consistently. Be careful when you make these modifications because you are also changing the default settings that will be applied to all of your protected administrative accounts. - -### Active Directory default security groups by operating system version - -The following tables provide descriptions of the default groups that are located in the **Builtin** and **Users** containers in each operating system. - -|Default Security Group|Windows Server 2016|Windows Server 2012 R2|Windows Server 2012|Windows Server 2008 R2| -|--- |--- |--- |--- |--- | -|[Access Control Assistance Operators](#bkmk-acasstops)|Yes|Yes|Yes|| -|[Account Operators](#bkmk-accountoperators)|Yes|Yes|Yes|Yes| -|[Administrators](#bkmk-admins)|Yes|Yes|Yes|Yes| -|[Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl)|Yes|Yes|Yes|Yes| -|[Backup Operators](#bkmk-backupoperators)|Yes|Yes|Yes|Yes| -|[Certificate Service DCOM Access](#bkmk-certificateservicedcomaccess)|Yes|Yes|Yes|Yes| -|[Cert Publishers](#bkmk-certpublishers)|Yes|Yes|Yes|Yes| -|[Cloneable Domain Controllers](#bkmk-cloneabledomaincontrollers)|Yes|Yes|Yes|| -|[Cryptographic Operators](#bkmk-cryptographicoperators)|Yes|Yes|Yes|Yes| -|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)|Yes|Yes|Yes|Yes| -|[Device Owners](#bkmk-device-owners)|Yes|Yes|Yes|Yes| -|[Distributed COM Users](#bkmk-distributedcomusers)|Yes|Yes|Yes|Yes| -|[DnsUpdateProxy](#bkmk-dnsupdateproxy)|Yes|Yes|Yes|Yes| -|[DnsAdmins](#bkmk-dnsadmins)|Yes|Yes|Yes|Yes| -|[Domain Admins](#bkmk-domainadmins)|Yes|Yes|Yes|Yes| -|[Domain Computers](#bkmk-domaincomputers)|Yes|Yes|Yes|Yes| -|[Domain Controllers](#bkmk-domaincontrollers)|Yes|Yes|Yes|Yes| -|[Domain Guests](#bkmk-domainguests)|Yes|Yes|Yes|Yes| -|[Domain Users](#bkmk-domainusers)|Yes|Yes|Yes|Yes| -|[Enterprise Admins](#bkmk-entadmins)|Yes|Yes|Yes|Yes| -|[Enterprise Key Admins](#enterprise-key-admins)|Yes|||| -|[Enterprise Read-only Domain Controllers](#bkmk-entrodc)|Yes|Yes|Yes|Yes| -|[Event Log Readers](#bkmk-eventlogreaders)|Yes|Yes|Yes|Yes| -|[Group Policy Creator Owners](#bkmk-gpcreatorsowners)|Yes|Yes|Yes|Yes| -|[Guests](#bkmk-guests)|Yes|Yes|Yes|Yes| -|[Hyper-V Administrators](#bkmk-hypervadministrators)|Yes|Yes|Yes|| -|[IIS_IUSRS](#bkmk-iis-iusrs)|Yes|Yes|Yes|Yes| -|[Incoming Forest Trust Builders](#bkmk-inforesttrustbldrs)|Yes|Yes|Yes|Yes| -|[Key Admins](#key-admins)|Yes|||| -|[Network Configuration Operators](#bkmk-networkcfgoperators)|Yes|Yes|Yes|Yes| -|[Performance Log Users](#bkmk-perflogusers)|Yes|Yes|Yes|Yes| -|[Performance Monitor Users](#bkmk-perfmonitorusers)|Yes|Yes|Yes|Yes| -|[Pre–Windows 2000 Compatible Access](#bkmk-pre-ws2kcompataccess)|Yes|Yes|Yes|Yes| -|[Print Operators](#bkmk-printoperators)|Yes|Yes|Yes|Yes| -|[Protected Users](#bkmk-protectedusers)|Yes|Yes||| -|[RAS and IAS Servers](#bkmk-rasandias)|Yes|Yes|Yes|Yes| -|[RDS Endpoint Servers](#bkmk-rdsendpointservers)|Yes|Yes|Yes|| -|[RDS Management Servers](#bkmk-rdsmanagementservers)|Yes|Yes|Yes|| -|[RDS Remote Access Servers](#bkmk-rdsremoteaccessservers)|Yes|Yes|Yes|| -|[Read-only Domain Controllers](#bkmk-rodc)|Yes|Yes|Yes|Yes| -|[Remote Desktop Users](#bkmk-remotedesktopusers)|Yes|Yes|Yes|Yes| -|[Remote Management Users](#bkmk-remotemanagementusers)|Yes|Yes|Yes|| -|[Replicator](#bkmk-replicator)|Yes|Yes|Yes|Yes| -|[Schema Admins](#bkmk-schemaadmins)|Yes|Yes|Yes|Yes| -|[Server Operators](#bkmk-serveroperators)|Yes|Yes|Yes|Yes| -|[Storage Replica Administrators](#storage-replica-administrators)|Yes|||| -|[System Managed Accounts Group](#system-managed-accounts-group)|Yes|||| -|[Terminal Server License Servers](#bkmk-terminalserverlic)|Yes|Yes|Yes|Yes| -|[Users](#bkmk-users)|Yes|Yes|Yes|Yes| -|[Windows Authorization Access Group](#bkmk-winauthaccess)|Yes|Yes|Yes|Yes| -|[WinRMRemoteWMIUsers_](#bkmk-winrmremotewmiusers-)||Yes|Yes|| - -### Access Control Assistance Operators - -Members of this group can remotely query authorization attributes and permissions for resources on the computer. - -The Access Control Assistance Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-579| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Account Operators - -The Account Operators group grants limited account creation privileges to a user. Members of this group can create and modify most types of accounts, including those of users, local groups, and global groups, and members can log in locally to domain controllers. - -Members of the Account Operators group cannot manage the Administrator user account, the user accounts of administrators, or the [Administrators](#bkmk-admins), [Server Operators](#bkmk-serveroperators), [Account Operators](#bkmk-accountoperators), [Backup Operators](#bkmk-backupoperators), or [Print Operators](#bkmk-printoperators) groups. Members of this group cannot modify user rights. - -The Account Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> By default, this built-in group has no members, and it can create and manage users and groups in the domain, including its own membership and that of the Server Operators group. This group is considered a service administrator group because it can modify Server Operators, which in turn can modify domain controller settings. As a best practice, leave the membership of this group empty, and do not use it for any delegated administration. This group cannot be renamed, deleted, or moved. - - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-548| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight| - - - -### Administrators - -Members of the Administrators group have complete and unrestricted access to the computer, or if the computer is promoted to a domain controller, members have unrestricted access to the domain. - -The Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> The Administrators group has built-in capabilities that give its members full control over the system. This group cannot be renamed, deleted, or moved. This built-in group controls access to all the domain controllers in its domain, and it can change the membership of all administrative groups. - -Membership can be modified by members of the following groups: the default service Administrators, Domain Admins in the domain, or Enterprise Admins. This group has the special privilege to take ownership of any object in the directory or any resource on a domain controller. This account is considered a service administrator group because its members have full access to the domain controllers in the domain. - - - -This security group includes the following changes since Windows Server 2008: - -- Default user rights changes: **Allow log on through Terminal Services** existed in Windows Server 2008, and it was replaced by [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services). - -- [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station) was removed in Windows Server 2012 R2. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-544| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|Administrator, Domain Admins, Enterprise Admins| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege

    [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Allow log on through Remote Desktop Services](/windows/device-security/security-policy-settings/allow-log-on-through-remote-desktop-services): SeRemoteInteractiveLogonRight

    [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege

    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

    [Create a pagefile](/windows/device-security/security-policy-settings/create-a-pagefile): SeCreatePagefilePrivilege

    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege

    [Create symbolic links](/windows/device-security/security-policy-settings/create-symbolic-links): SeCreateSymbolicLinkPrivilege

    [Debug programs](/windows/device-security/security-policy-settings/debug-programs): SeDebugPrivilege

    [Enable computer and user accounts to be trusted for delegation](/windows/device-security/security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation): SeEnableDelegationPrivilege

    [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege

    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege

    [Increase scheduling priority](/windows/device-security/security-policy-settings/increase-scheduling-priority): SeIncreaseBasePriorityPrivilege

    [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege

    [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

    [Manage auditing and security log](/windows/device-security/security-policy-settings/manage-auditing-and-security-log): SeSecurityPrivilege

    [Modify firmware environment values](/windows/device-security/security-policy-settings/modify-firmware-environment-values): SeSystemEnvironmentPrivilege

    [Perform volume maintenance tasks](/windows/device-security/security-policy-settings/perform-volume-maintenance-tasks): SeManageVolumePrivilege

    [Profile system performance](/windows/device-security/security-policy-settings/profile-system-performance): SeSystemProfilePrivilege

    [Profile single process](/windows/device-security/security-policy-settings/profile-single-process): SeProfileSingleProcessPrivilege

    [Remove computer from docking station](/windows/device-security/security-policy-settings/remove-computer-from-docking-station): SeUndockPrivilege

    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

    [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege

    [Take ownership of files or other objects](/windows/device-security/security-policy-settings/take-ownership-of-files-or-other-objects): SeTakeOwnershipPrivilege| - -### Allowed RODC Password Replication Group - -The purpose of this security group is to manage a RODC password replication policy. This group has no members by default, and it results in the condition that new Read-only domain controllers do not cache user credentials. The [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl) group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication group supersedes the Allowed RODC Password Replication group. - -The Allowed RODC Password Replication group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-571| -|Type|Domain local| -|Default container|CN=Users DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Backup Operators - -Members of the Backup Operators group can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to and shut down the computer. This group cannot be renamed, deleted, or moved. By default, this built-in group has no members, and it can perform backup and restore operations on domain controllers. Its membership can be modified by the following groups: default service Administrators, Domain Admins in the domain, or Enterprise Admins. It cannot modify the membership of any administrative groups. While members of this group cannot change server settings or modify the configuration of the directory, they do have the permissions needed to replace files (including operating system files) on domain controllers. Because of this, members of this group are considered service administrators. - -The Backup Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-551| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

    [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight

    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege

    [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - - - -### Certificate Service DCOM Access - -Members of this group are allowed to connect to certification authorities in the enterprise. - -The Certificate Service DCOM Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-<domain>-574| -|Type|Domain Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### Cert Publishers - -Members of the Cert Publishers group are authorized to publish certificates for User objects in Active Directory. - -The Cert Publishers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-517| -|Type|Domain Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Cloneable Domain Controllers - -Members of the Cloneable Domain Controllers group that are domain controllers may be cloned. In Windows Server 2012 R2 and Windows Server 2012, you can deploy domain controllers by copying an existing virtual domain controller. In a virtual environment, you no longer have to repeatedly deploy a server image that is prepared by using sysprep.exe, promote the server to a domain controller, and then complete additional configuration requirements for deploying each domain controller (including adding the virtual domain controller to this security group). - -For more information, see [Introduction to Active Directory Domain Services (AD DS) Virtualization (Level 100)](/windows-server/identity/ad-ds/introduction-to-active-directory-domain-services-ad-ds-virtualization-level-100). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-522| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Cryptographic Operators - -Members of this group are authorized to perform cryptographic operations. This security group was added in Windows Vista Service Pack 1 (SP1) to configure Windows Firewall for IPsec in Common Criteria mode. - -The Cryptographic Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group was introduced in Windows Vista Service Pack 1, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-569| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - - -### Denied RODC Password Replication Group - -Members of the Denied RODC Password Replication group cannot have their passwords replicated to any Read-only domain controller. - -The purpose of this security group is to manage a RODC password replication policy. This group contains a variety of high-privilege accounts and security groups. The Denied RODC Password Replication Group supersedes the [Allowed RODC Password Replication Group](#bkmk-allowedrodcpwdrepl). - -This security group includes the following changes since Windows Server 2008: - -- Windows Server 2012 changed the default members to include [Cert Publishers](#bkmk-certpublishers). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-572| -|Type|Domain local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|[Cert Publishers](#bkmk-certpublishers)

    [Domain Admins](#bkmk-domainadmins)

    [Domain Controllers](#bkmk-domaincontrollers)

    [Enterprise Admins](#bkmk-entadmins)

    Group Policy Creator Owners

    [Read-only Domain Controllers](#bkmk-rodc)

    [Schema Admins](#bkmk-schemaadmins)| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### Device Owners -This group is not currently used in Windows. - -Microsoft does not recommend changing the default configuration where this security group has zero members. Changing the default configuration could hinder future scenarios that rely on this group. - -The Device Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-583| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Can be moved out but it is not recommended| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege

    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege| - -### Distributed COM Users - -Members of the Distributed COM Users group are allowed to launch, activate, and use Distributed COM objects on the computer. Microsoft Component Object Model (COM) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. Distributed Component Object Model (DCOM) allows applications to be distributed across locations that make the most sense to you and to the application. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Distributed COM Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-562| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### DnsUpdateProxy - -Members of the DnsUpdateProxy group are DNS clients. They are permitted to perform dynamic updates on behalf of other clients (such as DHCP servers). A DNS server can develop stale resource records when a DHCP server is configured to dynamically register host (A) and pointer (PTR) resource records on behalf of DHCP clients by using dynamic update. Adding clients to this security group mitigates this scenario. - -However, to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated user account and configure DHCP servers to perform DNS dynamic updates by using the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. - -For information, see [DNS Record Ownership and the DnsUpdateProxy Group](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd334715(v=ws.10)). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### DnsAdmins - -Members of DNSAdmins group have access to network DNS information. The default permissions are as follows: Allow: Read, Write, Create All Child objects, Delete Child objects, Special Permissions. This group exists only if the DNS server role is or was once installed on a domain controller in the domain. - -For more information about security and DNS, see [DNSSEC in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn593694(v=ws.11)). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Builtin Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Domain Admins - -Members of the Domain Admins security group are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. The Domain Admins group is the default owner of any object that is created in Active Directory for the domain by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group. - -The Domain Admins group controls access to all domain controllers in a domain, and it can modify the membership of all administrative accounts in the domain. Membership can be modified by members of the service administrator groups in its domain (Administrators and Domain Admins), and by members of the Enterprise Admins group. This is considered a service administrator account because its members have full access to the domain controllers in a domain. - -The Domain Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-512| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Administrators](#bkmk-admins)

    [Denied RODC Password ReplicationGroup](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Administrators](#bkmk-admins)

    See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - - - -### Domain Computers - -This group can include all computers and servers that have joined the domain, excluding domain controllers. By default, any computer account that is created automatically becomes a member of this group. - -The Domain Computers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-515| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|All computers joined to the domain, excluding domain controllers| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes (but not required)| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Domain Controllers - -The Domain Controllers group can include all domain controllers in the domain. New domain controllers are automatically added to this group. - -The Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-516| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Computer accounts for all domain controllers of the domain| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|No| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Domain Guests - -The Domain Guests group includes the domain’s built-in Guest account. When members of this group sign in as local guests on a domain-joined computer, a domain profile is created on the local computer. - -The Domain Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-514| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Guest| -|Default member of|[Guests](#bkmk-guests)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Can be moved out but it is not recommended| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Guests](#bkmk-guests)| - -### Domain Users - -The Domain Users group includes all user accounts in a domain. When you create a user account in a domain, it is automatically added to this group. - -By default, any user account that is created in the domain automatically becomes a member of this group. This group can be used to represent all users in the domain. For example, if you want all domain users to have access to a printer, you can assign permissions for the printer to this group (or add the Domain Users group to a local group on the print server that has permissions for the printer). - -The Domain Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-513| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator -krbtgt| -|Default member of|[Users](#bkmk-users)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Users](#bkmk-users)| - -### Enterprise Admins - -The Enterprise Admins group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. Members of this group are authorized to make forest-wide changes in Active Directory, such as adding child domains. - -By default, the only member of the group is the Administrator account for the forest root domain. This group is automatically added to the Administrators group in every domain in the forest, and it provides complete access for configuring all domain controllers. Members in this group can modify the membership of all administrative groups. Membership can be modified only by the default service administrator groups in the root domain. This is considered a service administrator account. - -The Enterprise Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-519| -|Type|Universal (if Domain is in Native-Mode) else Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Administrators](#bkmk-admins) -[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Administrators](#bkmk-admins)

    See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Enterprise Key Admins - -Members of this group can perform administrative actions on key objects within the forest. - -The Enterprise Key Admins group was introduced in Windows Server 2016. - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-21-<domain>-527 | -| Type | Global | -| Default container | CN=Users, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | Yes | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - -### Enterprise Read-Only Domain Controllers - -Members of this group are Read-Only Domain Controllers in the enterprise. Except for account passwords, a Read-only domain controller holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the Read-only domain controller. Changes must be made on a writable domain controller and then replicated to the Read-only domain controller. - -Read-only domain controllers address some of the issues that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller, but not the physical security, network bandwidth, or local expertise to support it. - -For more information, see [What Is an RODC?](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc771030(v=ws.10)). - -The Enterprise Read-Only Domain Controllers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-498| -|Type|Universal| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Event Log Readers - -Members of this group can read event logs from local computers. The group is created when the server is promoted to a domain controller. - -The Event Log Readers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-573| -|Type|Domain Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Group Policy Creator Owners - -This group is authorized to create, edit, or delete Group Policy Objects in the domain. By default, the only member of the group is Administrator. - -For information about other features you can use with this security group, see [Group Policy Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831791(v=ws.11)). - -The Group Policy Creator Owners group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-520| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|No| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Guests - -Members of the Guests group have the same access as members of the Users group by default, except that the Guest account has further restrictions. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to sign in with limited privileges to a computer’s built-in Guest account. - -When a member of the Guests group signs out, the entire profile is deleted. This includes everything that is stored in the **%userprofile%** directory, including the user's registry hive information, custom desktop icons, and other user-specific settings. This implies that a guest must use a temporary profile to sign in to the system. This security group interacts with the Group Policy setting **Do not logon users with temporary profiles** when it is enabled. This setting is located under the following path: - -Computer Configuration\\Administrative Templates\\System\\User Profiles - -> [!NOTE] -> A Guest account is a default member of the Guests security group. People who do not have an actual account in the domain can use the Guest account. A user whose account is disabled (but not deleted) can also use the Guest account. - -The Guest account does not require a password. You can set rights and permissions for the Guest account as in any user account. By default, the Guest account is a member of the built-in Guests group and the Domain Guests global group, which allows a user to sign in to a domain. The Guest account is disabled by default, and we recommend that it stay disabled. - -The Guests group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-546| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|[Domain Guests](#bkmk-domainguests)| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - - -### Hyper-V Administrators - -Members of the Hyper-V Administrators group have complete and unrestricted access to all the features in Hyper-V. Adding members to this group helps reduce the number of members required in the Administrators group, and further separates access. - -> [!NOTE] -> Prior to Windows Server 2012, access to features in Hyper-V was controlled in part by membership in the Administrators group. - - - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-578| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### IIS\_IUSRS - -IIS\_IUSRS is a built-in group that is used by Internet Information Services beginning with IIS 7.0. A built-in account and group are guaranteed by the operating system to always have a unique SID. IIS 7.0 replaces the IUSR\_MachineName account and the IIS\_WPG group with the IIS\_IUSRS group to ensure that the actual names that are used by the new account and group will never be localized. For example, regardless of the language of the Windows operating system that you install, the IIS account name will always be IUSR, and the group name will be IIS\_IUSRS. - -For more information, see [Understanding Built-In User and Group Accounts in IIS 7](/iis/get-started/planning-for-security/understanding-built-in-user-and-group-accounts-in-iis). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-568| -|Type|Builtin Local| -|Default container|CN=BuiltIn, DC=<domain>, DC=| -|Default members|IUSR| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Incoming Forest Trust Builders - -Members of the Incoming Forest Trust Builders group can create incoming, one-way trusts to this forest. Active Directory provides security across multiple domains or forests through domain and forest trust relationships. Before authentication can occur across trusts, Windows must determine whether the domain being requested by a user, computer, or service has a trust relationship with the logon domain of the requesting account. - -To make this determination, the Windows security system computes a trust path between the domain controller for the server that receives the request and a domain controller in the domain of the requesting account. A secured channel extends to other Active Directory domains through interdomain trust relationships. This secured channel is used to obtain and verify security information, including security identifiers (SIDs) for users and groups. - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - - -For more information, see [How Domain and Forest Trusts Work: Domain and Forest Trusts](/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)). - -The Incoming Forest Trust Builders group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-557| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Key Admins - -Members of this group can perform administrative actions on key objects within the domain. - -The Key Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-21-<domain>-526 | -| Type | Global | -| Default container | CN=Users, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | Yes | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - - -### Network Configuration Operators - -Members of the Network Configuration Operators group can have the following administrative privileges to manage configuration of networking features: - -- Modify the Transmission Control Protocol/Internet Protocol (TCP/IP) properties for a local area network (LAN) connection, which includes the IP address, the subnet mask, the default gateway, and the name servers. - -- Rename the LAN connections or remote access connections that are available to all the users. - -- Enable or disable a LAN connection. - -- Modify the properties of all of remote access connections of users. - -- Delete all the remote access connections of users. - -- Rename all the remote access connections of users. - -- Issue **ipconfig**, **ipconfig /release**, or **ipconfig /renew** commands. - -- Enter the PIN unblock key (PUK) for mobile broadband devices that support a SIM card. - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Network Configuration Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-556| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Performance Log Users - -Members of the Performance Log Users group can manage performance counters, logs, and alerts locally on the server and from remote clients without being a member of the Administrators group. Specifically, members of this security group: - -- Can use all the features that are available to the Performance Monitor Users group. - -- Can create and modify Data Collector Sets after the group is assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. - - > [!WARNING] - > If you are a member of the Performance Log Users group, you must configure Data Collector Sets that you create to run under your credentials. - - > [!NOTE] - > In Windows Server 2016 or later, Data Collector Sets cannot be created by a member of the Performance Log Users group. - > If a member of the Performance Log Users group tries to create Data Collector Sets, they cannot complete creation because access will be denied. - -- Cannot use the Windows Kernel Trace event provider in Data Collector Sets. - -For members of the Performance Log Users group to initiate data logging or modify Data Collector Sets, the group must first be assigned the [Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job) user right. To assign this user right, use the Local Security Policy snap-in in Microsoft Management Console. - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Performance Log Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This account cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-559| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|[Log on as a batch job](/windows/device-security/security-policy-settings/log-on-as-a-batch-job): SeBatchLogonRight| - - - -### Performance Monitor Users - -Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients, without being a member of the Administrators or Performance Log Users groups. The Windows Performance Monitor is a Microsoft Management Console (MMC) snap-in that provides tools for analyzing system performance. From a single console, you can monitor application and hardware performance, customize what data you want to collect in logs, define thresholds for alerts and automatic actions, generate reports, and view past performance data in a variety of ways. - -Specifically, members of this security group: - -- Can use all the features that are available to the Users group. - -- Can view real-time performance data in Performance Monitor. - - Can change the Performance Monitor display properties while viewing data. - -- Cannot create or modify Data Collector Sets. - - > [!WARNING] - > You cannot configure a Data Collector Set to run as a member of the Performance Monitor Users group. - - - -> [!NOTE] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). This group cannot be renamed, deleted, or moved. - - - -The Performance Monitor Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-558| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - - -### Pre–Windows 2000 Compatible Access - -Members of the Pre–Windows 2000 Compatible Access group have Read access for all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity group, Everyone, is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier. - -> [!WARNING] -> This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - - -The Pre–Windows 2000 Compatible Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-554| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|If you choose the Pre–Windows 2000 Compatible Permissions mode, Everyone and Anonymous are members, and if you choose the Windows 2000-only permissions mode, Authenticated Users are members.| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight

    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - - - -### Print Operators - -Members of this group can manage, create, share, and delete printers that are connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can locally sign in to and shut down domain controllers in the domain. - -This group has no default members. Because members of this group can load and unload device drivers on all domain controllers in the domain, add users with caution. This group cannot be renamed, deleted, or moved. - -The Print Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. However, in Windows Server 2008 R2, functionality was added to manage print administration. For more information, see [Assign Delegated Print Administrator and Printer Permission Settings in Windows Server 2012](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj190062(v=ws.11)). - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-550| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Load and unload device drivers](/windows/device-security/security-policy-settings/load-and-unload-device-drivers): SeLoadDriverPrivilege

    [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - -### Protected Users - -Members of the Protected Users group are afforded additional protection against the compromise of credentials during authentication processes. - -This security group is designed as part of a strategy to effectively protect and manage credentials within the enterprise. Members of this group automatically have non-configurable protection applied to their accounts. Membership in the Protected Users group is meant to be restrictive and proactively secure by default. The only method to modify the protection for an account is to remove the account from the security group. - -This domain-related, global group triggers non-configurable protection on devices and host computers, starting with the Windows Server 2012 R2 and Windows 8.1 operating systems. It also triggers non-configurable protection on domain controllers in domains with a primary domain controller running Windows Server 2012 R2 or Windows Server 2016. This greatly reduces the memory footprint of credentials when users sign in to computers on the network from a non-compromised computer. - -Depending on the account’s domain functional level, members of the Protected Users group are further protected due to behavior changes in the authentication methods that are supported in Windows. - -- Members of the Protected Users group cannot authenticate by using the following Security Support Providers (SSPs): NTLM, Digest Authentication, or CredSSP. Passwords are not cached on a device running Windows 8.1 or Windows 10, so the device fails to authenticate to a domain when the account is a member of the Protected User group. - -- The Kerberos protocol will not use the weaker DES or RC4 encryption types in the preauthentication process. This means that the domain must be configured to support at least the AES cipher suite. - -- The user’s account cannot be delegated with Kerberos constrained or unconstrained delegation. This means that former connections to other systems may fail if the user is a member of the Protected Users group. - -- The default Kerberos ticket-granting tickets (TGTs) lifetime setting of four hours is configurable by using Authentication Policies and Silos, which can be accessed through the Active Directory Administrative Center. This means that when four hours has passed, the user must authenticate again. - -The Protected Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This group was introduced in Windows Server 2012 R2. For more information about how this group works, see [Protected Users Security Group](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn466518(v=ws.11)). - -The following table specifies the properties of the Protected Users group. - -|Attribute|Value| -|--- |--- | -|Well-known SID/RID|S-1-5-21-<domain>-525| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-service admins?|No| -|Default user rights|None| - -### RAS and IAS Servers - -Computers that are members of the RAS and IAS Servers group, when properly configured, are allowed to use remote access services. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically, such as IAS servers and Network Policy Servers. Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information. - -The RAS and IAS Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-553| -|Type|Builtin Local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### RDS Endpoint Servers - -Servers that are members in the RDS Endpoint Servers group can run virtual machines and host sessions where user RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group. - -For information about Remote Desktop Services, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-576| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -### RDS Management Servers - -Servers that are members in the RDS Management Servers group can be used to perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group. - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-577| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### RDS Remote Access Servers - -Servers in the RDS Remote Access Servers group provide users with access to RemoteApp programs and personal virtual desktops. In Internet facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers that are used in the deployment need to be in this group. - -For more information, see [Host desktops and apps in Remote Desktop Services](/windows-server/remote/remote-desktop-services/welcome-to-rds). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-575| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Read-Only Domain Controllers - -This group is comprised of the Read-only domain controllers in the domain. A Read-only domain controller makes it possible for organizations to easily deploy a domain controller in scenarios where physical security cannot be guaranteed, such as branch office locations, or in scenarios where local storage of all domain passwords is considered a primary threat, such as in an extranet or in an application-facing role. - -Because administration of a Read-only domain controller can be delegated to a domain user or security group, an Read-only domain controller is well suited for a site that should not have a user who is a member of the Domain Admins group. A Read-only domain controller encompasses the following functionality: - -- Read-only AD DS database - -- Unidirectional replication - -- Credential caching - -- Administrator role separation - -- Read-only Domain Name System (DNS) - -For information about deploying a Read-only domain controller, see [Understanding Planning and Deployment for Read-Only Domain Controllers](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc754719(v=ws.10)). - -This security group was introduced in Windows Server 2008, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-521| -|Type|Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Remote Desktop Users - -The Remote Desktop Users group on an RD Session Host server is used to grant users and groups permissions to remotely connect to an RD Session Host server. This group cannot be renamed, deleted, or moved. It appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Remote Desktop Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-555| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - - - - -### Remote Management Users - -Members of the Remote Management Users group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user. - -The Remote Management Users group is generally used to allow users to manage servers through the Server Manager console, whereas the [WinRMRemoteWMIUsers\_](#bkmk-winrmremotewmiusers-) group is allows remotely running Windows PowerShell commands. - -For more information, see [What's New in MI?](/previous-versions/windows/desktop/wmi_v2/what-s-new-in-mi) and [About WMI](/windows/win32/wmisdk/about-wmi). - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-580| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Replicator - -Computers that are members of the Replicator group support file replication in a domain. Windows Server operating systems use the File Replication service (FRS) to replicate system policies and logon scripts stored in the System Volume (SYSVOL). Each domain controller keeps a copy of SYSVOL for network clients to access. FRS can also replicate data for the Distributed File System (DFS), synchronizing the content of each member in a replica set as defined by DFS. FRS can copy and maintain shared files and folders on multiple servers simultaneously. When changes occur, content is synchronized immediately within sites and by a schedule between sites. - -> [!WARNING] -> In Windows Server 2008 R2, FRS cannot be used for replicating DFS folders or custom (non-SYSVOL) data. A Windows Server 2008 R2 domain controller can still use FRS to replicate the contents of a SYSVOL shared resource in a domain that uses FRS for replicating the SYSVOL shared resource between domain controllers. - -However, Windows Server 2008 R2 servers cannot use FRS to replicate the contents of any replica set apart from the SYSVOL shared resource. The DFS Replication service is a replacement for FRS, and it can be used to replicate the contents of a SYSVOL shared resource, DFS folders, and other custom (non-SYSVOL) data. You should migrate all non-SYSVOL FRS replica sets to DFS Replication. For more information, see: - -- [File Replication Service (FRS) Is Deprecated in Windows Server 2008 R2 (Windows)](/windows/win32/win7appqual/file-replication-service--frs--is-deprecated-in-windows-server-2008-r2) -- [DFS Namespaces and DFS Replication Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127250(v=ws.11)) - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-552| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - -### Schema Admins - -Members of the Schema Admins group can modify the Active Directory schema. This group exists only in the root domain of an Active Directory forest of domains. It is a Universal group if the domain is in native mode; it is a Global group if the domain is in mixed mode. - -The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. This group has full administrative access to the schema. - -The membership of this group can be modified by any of the service administrator groups in the root domain. This is considered a service administrator account because its members can modify the schema, which governs the structure and content of the entire directory. - -For more information, see [What Is the Active Directory Schema?: Active Directory](/previous-versions/windows/it-pro/windows-server-2003/cc784826(v=ws.10)). - -The Schema Admins group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<root domain>-518| -|Type|Universal (if Domain is in Native-Mode) else Global| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|Administrator| -|Default member of|[Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|See [Denied RODC Password Replication Group](#bkmk-deniedrodcpwdrepl)| - -### Server Operators - -Members in the Server Operators group can administer domain controllers. This group exists only on domain controllers. By default, the group has no members. Members of the Server Operators group can sign in to a server interactively, create and delete network shared resources, start and stop services, back up and restore files, format the hard disk drive of the computer, and shut down the computer. This group cannot be renamed, deleted, or moved. - -By default, this built-in group has no members, and it has access to server configuration options on domain controllers. Its membership is controlled by the service administrator groups Administrators and Domain Admins in the domain, and the Enterprise Admins group in the forest root domain. Members in this group cannot change any administrative group memberships. This is considered a service administrator account because its members have physical access to domain controllers, they can perform maintenance tasks (such as backup and restore), and they have the ability to change binaries that are installed on the domain controllers. Note the default user rights in the following table. - -The Server Operators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-549| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|Yes| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight

    [Back up files and directories](/windows/device-security/security-policy-settings/back-up-files-and-directories): SeBackupPrivilege

    [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemTimePrivilege

    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege

    [Force shutdown from a remote system](/windows/device-security/security-policy-settings/force-shutdown-from-a-remote-system): SeRemoteShutdownPrivilege

    [Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): Restore files and directories SeRestorePrivilege

    [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system): SeShutdownPrivilege| - -### Storage Replica Administrators - -Members of this group have complete and unrestricted access to all features of Storage Replica. - -The Storage Replica Administrators group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-32-582 | -| Type | Builtin Local | -| Default container | CN=BuiltIn, DC=<domain>, DC= | -| Default members | None | -| Default member of | None | -| Protected by ADMINSDHOLDER? | No | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - - -### System Managed Accounts Group - -Members of this group are managed by the system. - -The System Managed Accounts group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - - -| Attribute | Value | -|-----------|-------| -| Well-Known SID/RID | S-1-5-32-581 | -| Type | Builtin Local | -| Default container | CN=BuiltIn, DC=<domain>, DC= | -| Default members | Users | -| Default member of | None | -| Protected by ADMINSDHOLDER? | No | -| Safe to move out of default container? | Yes | -| Safe to delegate management of this group to non-Service admins? | No | -| Default User Rights | None | - - - -### Terminal Server License Servers - -Members of the Terminal Server License Servers group can update user accounts in Active Directory with information about license issuance. This is used to track and report TS Per User CAL usage. A TS Per User CAL gives one user the right to access a Terminal Server from an unlimited number of client computers or devices. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -For more information about this security group, see [Terminal Services License Server Security Group Configuration](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc775331(v=ws.10)). - -The Terminal Server License Servers group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - - -This security group only applies to Windows Server 2003 and Windows Server 2008 because Terminal Services was replaced by Remote Desktop Services in Windows Server 2008 R2. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-561| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Safe to move out of default container?|Cannot be moved| -|Protected by ADMINSDHOLDER?|No| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default User Rights|None| - -### Users - -Members of the Users group are prevented from making accidental or intentional system-wide changes, and they can run most applications. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. - -Users can perform tasks such as running applications, using local and network printers, shutting down the computer, and locking the computer. Users can install applications that only they are allowed to use if the installation program of the application supports per-user installation. This group cannot be renamed, deleted, or moved. - -The Users group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -This security group includes the following changes since Windows Server 2008: - -- In Windows Server 2008 R2, INTERACTIVE was added to the default members list. - -- In Windows Server 2012, the default **Member Of** list changed from Domain Users to none. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-545| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|Authenticated Users

    [Domain Users](#bkmk-domainusers)

    INTERACTIVE| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|No| -|Default User Rights|None| - -### Windows Authorization Access Group - -Members of this group have access to the computed token GroupsGlobalAndUniversal attribute on User objects. Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in Active Directory Domain Services. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function) that reads this attribute do not succeed if the calling security context does not have access to the attribute. This group appears as a SID until the domain controller is made the primary domain controller and it holds the operations master role (also known as flexible single master operations or FSMO). - -The Windows Authorization Access group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -> [!NOTE] -> This group cannot be renamed, deleted, or moved. - - -This security group has not changed since Windows Server 2008. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-32-560| -|Type|Builtin Local| -|Default container|CN=Builtin, DC=<domain>, DC=| -|Default members|Enterprise Domain Controllers| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Cannot be moved| -|Safe to delegate management of this group to non-Service admins?|Yes| -|Default user rights|None| - -### WinRMRemoteWMIUsers\_ - -In Windows 8 and in Windows Server 2012, a **Share** tab was added to the Advanced Security Settings user interface. This tab displays the security properties of a remote file share. To view this information, you must have the following permissions and memberships, as appropriate for the version of Windows Server that the file server is running. - -The WinRMRemoteWMIUsers\_ group applies to versions of the Windows Server operating system listed in the [Active Directory Default Security Groups table](#bkmk-groupstable). - -- If the file share is hosted on a server that is running a supported version of the operating system: - - - You must be a member of the WinRMRemoteWMIUsers\_\_ group or the BUILTIN\\Administrators group. - - - You must have Read permissions to the file share. - -- If the file share is hosted on a server that is running a version of Windows Server that is earlier than Windows Server 2012: - - - You must be a member of the BUILTIN\\Administrators group. - - - You must have Read permissions to the file share. - -In Windows Server 2012, the Access Denied Assistance functionality adds the Authenticated Users group to the local WinRMRemoteWMIUsers\_\_ group. Therefore, when the Access Denied Assistance functionality is enabled, all authenticated users who have Read permissions to the file share can view the file share permissions. - -> [!NOTE] -> The WinRMRemoteWMIUsers\_ group allows running Windows PowerShell commands remotely whereas the [Remote Management Users](#bkmk-remotemanagementusers) group is generally used to allow users to manage servers by using the Server Manager console. - - - -This security group was introduced in Windows Server 2012, and it has not changed in subsequent versions. - -|Attribute|Value| -|--- |--- | -|Well-Known SID/RID|S-1-5-21-<domain>-<variable RI>| -|Type|Domain local| -|Default container|CN=Users, DC=<domain>, DC=| -|Default members|None| -|Default member of|None| -|Protected by ADMINSDHOLDER?|No| -|Safe to move out of default container?|Yes| -|Safe to delegate management of this group to non-Service admins?|| -|Default User Rights|None| - - -## See also - -- [Security Principals](security-principals.md) - -- [Special Identities](special-identities.md) - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/dynamic-access-control.md b/windows/security/identity-protection/access-control/dynamic-access-control.md deleted file mode 100644 index b19feb4975..0000000000 --- a/windows/security/identity-protection/access-control/dynamic-access-control.md +++ /dev/null @@ -1,140 +0,0 @@ ---- -title: Dynamic Access Control Overview (Windows 10) -description: Learn about Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -ms.reviewer: ---- - -# Dynamic Access Control Overview - -**Applies to** -- Windows Server 2016 - -This overview topic for the IT professional describes Dynamic Access Control and its associated elements, which were introduced in Windows Server 2012 and Windows 8. - -Domain-based Dynamic Access Control enables administrators to apply access-control permissions and restrictions based on well-defined rules that can include the sensitivity of the resources, the job or role of the user, and the configuration of the device that is used to access these resources. - -For example, a user might have different permissions when they access a resource from their office computer versus when they are using a portable computer over a virtual private network. Or access may be allowed only if a device meets the security requirements that are defined by the network administrators. When Dynamic Access Control is used, a user’s permissions change dynamically without additional administrator intervention if the user’s job or role changes (resulting in changes to the user’s account attributes in AD DS). For more detailed examples of Dynamic Access Control in use, see the scenarios described in [Dynamic Access Control: Scenario Overview](/windows-server/identity/solution-guides/dynamic-access-control--scenario-overview). - -Dynamic Access Control is not supported in Windows operating systems prior to Windows Server 2012 and Windows 8. When Dynamic Access Control is configured in environments with supported and non-supported versions of Windows, only the supported versions will implement the changes. - -Features and concepts associated with Dynamic Access Control include: - -- [Central access rules](#bkmk-rules) - -- [Central access policies](#bkmk-policies) - -- [Claims](#bkmk-claims) - -- [Expressions](#bkmk-expressions2) - -- [Proposed permissions](#bkmk-permissions2) - -### Central access rules - -A central access rule is an expression of authorization rules that can include one or more conditions involving user groups, user claims, device claims, and resource properties. Multiple central access rules can be combined into a central access policy. - -If one or more central access rules have been defined for a domain, file share administrators can match specific rules to specific resources and business requirements. - -### Central access policies - -Central access policies are authorization policies that include conditional expressions. For example, let’s say an organization has a business requirement to restrict access to personally identifiable information (PII) in files to only the file owner and members of the human resources (HR) department who are allowed to view PII information. This represents an organization-wide policy that applies to PII files wherever they are located on file servers across the organization. To implement this policy, an organization needs to be able to: - -- Identify and mark the files that contain the PII. - -- Identify the group of HR members who are allowed to view the PII information. - -- Add the central access policy to a central access rule, and apply the central access rule to all files that contain the PII, wherever they are located amongst the file servers across the organization. - -Central access policies act as security umbrellas that an organization applies across its servers. These policies are in addition to (but do not replace) the local access policies or discretionary access control lists (DACLs) that are applied to files and folders. - -### Claims - -A claim is a unique piece of information about a user, device, or resource that has been published by a domain controller. The user’s title, the department classification of a file, or the health state of a computer are valid examples of a claim. An entity can involve more than one claim, and any combination of claims can be used to authorize access to resources. The following types of claims are available in the supported versions of Windows: - -- **User claims**   Active Directory attributes that are associated with a specific user. - -- **Device claims**   Active Directory attributes that are associated with a specific computer object. - -- **Resource attributes**  Global resource properties that are marked for use in authorization decisions and published in Active Directory. - -Claims make it possible for administrators to make precise organization- or enterprise-wide statements about users, devices, and resources that can be incorporated in expressions, rules, and policies. - -### Expressions - -Conditional expressions are an enhancement to access control management that allow or deny access to resources only when certain conditions are met, for example, group membership, location, or the security state of the device. Expressions are managed through the Advanced Security Settings dialog box of the ACL Editor or the Central Access Rule Editor in the Active Directory Administrative Center (ADAC). - -Expressions help administrators manage access to sensitive resources with flexible conditions in increasingly complex business environments. - -### Proposed permissions - -Proposed permissions enable an administrator to more accurately model the impact of potential changes to access control settings without actually changing them. - -Predicting the effective access to a resource helps you plan and configure permissions for those resources before implementing those changes. - -## Additional changes - - -Additional enhancements in the supported versions of Windows that support Dynamic Access Control include: - -### Support in the Kerberos authentication protocol to reliably provide user claims, device claims, and device groups. - -By default, devices running any of the supported versions of Windows are able to process Dynamic Access Control-related Kerberos tickets, which include data needed for compound authentication. Domain controllers are able to issue and respond to Kerberos tickets with compound authentication-related information. When a domain is configured to recognize Dynamic Access Control, devices receive claims from domain controllers during initial authentication, and they receive compound authentication tickets when submitting service ticket requests. Compound authentication results in an access token that includes the identity of the user and the device on the resources that recognize Dynamic Access Control. - -### Support for using the Key Distribution Center (KDC) Group Policy setting to enable Dynamic Access Control for a domain. - -Every domain controller needs to have the same Administrative Template policy setting, which is located at **Computer Configuration\\Policies\\Administrative Templates\\System\\KDC\\Support Dynamic Access Control and Kerberos armoring**. - -### Support in Active Directory to store user and device claims, resource properties, and central access policy objects. - -### Support for using Group Policy to deploy central access policy objects. - -The following Group Policy setting enables you to deploy central access policy objects to file servers in your organization: **Computer Configuration\\Policies\\ Windows Settings\\Security Settings\\File System\\Central Access Policy**. - -### Support for claims-based file authorization and auditing for file systems by using Group Policy and Global Object Access Auditing - -You must enable staged central access policy auditing to audit the effective access of central access policy by using proposed permissions. You configure this setting for the computer under **Advanced Audit Policy Configuration** in the **Security Settings** of a Group Policy Object (GPO). After you configure the security setting in the GPO, you can deploy the GPO to computers in your network. - -### Support for transforming or filtering claim policy objects that traverse Active Directory forest trusts - -You can filter or transform incoming and outgoing claims that traverse a forest trust. There are three basic scenarios for filtering and transforming claims: - -- **Value-based filtering**  Filters can be based on the value of a claim. This allows the trusted forest to prevent claims with certain values from being sent to the trusting forest. Domain controllers in trusting forests can use value-based filtering to guard against an elevation-of-privilege attack by filtering the incoming claims with specific values from the trusted forest. - -- **Claim type-based filtering**  Filters are based on the type of claim, rather than the value of the claim. You identify the claim type by the name of the claim. You use claim type-based filtering in the trusted forest, and it prevents Windows from sending claims that disclose information to the trusting forest. - -- **Claim type-based transformation**  Manipulates a claim before sending it to the intended target. You use claim type-based transformation in the trusted forest to generalize a known claim that contains specific information. You can use transformations to generalize the claim-type, the claim value, or both. - -## Software requirements - - -Because claims and compound authentication for Dynamic Access Control require Kerberos authentication extensions, any domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows to support authentication from Dynamic Access Control-aware Kerberos clients. By default, devices must use domain controllers in other sites. If no such domain controllers are available, authentication will fail. Therefore, you must support one of the following conditions: - -- Every domain that supports Dynamic Access Control must have enough domain controllers running the supported versions of Windows Server to support authentication from all devices running the supported versions of Windows or Windows Server. - -- Devices running the supported versions of Windows or that do not protect resources by using claims or compound identity, should disable Kerberos protocol support for Dynamic Access Control. - -For domains that support user claims, every domain controller running the supported versions of Windows server must be configured with the appropriate setting to support claims and compound authentication, and to provide Kerberos armoring. Configure settings in the KDC Administrative Template policy as follows: - -- **Always provide claims**   Use this setting if all domain controllers are running the supported versions of Windows Server. In addition, set the domain functional level to Windows Server 2012 or higher. - -- **Supported**   When you use this setting, monitor domain controllers to ensure that the number of domain controllers running the supported versions of Windows Server is sufficient for the number of client computers that need to access resources protected by Dynamic Access Control. - -If the user domain and file server domain are in different forests, all domain controllers in the file server’s forest root must be set at the Windows Server 2012 or higher functional level. - -If clients do not recognize Dynamic Access Control, there must be a two-way trust relationship between the two forests. - -If claims are transformed when they leave a forest, all domain controllers in the user’s forest root must be set at the Windows Server 2012 or higher functional level. - -A file server running a server operating system that supports Dyamic Access Control must have a Group Policy setting that specifies whether it needs to get user claims for user tokens that do not carry claims. This setting is set by default to **Automatic**, which results in this Group Policy setting to be turned **On** if there is a central policy that contains user or device claims for that file server. If the file server contains discretionary ACLs that include user claims, you need to set this Group Policy to **On** so that the server knows to request claims on behalf of users that do not provide claims when they access the server. - -## See also - -- [Access control overview](access-control.md) \ No newline at end of file diff --git a/windows/security/identity-protection/access-control/microsoft-accounts.md b/windows/security/identity-protection/access-control/microsoft-accounts.md deleted file mode 100644 index 7d9575a8f4..0000000000 --- a/windows/security/identity-protection/access-control/microsoft-accounts.md +++ /dev/null @@ -1,186 +0,0 @@ ---- -title: Microsoft Accounts (Windows 10) -description: Microsoft Accounts -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 10/13/2017 -ms.reviewer: ---- - -# Microsoft Accounts - -**Applies to** -- Windows 10 - -This topic for the IT professional explains how a Microsoft account works to enhance security and privacy for users, and how you can manage this consumer account type in your organization. - -Microsoft sites, services, and properties, as well as computers running Windows 10, can use a Microsoft account as a means of identifying a user. Microsoft account was previously called Windows Live ID. It has user-defined secrets, and consists of a unique email address and a password. - -When a user signs in with a Microsoft account, the device is connected to cloud services. Many of the user's settings, preferences, and apps can be shared across devices. - -## How a Microsoft account works - -The Microsoft account allows users to sign in to websites that support this service by using a single set of credentials. Users' credentials are validated by a Microsoft account authentication server that is associated with a website. The Microsoft Store is an example of this association. When new users sign in to websites that are enabled to use Microsoft accounts, they are redirected to the nearest authentication server, which asks for a user name and password. Windows uses the Schannel Security Support Provider to open a Transport Level Security/Secure Sockets Layer (TLS/SSL) connection for this function. Users then have the option to use Credential Manager to store their credentials. - -When users sign in to websites that are enabled to use a Microsoft account, a time-limited cookie is installed on their computers, which includes a triple DES encrypted ID tag. This encrypted ID tag has been agreed upon between the authentication server and the website. This ID tag is sent to the website, and the website plants another time-limited encrypted HTTP cookie on the user’s computer. When these cookies are valid, users are not required to supply a user name and password. If a user actively signs out of their Microsoft account, these cookies are removed. - -**Important**   -Local Windows account functionality has not been removed, and it is still an option to use in managed environments. - -### How Microsoft accounts are created - -To prevent fraud, the Microsoft system verifies the IP address when a user creates an account. A user who tries to create multiple Microsoft accounts with the same IP address is stopped. - -Microsoft accounts are not designed to be created in batches, such as for a group of domain users within your enterprise. - -There are two methods for creating a Microsoft account: - -- **Use an existing email address**. - - Users are able to use their valid email addresses to sign up for Microsoft accounts. The service turns the requesting user's email address into a Microsoft account. Users can also choose their personal passwords. - -- **Sign up for a Microsoft email address**. - - Users can sign up for an email account with Microsoft's webmail services. This account can be used to sign in to websites that are enabled to use Microsoft accounts. - -### How the Microsoft account information is safeguarded - -Credential information is encrypted twice. The first encryption is based on the account’s password. Credentials are encrypted again when they are sent across the Internet. The data that is stored is not available to other Microsoft or non-Microsoft services. - -- **Strong password is required**. - - Blank passwords are not allowed. - - For more information, see [How to help keep your Microsoft account safe and secure](https://support.microsoft.com/account-billing/how-to-help-keep-your-microsoft-account-safe-and-secure-628538c2-7006-33bb-5ef4-c917657362b9). - -- **Secondary proof of identity is required**. - - Before user profile information and settings can be accessed on a second supported Windows computer for the first time, trust must established for that device by providing secondary proof of identity. This can be accomplished by providing Windows with a code that is sent to a mobile phone number or by following the instructions that are sent to an alternate email address that a user specifies in the account settings. - -- **All user profile data is encrypted on the client before it is transmitted to the cloud**. - - User data does not roam over a wireless wide area network (WWAN) by default, thereby protecting profile data. All data and settings that leave a device are transmitted through the TLS/SSL protocol. - -**Microsoft account security information is added**. - -Users can add security information to their Microsoft accounts through the **Accounts** interface on computers running the supported versions of Windows. This feature allows the user to update the security information that they provided when they created their accounts. This security information includes an alternate email address or phone number so if their password is compromised or forgotten, a verification code can be sent to verify their identity. Users can potentially use their Microsoft accounts to store corporate data on a personal OneDrive or email app, so it is safe practice for the account owner to keep this security information up-to-date. - -## The Microsoft account in the enterprise - - -Although the Microsoft account was designed to serve consumers, you might find situations where your domain users can benefit by using their personal Microsoft account in your enterprise. The following list describes some advantages. - -- **Download Microsoft Store apps**: - - If your enterprise chooses to distribute software through the Microsoft Store, your users can use their Microsoft accounts to download and use them on up to five devices running any version of Windows 10, Windows 8.1, Windows 8, or Windows RT. - -- **Single sign-on**: - - Your users can use Microsoft account credentials to sign in to devices running Windows 10, Windows 8.1, Windows 8 or Windows RT. When they do this, Windows works with your Microsoft Store app to provide authenticated experiences for them. Users can associate a Microsoft account with their sign-in credentials for Microsoft Store apps or websites, so that these credentials roam across any devices running these supported versions. - -- **Personalized settings synchronization**: - - Users can associate their most commonly used operating-system settings with a Microsoft account. These settings are available whenever a user signs in with that account on any device that is running a supported version of Windows and is connected to the cloud. After a user signs in, the device automatically attempts to get the user's settings from the cloud and apply them to the device. - -- **App synchronization**: - - Microsoft Store apps can store user-specific settings so that these settings are available to any device. As with operating system settings, these user-specific app settings are available whenever the user signs in with the same Microsoft account on any device that is running a supported version of Windows and is connected to the cloud. After the user signs in, that device automatically downloads the settings from the cloud and applies them when the app is installed. - -- **Integrated social media services**: - - Contact information and status for your users’ friends and associates automatically stay up-to-date from sites such as Hotmail, Outlook, Facebook, Twitter, and LinkedIn. Users can also access and share photos, documents, and other files from sites such as OneDrive, Facebook, and Flickr. - -### Managing the Microsoft account in the domain - -Depending on your IT and business models, introducing Microsoft accounts into your enterprise might add complexity or it might provide solutions. You should address the following considerations before you allow the use of these account types in your enterprise: - -- [Restrict the use of the Microsoft account](#bkmk-restrictuse) - -- [Configure connected accounts](#bkmk-cfgconnectedaccounts) - -- [Provision Microsoft accounts in the enterprise](#bkmk-provisionaccounts) - -- [Audit account activity](#bkmk-audit) - -- [Perform password resets](#bkmk-passwordresets) - -- [Restrict app installation and usage](#bkmk-restrictappinstallationandusage) - -### Restrict the use of the Microsoft account - -The following Group Policy settings help control the use of Microsoft accounts in the enterprise: - -- [Block all consumer Microsoft account user authentication](#block-all-consumer-microsoft-account-user-authentication) -- [Accounts: Block Microsoft accounts](#accounts-block-microsoft-accounts) - -#### Block all consumer Microsoft account user authentication - -This setting controls whether users can provide Microsoft accounts for authentication for applications or services. - -If this setting is enabled, all applications and services on the device are prevented from using Microsoft accounts for authentication. -This applies both to existing users of a device and new users who may be added. - -However, any application or service that has already authenticated a user will not be affected by enabling this setting until the authentication cache expires. -It is recommended to enable this setting before any user signs in to a device to prevent cached tokens from being present. - -If this setting is disabled or not configured, applications and services can use Microsoft accounts for authentication. -By default, this setting is **Disabled**. - -This setting does not affect whether users can sign in to devices by using Microsoft accounts, or the ability for users to provide Microsoft accounts via the browser for authentication with web-based applications. - -The path to this setting is: - -Computer Configuration\Administrative Templates\Windows Components\Microsoft account - -#### Accounts: Block Microsoft accounts - -This setting prevents using the **Settings** app to add a Microsoft account for single sign-on (SSO) authentication for Microsoft services and some background services, or using a Microsoft account for single sign-on to other applications or services. - -There are two options if this setting is enabled: - -- **Users can’t add Microsoft accounts** means that existing connected accounts can still sign in to the device (and appear on the Sign in screen). However, users cannot use the **Settings** app to add new connected accounts (or connect local accounts to Microsoft accounts). -- **Users can’t add or log on with Microsoft accounts** means that users cannot add new connected accounts (or connect local accounts to Microsoft accounts) or use existing connected accounts through **Settings**. - -This setting does not affect adding a Microsoft account for application authentication. For example, if this setting is enabled, a user can still provide a Microsoft account for authentication with an application such as **Mail**, but the user cannot use the Microsoft account for single sign-on authentication for other applications or services (in other words, the user will be prompted to authenticate for other applications or services). - -By default, this setting is **Not defined**. - -The path to this setting is: - -Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - -### Configure connected accounts - -Users can connect a Microsoft account to their domain account and synchronize the settings and preferences between them. This enables users to see the same desktop background, app settings, browser history and favorites, and other Microsoft account settings on their other devices. - -Users can disconnect a Microsoft account from their domain account at any time as follows: In **PC settings**, tap or click **Users**, tap or click **Disconnect**, and then tap or click **Finish**. - -**Note**   -Connecting Microsoft accounts with domain accounts can limit access to some high-privileged tasks in Windows. For example, Task Scheduler will evaluate the connected Microsoft account for access and fail. In these situations, the account owner should disconnect the account. - -### Provision Microsoft accounts in the enterprise - -Microsoft accounts are private user accounts. There are no methods provided by Microsoft to provision Microsoft accounts for an enterprise. Enterprises should use domain accounts. - -### Audit account activity - -Because Microsoft accounts are Internet-based, Windows does not have a mechanism to audit their use until the account is associated with a domain account. But this association does not restrict the user from disconnecting the account or disjoining from the domain. It is not possible to audit the activity of accounts that are not associated with your domain. - -### Perform password resets - -Only the owner of the Microsoft account can change the password. Passwords can be changed in the [Microsoft account sign-in portal](https://login.live.com). - -### Restrict app installation and usage - -Within your organization, you can set application control policies to regulate app installation and usage for Microsoft accounts. For more information, see [AppLocker](/windows/device-security/applocker/applocker-overview) and [Packaged Apps and Packaged App Installer Rules in AppLocker](/windows/device-security/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker). - -## See also - -- [Managing Privacy: Using a Microsoft Account to Logon and Resulting Internet Communication](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj884082(v=ws.11)) - -- [Access Control Overview](access-control.md) \ No newline at end of file diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md deleted file mode 100644 index eebc241c56..0000000000 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ /dev/null @@ -1,331 +0,0 @@ ---- -title: Security identifiers (Windows 10) -description: Security identifiers -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 ---- - -# Security identifiers - -**Applies to** -- Windows 10 -- Windows 11 -- Windows Server 2016 -- Windows Server 2019 - -This topic for the IT professional describes security identifiers and how they work in regards to accounts and groups in the Windows operating system. - -## What are security identifiers? - -A security identifier (SID) is used to uniquely identify a security principal or security group. Security principals can represent any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. - -Each account or group, or process running in the security context of the account, has a unique SID that is issued by an authority, such as a Windows domain controller. It is stored in a security database. The system generates the SID that identifies a particular account or group at the time the account or group is created. When a SID has been used as the unique identifier for a user or group, it can never be used again to identify another user or group. - -Each time a user signs in, the system creates an access token for that user. The access token contains the user's SID, user rights, and the SIDs for any groups the user belongs to. This token provides the security context for whatever actions the user performs on that computer. - -In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and World SIDs identify a group that includes all users. Well-known SIDs have values that remain constant across all operating systems. - -SIDs are a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment. - -The content in this topic applies to computers that are running the supported versions of the Windows operating system as designated in the **Applies To** list at the beginning of this topic. - -## How security identifiers work - -Users refer to accounts by using the account name, but the operating system internally refers to accounts and processes that run in the security context of the account by using their security identifiers (SIDs). For domain accounts, the SID of a security principal is created by concatenating the SID of the domain with a relative identifier (RID) for the account. SIDs are unique within their scope (domain or local), and they are never reused. - -The operating system generates a SID that identifies a particular account or group at the time the account or group is created. The SID for a local account or group is generated by the Local Security Authority (LSA) on the computer, and it is stored with other account information in a secure area of the registry. The SID for a domain account or group is generated by the domain security authority, and it is stored as an attribute of the User or Group object in Active Directory Domain Services. - -For every local account and group, the SID is unique for the computer where it was created. No two accounts or groups on the computer ever share the same SID. Likewise, for every domain account and group, the SID is unique within an enterprise. This means that the SID for an account or group that is created in one domain will never match the SID for an account or group created in any other domain in the enterprise. - -SIDs always remain unique. Security authorities never issue the same SID twice, and they never reuse SIDs for deleted accounts. For example, if a user with a user account in a Windows domain leaves her job, an administrator deletes her Active Directory account, including the SID that identifies the account. If she later returns to a different job at the same company, an administrator creates a new account, and the Windows Server operating system generates a new SID. The new SID does not match the old one; so none of the user's access from her old account is transferred to the new account. Her two accounts represent two completely different security principals. - -## Security identifier architecture - -A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID. - -![Security identifier architecture.](images/security-identifider-architecture.jpg) - -The individual values of a SID are described in the following table. - -| Comment | Description | -| - | - | -| Revision | Indicates the version of the SID structure that is used in a particular SID. | -| Identifier authority | Identifies the highest level of authority that can issue SIDs for a particular type of security principal. For example, the identifier authority value in the SID for the Everyone group is 1 (World Authority). The identifier authority value in the SID for a specific Windows Server account or group is 5 (NT Authority). | -| Subauthorities | >Holds the most important information in a SID, which is contained in a series of one or more subauthority values. All values up to, but not including, the last value in the series collectively identify a domain in an enterprise. This part of the series is called the domain identifier. The last value in the series, which is called the relative identifier (RID), identifies a particular account or group relative to a domain. | - -The components of a SID are easier to visualize when SIDs are converted from a binary to a string format by using standard notation: -``` -S-R-X-Y1-Y2-Yn-1-Yn -``` - -In this notation, the components of a SID are represented as shown in the following table. - -| Comment | Description | -| - | - | -| S | Indicates that the string is a SID | -| R | Indicates the revision level | -| X | Indicates the identifier authority value | -| Y | Represents a series of subauthority values, where *n* is the number of values | - -The SID's most important information is contained in the series of subauthority values. The first part of the series (-Y1-Y2-Y*n*-1) is the domain identifier. This element of the SID becomes significant in an enterprise with several domains, because the domain identifier differentiates SIDs that are issued by one domain from SIDs that are issued by all other domains in the enterprise. No two domains in an enterprise share the same domain identifier. - -The last item in the series of subauthority values (-Y*n*) is the relative identifier. It distinguishes one account or group from all other accounts and groups in the domain. No two accounts or groups in any domain share the same relative identifier. - -For example, the SID for the built-in Administrators group is represented in standardized SID notation as the following string: - -``` -S-1-5-32-544 -``` - -This SID has four components: - -- A revision level (1) - -- An identifier authority value (5, NT Authority) - -- A domain identifier (32, Builtin) - -- A relative identifier (544, Administrators) - -SIDs for built-in accounts and groups always have the same domain identifier value: 32. This value identifies the domain **Builtin**, which exists on every computer that is running a version of the Windows Server operating system. It is never necessary to distinguish one computer's built-in accounts and groups from another computer's built-in accounts and groups because they are local in scope. They are local to a single computer, or in the case of domain controllers for a network domain, they are local to several computers that are acting as one. - -Built-in accounts and groups need to be distinguished from one another within the scope of the **Builtin** domain. Therefore, the SID for each account and group has a unique relative identifier. A relative identifier value of 544 is unique to the built-in Administrators group. No other account or group in the **Builtin** domain has a SID with a final value of 544. - -In another example, consider the SID for the global group, Domain Admins. Every domain in an enterprise has a Domain Admins group, and the SID for each group is different. The following example represents the SID for the Domain Admins group in the Contoso, Ltd. domain (Contoso\\Domain Admins): - -``` -S-1-5-21-1004336348-1177238915-682003330-512 -``` - -The SID for Contoso\\Domain Admins has: - -- A revision level (1) - -- An identifier authority (5, NT Authority) - -- A domain identifier (21-1004336348-1177238915-682003330, Contoso) - -- A relative identifier (512, Domain Admins) - -The SID for Contoso\\Domain Admins is distinguished from the SIDs for other Domain Admins groups in the same enterprise by its domain identifier: 21-1004336348-1177238915-682003330. No other domain in the enterprise uses this value as its domain identifier. The SID for Contoso\\Domain Admins is distinguished from the SIDs for other accounts and groups that are created in the Contoso domain by its relative identifier, 512. No other account or group in the domain has a SID with a final value of 512. - -## Relative identifier allocation - -When accounts and groups are stored in an account database that is managed by a local Security Accounts Manager (SAM), it is fairly easy for the system to generate a unique relative identifier for each account and in a group that it creates on a stand-alone computer. The SAM on a stand-alone computer can track the relative identifier values that it has used before and make sure that it never uses them again. - -In a network domain, however, generating unique relative identifiers is a more complex process. Windows Server network domains can have several domain controllers. Each domain controller stores Active Directory account information. This means that, in a network domain, there are as many copies of the account database as there are domain controllers. In addition to this, every copy of the account database is a master copy. New accounts and groups can be created on any domain controller. Changes that are made to Active Directory on one domain controller are replicated to all other domain controllers in the domain. The process of replicating changes in one master copy of the account database to all other master copies is called a multimaster operation. - -The process of generating unique relative identifiers is a single-master operation. One domain controller is assigned the role of relative identifier (RID) master, and it allocates a sequence of relative identifiers to each domain controller in the domain. When a new domain account or group is created in one domain controller's replica of Active Directory, it is assigned a SID. The relative identifier for the new SID is taken from the domain controller's allocation of relative identifiers. When its supply of relative identifiers begins to run low, the domain controller requests another block from the RID master. - -Each domain controller uses each value in a block of relative identifiers only once. The RID master allocates each block of relative identifier values only once. This process assures that every account and group created in the domain has a unique relative identifier. - -## Security identifiers and globally unique identifiers - -When a new domain user or group account is created, Active Directory stores the account's SID in the **ObjectSID** property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise, but also across the world. GUIDs are assigned to every object that is created by Active Directory, not only User and Group objects. Each object's GUID is stored in its **ObjectGUID** property. - -Active Directory uses GUIDs internally to identify objects. For example, the GUID is one of an object's properties that is published in the global catalog. Searching the global catalog for a User object GUID produces results if the user has an account somewhere in the enterprise. In fact, searching for any object by **ObjectGUID** might be the most reliable way of finding the object you want to locate. The values of other object properties can change, but the **ObjectGUID** property never changes. When an object is assigned a GUID, it keeps that value for life. - -If a user moves from one domain to another, the user gets a new SID. The SID for a group object does not change because groups stay in the domain where they were created. However, if people move, their accounts can move with them. If an employee moves from North America to Europe, but stays in the same company, an administrator for the enterprise can move the employee's User object from, for example, Contoso\\NoAm to Contoso\\Europe. If the administrator does this, the User object for the account needs a new SID. The domain identifier portion of a SID that is issued in NoAm is unique to NoAm; so the SID for the user's account in Europe has a different domain identifier. The relative identifier portion of a SID is unique relative to the domain; so if the domain changes, the relative identifier also changes. - -When a User object moves from one domain to another, a new SID must be generated for the user account and stored in the **ObjectSID** property. Before the new value is written to the property, the previous value is copied to another property of a User object, **SIDHistory**. This property can hold multiple values. Each time a User object moves to another domain, a new SID is generated and stored in the **ObjectSID** property, and another value is added to the list of old SIDs in **SIDHistory**. When a user signs in and is successfully authenticated, the domain authentication service queries Active Directory for all the SIDs that are associated with the user, including the user's current SID, the user's old SIDs, and the SIDs for the user's groups. All these SIDs are returned to the authentication client, and they are included in the user's access token. When the user tries to gain access to a resource, any one of the SIDs in the access token (including one of the SIDs in **SIDHistory**), can allow or deny the user access. - -If you allow or deny users' access to a resource based on their jobs, you should allow or deny access to a group, not to an individual. That way, when users change jobs or move to other departments, you can easily adjust their access by removing them from certain groups and adding them to others. - -However, if you allow or deny an individual user access to resources, you probably want that user's access to remain the same no matter how many times the user's account domain changes. The **SIDHistory** property makes this possible. When a user changes domains, there is no need to change the access control list (ACL) on any resource. If an ACL has the user's old SID, but not the new one, the old SID is still in the user's access token. It is listed among the SIDs for the user's groups, and the user is granted or denied access based on the old SID. - -## Well-known SIDs - -The values of certain SIDs are constant across all systems. They are created when the operating system or domain is installed. They are called well-known SIDs because they identify generic users or generic groups. - -There are universal well-known SIDs that are meaningful on all secure systems that use this security model, including operating systems other than Windows. In addition, there are well-known SIDs that are meaningful only on Windows operating systems. - -The following table lists the universal well-known SIDs. - -| Value | Universal Well-Known SID | Identifies | -| - | - | - | -| S-1-0-0 | Null SID | A group with no members. This is often used when a SID value is not known.| -| S-1-1-0 | World | A group that includes all users. | -| S-1-2-0 | Local | Users who log on to terminals that are locally (physically) connected to the system. | -| S-1-2-1 | Console Logon | A group that includes users who are logged on to the physical console. | -| S-1-3-0 | Creator Owner ID | A security identifier to be replaced by the security identifier of the user who created a new object. This SID is used in inheritable ACEs. | -| S-1-3-1 | Creator Group ID | A security identifier to be replaced by the primary-group SID of the user who created a new object. Use this SID in inheritable ACEs. | -| S-1-3-2 | Creator Owner Server | | -| S-1-3-3 | Creator Group Server | | -| S-1-3-4 | Owner Rights | A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. | -| S-1-4 | Non-unique Authority | A SID that represents an identifier authority. | -| S-1-5 | NT Authority | A SID that represents an identifier authority. | -| S-1-5-80-0 | All Services | A group that includes all service processes configured on the system. Membership is controlled by the operating system.| - -The following table lists the predefined identifier authority constants. The first four values are used with universal well-known SIDs, and the rest of the values are used with well-known SIDs in Windows operating systems designated in the **Applies To** list. - -| Identifier Authority | Value | SID String Prefix | -| - | - | - | -| SECURITY_NULL_SID_AUTHORITY | 0 | S-1-0 | -| SECURITY_WORLD_SID_AUTHORITY | 1 | S-1-1 | -| SECURITY_LOCAL_SID_AUTHORITY | 2 | S-1-2 | -| SECURITY_CREATOR_SID_AUTHORITY | 3 | S-1-3 | -| SECURITY_NT_AUTHORITY | 5 | S-1-5 | -| SECURITY_AUTHENTICATION_AUTHORITY | 18 | S-1-18 | - -The following RID values are used with universal well-known SIDs. The Identifier authority column shows the prefix of the identifier authority with which you can combine the RID to create a universal well-known SID. - -| Relative Identifier Authority | Value | Identifier Authority | -| - | - | - | -| SECURITY_NULL_RID | 0 | S-1-0 | -| SECURITY_WORLD_RID | 0 | S-1-1 | -| SECURITY_LOCAL_RID | 0 | S-1-2 | -| SECURITY_CREATOR_OWNER_RID | 0 | S-1-3 | -| SECURITY_CREATOR_GROUP_RID | 1 | S-1-3 | - -The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SIDs that are not universal and are meaningful only in installations of the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. The following table lists the well-known SIDs. - -| SID | Display Name | Description | -| - | - | - | -| S-1-5-1 | Dialup | A group that includes all users who are logged on to the system by means of a dial-up connection.| -| S-1-5-113 | Local account| You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named.| -| S-1-5-114| Local account and member of Administrators group | You can use this SID when restricting network logon to local accounts instead of "administrator" or equivalent. This SID can be effective in blocking network logon for local users and groups by account type regardless of what they are actually named. | -| S-1-5-2 | Network | A group that includes all users who are logged on by means of a network connection. Access tokens for interactive users do not contain the Network SID.| -| S-1-5-3 | Batch | A group that includes all users who have logged on by means of a batch queue facility, such as task scheduler jobs.| -| S-1-5-4 | Interactive| A group that includes all users who log on interactively. A user can start an interactive logon session by logging on directly at the keyboard, by opening a Remote Desktop Services connection from a remote computer, or by using a remote shell such as Telnet. In each case, the user's access token contains the Interactive SID. If the user signs in by using a Remote Desktop Services connection, the user's access token also contains the Remote Interactive Logon SID.| -| S-1-5-5- *X*-*Y* | Logon Session| The *X* and *Y* values for these SIDs uniquely identify a particular logon session.| -| S-1-5-6 | Service| A group that includes all security principals that have signed in as a service.| -| S-1-5-7 | Anonymous Logon| A user who has connected to the computer without supplying a user name and password.
    The Anonymous Logon identity is different from the identity that is used by Internet Information Services (IIS) for anonymous web access. IIS uses an actual account—by default, IUSR_ *ComputerName*, for anonymous access to resources on a website. Strictly speaking, such access is not anonymous because the security principal is known even though unidentified people are using the account. IUSR_ *ComputerName* (or whatever you name the account) has a password, and IIS logs on the account when the service starts. As a result, the IIS "anonymous" user is a member of Authenticated Users but Anonymous Logon is not.| -| S-1-5-8| Proxy| Does not currently apply: this SID is not used.| -| S-1-5-9 | Enterprise Domain Controllers| A group that includes all domain controllers in a forest of domains.| -| S-1-5-10 | Self| A placeholder in an ACE for a user, group, or computer object in Active Directory. When you grant permissions to Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Self with the SID for the security principal that is represented by the object.| -| S-1-5-11 | Authenticated Users| A group that includes all users and computers with identities that have been authenticated. Authenticated Users does not include Guest even if the Guest account has a password.
    This group includes authenticated security principals from any trusted domain, not only the current domain.| -| S-1-5-12 | Restricted Code| An identity that is used by a process that is running in a restricted security context. In Windows and Windows Server operating systems, a software restriction policy can assign one of three security levels to code: unrestricted, restricted, or disallowed. When code runs at the restricted security level, the Restricted SID is added to the user's access token.| -| S-1-5-13 | Terminal Server User| A group that includes all users who sign in to a server with Remote Desktop Services enabled.| -| S-1-5-14 | Remote Interactive Logon| A group that includes all users who log on to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.| -| S-1-5-15| This Organization| A group that includes all users from the same organization. Only included with Active Directory accounts and only added by a domain controller.| -| S-1-5-17 | IUSR| An account that is used by the default Internet Information Services (IIS) user.| -| S-1-5-18 | System (or LocalSystem)| An identity that is used locally by the operating system and by services that are configured to sign in as LocalSystem.
    System is a hidden member of Administrators. That is, any process running as System has the SID for the built-in Administrators group in its access token.
    When a process that is running locally as System accesses network resources, it does so by using the computer's domain identity. Its access token on the remote computer includes the SID for the local computer's domain account plus SIDs for security groups that the computer is a member of, such as Domain Computers and Authenticated Users.| -| S-1-5-19 | NT Authority (LocalService)| An identity that is used by services that are local to the computer, have no need for extensive local access, and do not need authenticated network access. Services that run as LocalService access local resources as ordinary users, and they access network resources as anonymous users. As a result, a service that runs as LocalService has significantly less authority than a service that runs as LocalSystem locally and on the network.| -| S-1-5-20 | Network Service| An identity that is used by services that have no need for extensive local access but do need authenticated network access. Services running as NetworkService access local resources as ordinary users and access network resources by using the computer's identity. As a result, a service that runs as NetworkService has the same network access as a service that runs as LocalSystem, but it has significantly reduced local access.| -| S-1-5-*domain*-500 | Administrator| A user account for the system administrator. Every computer has a local Administrator account and every domain has a domain Administrator account.
    The Administrator account is the first account created during operating system installation. The account cannot be deleted, disabled, or locked out, but it can be renamed.
    By default, the Administrator account is a member of the Administrators group, and it cannot be removed from that group.| -| S-1-5-*domain*-501 | Guest| A user account for people who do not have individual accounts. Every computer has a local Guest account, and every domain has a domain Guest account.
    By default, Guest is a member of the Everyone and the Guests groups. The domain Guest account is also a member of the Domain Guests and Domain Users groups.
    Unlike Anonymous Logon, Guest is a real account, and it can be used to log on interactively. The Guest account does not require a password, but it can have one.| -| S-1-5-*domain*-502| krbtgt| A user account that is used by the Key Distribution Center (KDC) service. The account exists only on domain controllers.| -| S-1-5-*domain*-512| Domain Admins| A global group with members that are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined the domain, including domain controllers.
    Domain Admins is the default owner of any object that is created in the domain's Active Directory by any member of the group. If members of the group create other objects, such as files, the default owner is the Administrators group.| -| S-1-5-*domain*-513| Domain Users| A global group that includes all users in a domain. When you create a new User object in Active Directory, the user is automatically added to this group.| -| S-1-5-*domain*-514| Domain Guests| A global group, which by default, has only one member: the domain's built-in Guest account.| -| S-1-5-*domain*-515 | Domain Computers| A global group that includes all computers that have joined the domain, excluding domain controllers.| -| S-1-5-*domain*-516| Domain Controllers| A global group that includes all domain controllers in the domain. New domain controllers are added to this group automatically.| -| S-1-5-*domain*-517 | Cert Publishers| A global group that includes all computers that host an enterprise certification authority.
    Cert Publishers are authorized to publish certificates for User objects in Active Directory.| -| S-1-5-*root domain*-518| Schema Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode. The Schema Admins group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain.| -| S-1-5-*root domain*-519| Enterprise Admins| A group that exists only in the forest root domain. It is a universal group if the domain is in native mode, and it is a global group if the domain is in mixed mode.
    The Enterprise Admins group is authorized to make changes to the forest infrastructure, such as adding child domains, configuring sites, authorizing DHCP servers, and installing enterprise certification authorities.
    By default, the only member of Enterprise Admins is the Administrator account for the forest root domain. The group is a default member of every Domain Admins group in the forest. | -| S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
    Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| -| S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
    Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| -| S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| -| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| -| S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| -| S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. | -| S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| -| S-1-5-32-549| Server Operators| Description: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer.| -| S-1-5-32-550 | Print Operators| A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues.| -| S-1-5-32-551 | Backup Operators| A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down.| -| S-1-5-32-552 | Replicators | A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group.| -|S-1-5-32-554|Builtin\Pre-Windows 2000 Compatible Access|An alias added by Windows 2000. A backward compatibility group that allows read access on all users and groups in the domain.| -|S-1-5-32-555|Builtin\Remote Desktop Users|An alias. Members in this group are granted the right to log on remotely.| -|S-1-5-32-556|Builtin\Network Configuration Operators|An alias. Members in this group can have some administrative privileges to manage configuration of networking features.| -|S-1-5-32-557|Builtin\Incoming Forest Trust Builders|An alias. Members of this group can create incoming, one-way trusts to this forest.| -|S-1-5-32-558|Builtin\Performance Monitor Users|An alias. Members of this group have remote access to monitor this computer.| -|S-1-5-32-559|Builtin\Performance Log Users|An alias. Members of this group have remote access to schedule logging of performance counters on this computer.| -|S-1-5-32-560|Builtin\Windows Authorization Access Group|An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects.| -|S-1-5-32-561|Builtin\Terminal Server License Servers|An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created.| -|S-1-5-32-562|Builtin\Distributed COM Users|An alias. A group for COM to provide computer-wide access controls that govern access to all call, activation, or launch requests on the computer.| -|S-1-5-32-568|Builtin\IIS_IUSRS|An alias. A built-in group account for IIS users.| -|S-1-5-32-569|Builtin\Cryptographic Operators|A built-in local group. Members are authorized to perform cryptographic operations.| -|S-1-5-32-573|Builtin\Event Log Readers|A built-in local group. Members of this group can read event logs from local computer.| -|S-1-5-32-574|Builtin\Certificate Service DCOM Access|A built-in local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.| -|S-1-5-32-575|Builtin\RDS Remote Access Servers|A built-in local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.| -|S-1-5-32-576|Builtin\RDS Endpoint Servers|A built-in local group. Servers in this group run virtual machines and host sessions where users RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.| -|S-1-5-32-577|Builtin\RDS Management Servers|A builtin local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.| -|S-1-5-32-578|Builtin\Hyper-V Administrators|A built-in local group. Members of this group have complete and unrestricted access to all features of Hyper-V.| -|S-1-5-32-579|Builtin\Access Control Assistance Operators|A built-in local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.| -|S-1-5-32-580|Builtin\Remote Management Users|A built-in local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.| -| S-1-5-64-10| NTLM Authentication| A SID that is used when the NTLM authentication package authenticated the client| -| S-1-5-64-14 | SChannel Authentication| A SID that is used when the SChannel authentication package authenticated the client.| -| S-1-5-64-21 | Digest Authentication| A SID that is used when the Digest authentication package authenticated the client.| -| S-1-5-80 | NT Service | A SID that is used as an NT Service account prefix.| -| S-1-5-80-0 | All Services| A group that includes all service processes that are configured on the system. Membership is controlled by the operating system. SID S-1-5-80-0 equals NT SERVICES\ALL SERVICES. This SID was introduced in Windows Server 2008 R2.| -| S-1-5-83-0| NT VIRTUAL MACHINE\Virtual Machines| A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the **Create Symbolic Links** right (SeCreateSymbolicLinkPrivilege), and also the **Log on as a Service** right (SeServiceLogonRight). | - -The following RIDs are relative to each domain. - -| RID |Decimal value| Identifies | -| - | - | - | -| DOMAIN_USER_RID_ADMIN | 500 | The administrative user account in a domain. | -| DOMAIN_USER_RID_GUEST| 501 | The guest-user account in a domain. Users who do not have an account can automatically sign in to this account.| -| DOMAIN_GROUP_RID_USERS | 513 | A group that contains all user accounts in a domain. All users are automatically added to this group.| -| DOMAIN_GROUP_RID_GUESTS | 514 | The group Guest account in a domain.| -| DOMAIN_GROUP_RID_COMPUTERS | 515 | The Domain Computer group. All computers in the domain are members of this group.| -| DOMAIN_GROUP_RID_CONTROLLERS | 516 | The Domain Controller group. All domain controllers in the domain are members of this group.| -| DOMAIN_GROUP_RID_CERT_ADMINS | 517 | The certificate publishers' group. Computers running Active Directory Certificate Services are members of this group.| -| DOMAIN_GROUP_RID_SCHEMA_ADMINS | 518 | The schema administrators' group. Members of this group can modify the Active Directory schema.| -| DOMAIN_GROUP_RID_ENTERPRISE_ADMINS | 519 | The enterprise administrators' group. Members of this group have full access to all domains in the Active Directory forest. Enterprise administrators are responsible for forest-level operations such as adding or removing new domains.| -| DOMAIN_GROUP_RID_POLICY_ADMINS| 520 | The policy administrators' group.| - -The following table provides examples of domain-relative RIDs that are used to form well-known SIDs for local groups. - -| RID | Decimal value | Identifies | -| - | - | - | -| DOMAIN_ALIAS_RID_ADMINS | 544 | Administrators of the domain.| -| DOMAIN_ALIAS_RID_USERS | 545 | All users in the domain.| -| DOMAIN_ALIAS_RID_GUESTS | 546 | Guests of the domain.| -| DOMAIN_ALIAS_RID_POWER_USERS | 547 | A user or a set of users who expect to treat a system as if it were their personal computer rather than as a workstation for multiple users.| -| DOMAIN_ALIAS_RID_BACKUP_OPS | 551 | A local group that is used to control the assignment of file backup-and-restore user rights.| -| DOMAIN_ALIAS_RID_REPLICATOR | 552 | A local group that is responsible for copying security databases from the primary domain controller to the backup domain controllers. These accounts are used only by the system.| -| DOMAIN_ALIAS_RID_RAS_SERVERS | 553 | A local group that represents remote access and servers running Internet Authentication Service (IAS). This group permits access to various attributes of User objects.| - -## Changes in security identifier's functionality - -The following table describes changes in SID implementation in the Windows operating systems that are designated in the list. - -| Change | Operating system version | Description and resources | -| - | - | - | -| Most of the operating system files are owned by the TrustedInstaller security identifier (SID)| Windows Server 2008, Windows Vista| The purpose of this change is to prevent a process that is running as an administrator or under the LocalSystem account from automatically replacing the operating system files. | -| Restricted SID checks are implemented| Windows Server 2008, Windows Vista| When restricting SIDs are present, Windows performs two access checks. The first is the normal access check, and the second is the same access check against the restricting SIDs in the token. Both access checks must pass to allow the process to access the object. | - -## Capability SIDs - -Capability Security Identifiers (SIDs) are used to uniquely and immutably identify capabilities. Capabilities represent an unforgeable token of authority that grants access to resources (Examples: documents, camera, locations etc...) to Universal Windows Applications. An App that “has” a capability is granted access to the resource the capability is associated with, and one that “does not have” a capability is denied access to the resource. - -All Capability SIDs that the operating system is aware of are stored in the Windows Registry in the path `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities'. Any Capability SID added to Windows by first or third-party applications will be added to this location. - -## Examples of registry keys taken from Windows 10, version 1909, 64-bit Enterprise edition - -You may see the following registry keys under AllCachedCapabilities: - -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows - -All Capability SIDs are prefixed by S-1-15-3 - -## Examples of registry keys taken from Windows 11, version 21H2, 64-bit Enterprise edition - -You may see the following registry keys under AllCachedCapabilities: - -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_DevUnlock_Internal -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Enterprise -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_General -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Restricted -HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityManager\CapabilityClasses\AllCachedCapabilities\capabilityClass_Windows - -All Capability SIDs are prefixed by S-1-15-3 - -## See also - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md deleted file mode 100644 index 3120899040..0000000000 --- a/windows/security/identity-protection/access-control/security-principals.md +++ /dev/null @@ -1,148 +0,0 @@ ---- -title: Security Principals (Windows 10) -description: Security Principals -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 04/19/2017 -ms.reviewer: ---- - -# Security Principals - -**Applies to** -- Windows 10 -- Windows Server 2016 - -This reference topic for the IT professional describes security principals in regards to Windows accounts and security groups, in addition to security technologies that are related to security principals. - -## What are security principals? - - -Security principals are any entity that can be authenticated by the operating system, such as a user account, a computer account, or a thread or process that runs in the security context of a user or computer account, or the security groups for these accounts. Security principals have long been a foundation for controlling access to securable resources on Windows computers. Each security principal is represented in the operating system by a unique security identifier (SID). - -The following content applies to the versions of Windows that are designated in the **Applies To** list at the beginning of this topic. - -## How security principals work - - -Security principals that are created in an Active Directory domain are Active Directory objects, which can be used to manage access to domain resources. Each security principal is assigned a unique identifier, which it retains for its entire lifetime. Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are managed by the Security Accounts Manager (SAM) on the local computer. - -### Authorization and access control components - -The following diagram illustrates the Windows authorization and access control process. In this diagram, the subject (a process that is initiated by a user) attempts to access an object, such as a shared folder. The information in the user’s access token is compared to the access control entries (ACEs) in the object’s security descriptor, and the access decision is made. The SIDs of security principals are used in the user’s access token and in the ACEs in the object’s security descriptor. - -**Authorization and access control process** - -![authorization and access control process.](images/authorizationandaccesscontrolprocess.gif) - -Security principals are closely related to the following components and technologies: - -- [Security identifiers](#bkmk-sids) - -- [Access tokens](#bkmk-accesstokens) - -- [Security descriptors and access control lists](#bkmk-sdandacls) - -- [Permissions](#bkmk-permissions) - -### Security identifiers - -Security identifiers (SIDs) provide a fundamental building block of the Windows security model. They work with specific components of the authorization and access control technologies in the security infrastructure of the Windows Server operating systems. This helps protect access to network resources and provides a more secure computing environment. - -A SID is a value of variable length that is used to uniquely identify a security principal that represents any entity that can be authenticated by the system. These entities include a user account, a computer account, or a thread or process that runs in the security context of a user or computer account. Each security principal is automatically assigned a SID when it is created. The SID is stored in a security database. When a SID is used as the unique identifier for a user or group, it can never be used to identify another user or group. - -Each time a user signs in, the system creates an access token for that user. The access token contains the user’s SID, user rights, and the SIDs for groups that the user belongs to. This token provides the security context for whatever actions the user performs on that computer. - -In addition to the uniquely created, domain-specific SIDs that are assigned to specific users and groups, there are well-known SIDs that identify generic groups and generic users. For example, the Everyone and the World SIDs identify groups that includes all users. Well-known SIDs have values that remain constant across all operating systems. - -### Access tokens - -An access token is a protected object that contains information about the identity and user rights that are associated with a user account. - -When a user signs in interactively or tries to make a network connection to a computer running Windows, the sign-in process authenticates the user’s credentials. If authentication is successful, the process returns a SID for the user and a list of SIDs for the user’s security groups. The Local Security Authority (LSA) on the computer uses this information to create an access token (in this case, the primary access token). This includes the SIDs that are returned by the sign-in process and a list of user rights that are assigned by the local security policy to the user and to the user’s security groups. - -After the LSA creates the primary access token, a copy of the access token is attached to every thread and process that executes on the user’s behalf. Whenever a thread or process interacts with a securable object or tries to perform a system task that requires user rights, the operating system checks the access token that is associated with the thread to determine the level of authorization. - -There are two kinds of access tokens, primary and impersonation. Every process has a primary token that describes the security context of the user account that is associated with the process. A primary access token is typically assigned to a process to represent the default security information for that process. Impersonation tokens, on the other hand, are usually used for client and server scenarios. Impersonation tokens enable a thread to run in a security context that differs from the security context of the process that owns the thread. - -### Security descriptors and access control lists - -A security descriptor is a data structure that is associated with each securable object. All objects in Active Directory and all securable objects on a local computer or on the network have security descriptors to help control access to the objects. Security descriptors include information about who owns an object, who can access it and in what way, and what types of access are audited. Security descriptors contain the access control list (ACL) of an object, which includes all of the security permissions that apply to that object. An object’s security descriptor can contain two types of ACLs: - -- A discretionary access control list (DACL), which identifies the users and groups who are allowed or denied access - -- A system access control list (SACL), which controls how access is audited - -You can use this access control model to individually secure objects and attributes such as files and folders, Active Directory objects, registry keys, printers, devices, ports, services, processes, and threads. Because of this individual control, you can adjust the security of objects to meet the needs of your organization, delegate authority over objects or attributes, and create custom objects or attributes that require unique security protections to be defined. - -### Permissions - -Permissions enable the owner of each securable object, such as a file, Active Directory object, or registry key, to control who can perform an operation or a set of operations on the object or object property. Permissions are expressed in the security architecture as access control entries (ACEs). Because access to an object is at the discretion of the object’s owner, the type of access control that is used in Windows is called discretionary access control. - -Permissions are different from user rights in that permissions are attached to objects, and user rights apply to user accounts. Administrators can assign user rights to groups or users. These rights authorize users to perform specific actions, such as signing in to a system interactively or backing up files and directories. - -On computers, user rights enable administrators to control who has the authority to perform operations that affect an entire computer, rather than a particular object. Administrators assign user rights to individual users or groups as part of the security settings for the computer. Although user rights can be managed centrally through Group Policy, they are applied locally. Users can (and usually do) have different user rights on different computers. - -For information about which user rights are available and how they can be implemented, see [User Rights Assignment](/windows/device-security/security-policy-settings/user-rights-assignment). - -### Security context in authentication - -A user account enables a user to sign in to computers, networks, and domains with an identity that can be authenticated by the computer, network, or domain. - -In Windows, any user, service, group, or computer that can initiate action is a security principal. Security principals have accounts, which can be local to a computer or domain-based. For example, domain-joined Windows client computers can participate in a network domain by communicating with a domain controller, even when no user is signed in. - -To initiate communications, the computer must have an active account in the domain. Before accepting communications from the computer, the Local Security Authority on the domain controller authenticates the computer’s identity and then defines the computer’s security context just as it would for a user’s security principal. - -This security context defines the identity and capabilities of a user or service on a particular computer, or of a user, service, group or computer on a network. For example, it defines the resources (such as a file share or printer) that can be accessed and the actions (such as Read, Write, or Modify) that can be performed by a user, service, or computer on that resource. - -The security context of a user or computer can vary from one computer to another, such as when a user authenticates to a server or a workstation other than the user’s primary workstation. It can also vary from one session to another, such as when an administrator modifies the user’s rights and permissions. In addition, the security context is usually different when a user or computer is operating on a stand-alone basis, in a mixed network domain, or as part of an Active Directory domain. - -## Accounts and security groups - - -Accounts and security groups that are created in an Active Directory domain are stored in the Active Directory database and managed by using Active Directory tools. These security principals are directory objects, and they can be used to manage access to domain resources. - -Local user accounts and security groups are created on a local computer, and they can be used to manage access to resources on that computer. Local user accounts and security groups are stored in and managed by the Security Accounts Manager (SAM) on the local computer. - -### User accounts - -A user account uniquely identifies a person who is using a computer system. The account signals the system to enforce the appropriate authorization to allow or deny that user access to resources. User accounts can be created in Active Directory and on local computers, and administrators use them to: - -- Represent, identify, and authenticate the identity of a user. A user account enables a user to sign in to computers, networks, and domains with a unique identifier that can be authenticated by the computer, network, or domain. - -- Authorize (grant or deny) access to resources. After a user has been authenticated, the user is authorized access to resources based on the permissions that are assigned to that user for the resource. - -- Audit the actions that are carried out on a user account. - -Windows and the Windows Server operating systems have built-in user accounts, or you can create user accounts to meet the requirements of your organization. - -### Security groups - -A security group is a collection of user accounts, computer accounts, and other groups of accounts that can be managed as a single unit from a security perspective. In Windows operating systems, there are several built-in security groups that are preconfigured with the appropriate rights and permissions for performing specific tasks. Additionally, you can (and, typically, will) create a security group for each unique combination of security requirements that applies to multiple users in your organization. - -Groups can be Active Directory-based or local to a particular computer: - -- Active Directory security groups are used to manage rights and permissions to domain resources. - -- Local groups exist in the SAM database on local computers (on all Windows-based computers) except domain controllers. You use local groups to manage rights and permissions only to resources on the local computer. - -By using security groups to manage access control, you can: - -- Simplify administration. You can assign a common set of rights, a common set of permissions, or both to many accounts at one time, rather than assigning them to each account individually. Also, when users transfer jobs or leave the organization, permissions are not tied to their user accounts, making permission reassignment or removal easier. - -- Implement a role-based access-control model. You can use this model to grant permissions by using groups with different scopes for appropriate purposes. Scopes that are available in Windows include local, global, domain local, and universal. - -- Minimize the size of access control lists (ACLs) and speed security checking. A security group has its own SID; therefore, the group SID can be used to specify permissions for a resource. In an environment with more than a few thousand users, if the SIDs of individual user accounts are used to specify access to a resource, the ACL of that resource can become unmanageably large, and the time that is needed for the system to check permissions to the resource can become unacceptable. - -For descriptions and settings information about the domain security groups that are defined in Active Directory, see [Active Directory Security Groups](active-directory-security-groups.md). - -For descriptions and settings information about the Special Identities group, see [Special Identities](special-identities.md). - -## See also - -- [Access Control Overview](access-control.md) diff --git a/windows/security/identity-protection/access-control/service-accounts.md b/windows/security/identity-protection/access-control/service-accounts.md deleted file mode 100644 index cd6db0f4f7..0000000000 --- a/windows/security/identity-protection/access-control/service-accounts.md +++ /dev/null @@ -1,112 +0,0 @@ ---- -title: Service Accounts (Windows 10) -description: Service Accounts -ms.prod: m365-security -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: - - M365-identity-device-management - - highpri -ms.topic: article -ms.localizationpriority: medium -ms.date: 11/19/2021 ---- - -# Service Accounts - -**Applies to** -- Windows 10 -- Windows Server 2016 - -This topic for the IT professional explains group and standalone managed service accounts, and the computer-specific virtual computer account, and it points to resources about these service accounts. - -## Overview - -A service account is a user account that is created explicitly to provide a security context for services running on Windows Server operating systems. The security context determines the service's ability to access local and network resources. The Windows operating systems rely on services to run various features. These services can be configured through the applications, the Services snap-in, or Task Manager, or by using Windows PowerShell. - -This topic contains information about the following types of service accounts: - -- [Standalone managed service accounts](#bkmk-standalonemanagedserviceaccounts) - -- [Group-managed service accounts](#bkmk-groupmanagedserviceaccounts) - -- [Virtual accounts](#bkmk-virtualserviceaccounts) - -### Standalone managed service accounts - -A managed service account is designed to isolate domain accounts in crucial applications, such as Internet Information Services (IIS), and eliminate the need for an administrator to manually administer the service principal name (SPN) and credentials for the accounts. - -To use managed service accounts, the server on which the application or service is installed must be running at least Windows Server 2008 R2. One managed service account can be used for services on a single computer. Managed service accounts cannot be shared between multiple computers, and they cannot be used in server clusters where a service is replicated on multiple cluster nodes. For this scenario, you must use a group-managed service account. For more information, see [Group-Managed Service Accounts Overview](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831782(v=ws.11)). - -In addition to the enhanced security that is provided by having individual accounts for critical services, there are four important administrative benefits associated with managed service accounts: - -- You can create a class of domain accounts that can be used to manage and maintain services on local computers. - -- Unlike domain accounts in which administrators must manually reset passwords, the network passwords for these accounts are automatically reset. - -- You do not have to complete complex SPN management tasks to use managed service accounts. -- You don't have to complete complex SPN management tasks to use managed service accounts. -- Administrative tasks for managed service accounts can be delegated to non-administrators. - -### Software requirements - -Managed service accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. - -### Group-managed service accounts - -Group-managed service accounts are an extension of the standalone-managed service accounts, which were introduced in Windows Server 2008 R2. These accounts are managed domain accounts that provide automatic password management and simplified service principal name (SPN) management, including delegation of management to other administrators. - -The group-managed service account provides the same functionality as a standalone managed service account within the domain, but it extends that functionality over multiple servers. When connecting to a service that is hosted on a server farm, such as Network Load Balancing, the authentication protocols that support mutual authentication require all instances of the services to use the same principal. When group-managed service accounts are used as service principals, the Windows Server operating system manages the password for the account instead of relying on the administrator to manage the password. - -The Microsoft Key Distribution Service (kdssvc.dll) provides the mechanism to securely obtain the latest key or a specific key with a key identifier for an Active Directory account. This service was introduced in Windows Server 2012, and it does not run on previous versions of the Windows Server operating system. The Key Distribution Service shares a secret, which is used to create keys for the account. These keys are periodically changed. For a group-managed service account, the domain controller computes the password on the key that is provided by the Key Distribution Services, in addition to other attributes of the group-managed service account. - -### Practical applications - -Group-managed service accounts provide a single identity solution for services running on a server farm, or on systems that use Network Load Balancing. By providing a group-managed service account solution, services can be configured for the group-managed service account principal, and the password management is handled by the operating system. - -By using a group-managed service account, service administrators do not need to manage password synchronization between service instances. The group-managed service account supports hosts that are kept offline for an extended time period and the management of member hosts for all instances of a service. This provision means that you can deploy a server farm that supports a single identity to which existing client computers can authenticate without knowing the instance of the service to which they are connecting. - -Failover clusters do not support group-managed service accounts. However, services that run on top of the Cluster service can use a group-managed service account or a standalone managed service account if they are a Windows service, an App pool, a scheduled task, or if they natively support group-managed service account or standalone managed service accounts. - -### Software requirements - -Group-managed service accounts can only be configured and administered on computers running at least Windows Server 2012, but they can be deployed as a single service identity solution in domains that still have domain controllers running operating systems earlier than Windows Server 2012. There are no domain or forest functional level requirements. - -A 64-bit architecture is required to run the Windows PowerShell commands that are used to administer group-managed service accounts. - -A managed service account is dependent on encryption types supported by Kerberos. When a client computer authenticates to a server by using Kerberos protocol, the domain controller creates a Kerberos service ticket that is protected with encryption that the domain controller and the server support. The domain controller uses the account’s **msDS-SupportedEncryptionTypes** attribute to determine what encryption the server supports, and if there is no attribute, it assumes that the client computer does not support stronger encryption types. The Advanced Encryption Standard (AES) must always be configured for managed service accounts. If computers that host the managed service account are configured to not support RC4, authentication will always fail. - -**Note**   -Introduced in Windows Server 2008 R2, the Data Encryption Standard (DES) is disabled by default. For more information about supported encryption types, see [Changes in Kerberos Authentication](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd560670(v=ws.10)). - -Group-managed service accounts are not applicable in Windows operating systems prior to Windows Server 2012. - -### Virtual accounts - -Virtual accounts were introduced in Windows Server 2008 R2 and Windows 7, and are managed local accounts that provide the following features to simplify service administration: - -- The virtual account is automatically managed. - -- The virtual account can access the network in a domain environment. - -- No password management is required. For example, if the default value is used for the service accounts during SQL Server setup on Windows Server 2008 R2, a virtual account that uses the instance name as the service name is established in the format NT SERVICE\\<SERVICENAME>. - -Services that run as virtual accounts access network resources by using the credentials of the computer account in the format <domain\_name>\\<computer\_name>$. - -For information about how to configure and use virtual service accounts, see [Service Accounts Step-by-Step Guide](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd548356(v=ws.10)). - -### Software requirements - -Virtual accounts apply to the Windows operating systems that are designated in the **Applies To** list at the beginning of this topic. - -## See also - - -The following table provides links to other resources that are related to standalone managed service accounts, group-managed service accounts, and virtual accounts. - -| Content type | References | -|---------------|-------------| -| **Product evaluation** | [What's New for Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831451(v=ws.11))
    [Getting Started with Group Managed Service Accounts](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj128431(v=ws.11)) | -| **Deployment** | [Windows Server 2012: Group Managed Service Accounts - Ask Premier Field Engineering (PFE) Platforms - Site Home - TechNet Blogs](https://blogs.technet.com/b/askpfeplat/archive/2012/12/17/windows-server-2012-group-managed-service-accounts.aspx) | -| **Related technologies** | [Security Principals](security-principals.md)
    [What's new in Active Directory Domain Services](/windows-server/identity/whats-new-active-directory-domain-services) | diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md deleted file mode 100644 index 995d23b020..0000000000 --- a/windows/security/identity-protection/access-control/special-identities.md +++ /dev/null @@ -1,448 +0,0 @@ ---- -title: Special Identities (Windows 10) -description: Special Identities -ms.prod: m365-security -ms.technology: windows-sec -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 12/21/2021 -ms.reviewer: ---- - -# Special Identities - -**Applies to** - -- Windows Server 2016 or later - -This reference topic for the IT professional describes the special identity groups (which are sometimes referred to as security groups) that are used in Windows access control. - -Special identity groups are similar to Active Directory security groups as listed in the users and built-in containers. Special identity groups can provide an efficient way to assign access to resources in your network. By using special identity groups, you can: - -- Assign user rights to security groups in Active Directory. -- Assign permissions to security groups for the purpose of accessing resources. - -Servers that are running the supported Windows Server operating systems designated in the **Applies To** list at the beginning of this topic include several special identity groups. These special identity groups do not have specific memberships that can be modified, but they can represent different users at different times, depending on the circumstances. - -Although the special identity groups can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to special identity groups. Users are automatically assigned to these special identity groups whenever they sign in or access a particular resource. - -For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md). - -The special identity groups are described in the following tables: - -- [Anonymous Logon](#anonymous-logon) -- [Attested Key Property](#attested-key-property) -- [Authenticated Users](#authenticated-users) -- [Authentication Authority Asserted Identity](#authentication-authority-asserted-identity) -- [Batch](#batch) -- [Console Logon](#console-logon) -- [Creator Group](#creator-group) -- [Creator Owner](#creator-owner) -- [Dialup](#dialup) -- [Digest Authentication](#digest-authentication) -- [Enterprise Domain Controllers](#enterprise-domain-controllers) -- [Everyone](#everyone) -- [Fresh Public Key Identity](#fresh-public-key-identity) -- [Interactive](#interactive) -- [IUSR](#iusr) -- [Key Trust](#key-trust) -- [Local Service](#local-service) -- [LocalSystem](#localsystem) -- [MFA Key Property](#mfa-key-property) -- [Network](#network) -- [Network Service](#network-service) -- [NTLM Authentication](#ntlm-authentication) -- [Other Organization](#other-organization) -- [Owner Rights](#owner-rights) -- [Principal Self](#principal-self) -- [Proxy](#proxy) -- [Remote Interactive Logon](#remote-interactive-logon) -- [Restricted](#restricted) -- [SChannel Authentication](#schannel-authentication) -- [Service](#service) -- [Service Asserted Identity](#service-asserted-identity) -- [Terminal Server User](#terminal-server-user) -- [This Organization](#this-organization) -- [Window Manager\\Window Manager Group](#window-managerwindow-manager-group) - -## Anonymous Logon - -Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-7 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Attested Key Property - -A SID that means the key trust object had the attestation property. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-6 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Authenticated Users - -Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-11 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - -## Authentication Authority Asserted Identity - -A SID that means the client's identity is asserted by an authentication authority based on proof of possession of client credentials. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Batch - -Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-3 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Console Logon - -A group that includes users who are logged on to the physical console. This SID can be used to implement security policies that grant different rights based on whether a user has been granted physical access to the console. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-2-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Creator Group - -The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. - -A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Creator Owner - -The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-0 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Dialup - -Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-1 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Digest Authentication - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-21 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| none| - -## Enterprise Domain Controllers - -This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-9 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight| - -## Everyone - -All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group. - -On computers running Windows 2000 and earlier, the Everyone group included the Anonymous Logon group as a default member, but as of Windows Server 2003, the Everyone group contains only Authenticated Users and Guest; and it no longer includes Anonymous Logon by default (although this can be changed, using Registry Editor, by going to the **Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa** key and setting the value of **everyoneincludesanonymous** DWORD to 1). - -Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-1-0 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
    [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege| - -## Fresh Public Key Identity - -A SID that means the client's identity is asserted by an authentication authority based on proof of current possession of client public key credentials. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-3 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Interactive - -Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None| - -## IUSR - -Internet Information Services (IIS) uses this account by default whenever anonymous authentication is enabled. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-17 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Key Trust - -A SID that means the client's identity is based on proof of possession of public key credentials using the key trust object. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Local Service - -The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-19 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
    [Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
    | - -## LocalSystem - -This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-18 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## MFA Key Property - -A SID that means the key trust object had the multifactor authentication (MFA) property. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-5 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Network - -This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-2 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Network Service - -The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-20 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
    [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    [Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
    | - -## NTLM Authentication - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-10 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None| - -## Other Organization - -This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-1000 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Owner Rights - -A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-3-4 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Principal Self - -This identity is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-10 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Proxy - -Identifies a SECURITY_NT_AUTHORITY Proxy. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-8 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Remote Interactive Logon - -This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-14| -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Restricted - -Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-12 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## SChannel Authentication - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-64-14 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Service - -Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-6 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
    [Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
    | - -## Service Asserted Identity - -A SID that means the client's identity is asserted by a service. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-18-2 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights|None| - -## Terminal Server User - -Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system. - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-13 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## This Organization - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-15 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| None | - -## Window Manager\\Window Manager Group - -| Attribute | Value | -| :--: | :--: | -| Well-Known SID/RID | S-1-5-90 | -|Object Class| Foreign Security Principal| -|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\| -|Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
    [Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
    | - -## See also - -- [Active Directory Security Groups](active-directory-security-groups.md) - -- [Security Principals](security-principals.md) - -- [Access Control Overview](access-control.md) From b209dcefe4f639da68fd0d944c237c747b0b6d3e Mon Sep 17 00:00:00 2001 From: Liz Long <104389055+lizgt2000@users.noreply.github.com> Date: Thu, 4 Aug 2022 18:00:31 -0400 Subject: [PATCH 50/77] 4246040 change redirect to false --- .openpublishing.redirection.json | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 3acf52720e..c702618554 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19593,42 +19593,42 @@ { "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/security-principals.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-principals", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/active-directory-accounts.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-default-user-accounts", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/microsoft-accounts.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-microsoft-accounts", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/service-accounts.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-service-accounts", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/active-directory-security-groups.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-groups", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/special-identities.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-special-identities-groups", - "redirect_document_id": true + "redirect_document_id": false }, { "source_path": "windows/security/identity-protection/access-control/dynamic-access-control.md", "redirect_url": "/windows-server/identity/solution-guides/dynamic-access-control-overview", - "redirect_document_id": true + "redirect_document_id": false } ] } From 412ffd4d3df98b97f93df77e17c07f9fad57afac Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Thu, 4 Aug 2022 23:51:25 -0500 Subject: [PATCH 51/77] More changes --- .../deploy/windows-autopatch-register-devices.md | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index fbe99bc055..ad03c51333 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -28,7 +28,7 @@ Windows Autopatch can take over software update management of supported devices ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour its discover devices function to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand. @@ -49,7 +49,7 @@ Azure AD groups synced up from: > The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. > [!TIP] -> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the Windows Autopatch Device Registration Azure AD group on demand. +> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. ### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant @@ -112,9 +112,7 @@ Registering your devices in Windows Autopatch does the following: ## Steps to register devices -### Physical devices - -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the Windows Autopatch Device Registration Azure AD group to be registered with Windows Autopatch. +Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group to be registered with Windows Autopatch. **To register physical devices into Windows Autopatch:** @@ -131,7 +129,7 @@ Once devices or Azure AD groups containing devices are added to the **Windows Au ### Windows Autopatch on Windows 365 Enterprise Workloads -With Windows 365 Enterprise, IT admins are given the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy process calls the Windows Autopatch device registration APIs to register devices on behalf of the IT admin. +With Windows 365 Enterprise, IT admins are given the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. **To deploy Windows Autopatch on a Windows 365 Provisioning Policy:** @@ -152,9 +150,9 @@ For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-36 All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method for any other physical or virtual device. See [steps to register devices](#steps-to-register-devices) for more details. -### Contact support +### Contact support for device registration-related incidents -Support is available either through Windows 365, or Windows Autopatch for update related incidents. +Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents. - For Windows 365 support, see [Get support](/mem/get-support). - For Windows Autopatch support, see [Submit a support request](/windows/deployment/windows-autopatch/operate/windows-autopatch-support-request). From 92eff309b5eab23af933429bbbc6b4cfa6a83a23 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 08:07:01 -0700 Subject: [PATCH 52/77] Update windows-autopatch-register-devices.md Fixed wording --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index ad03c51333..649f4f674b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -28,7 +28,7 @@ Windows Autopatch can take over software update management of supported devices ### About the use of an Azure AD group to register devices -You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs every hour its discover devices function to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. +You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] > Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand. From 303c0d6e3b286248e10024f907fe1a5f82a3b9d1 Mon Sep 17 00:00:00 2001 From: Nagappan Veerappan Date: Fri, 5 Aug 2022 11:56:54 -0700 Subject: [PATCH 53/77] 0xC00000BB -included for KDC support error 0xC00000BB -included for KDC support error --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 631d982e36..592e53bc19 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -70,6 +70,8 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | +| 0xC00000BB | Something went wrong and you PIN isn’t available. Or That option is temporarily unavailable. For now, please use a different method to sign in. | Destination domain controller doesn't support the login, most likely KDC service dont have proper certificate to support the login.| + ## Errors with unknown mitigation From 2cd104786fe314676895586e3c5050ad934dea04 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 12:59:38 -0700 Subject: [PATCH 54/77] New Changes made at tenant enrollment. --- windows/deployment/windows-autopatch/TOC.yml | 2 + .../windows-autopatch-enroll-tenant.md | 3 + .../windows-autopatch-changes-to-tenant.md | 161 ++++++++++++++++++ 3 files changed, 166 insertions(+) create mode 100644 windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c6e175c270..b61273493f 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -79,6 +79,8 @@ href: operate/windows-autopatch-wqu-unsupported-policies.md - name: Microsoft 365 Apps for enterprise update policies href: references/windows-autopatch-microsoft-365-policies.md + - name: Changes made at tenant enrollment + href: references/windows-autopatch-changes-to-tenant.md - name: Privacy href: references/windows-autopatch-privacy.md - name: Windows Autopatch preview addendum diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md index 99940fe13f..7ff9f212c0 100644 --- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md +++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md @@ -99,6 +99,9 @@ Within the Readiness assessment tool, you'll now see the **Enroll** button. By s Once these actions are complete, you've now successfully enrolled your tenant. +> [!NOTE] +> For more information about changes made to your tenant, see [Changes made at tenant enrollment](../references/windows-autopatch-changes-to-tenant.md). + ### Delete data collected from the Readiness assessment tool You can choose to delete the data we collect directly within the Readiness assessment tool. diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md new file mode 100644 index 0000000000..c6f60baec9 --- /dev/null +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -0,0 +1,161 @@ +--- +title: Changes made at tenant enrollment +description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch +ms.date: 08/04/2022 +ms.prod: w11 +ms.technology: windows +ms.topic: reference +ms.localizationpriority: medium +author: tiaraquan +ms.author: tiaraquan +manager: dougeby +msreviewer: hathind +--- + +# Changes made at tenant enrollment + +## Service principal + +Windows Autopatch will create a service principal in your tenant allowing the service to establish an identity and restrict access to what resources the service has access to within the tenant. For more information, see [Application and service principal objects in Azure Active Directory](/azure/active-directory/develop/app-objects-and-service-principals#service-principal-object). The service principal created by Windows Autopatch is: + +- Modern Workplace Customer APIs + +## Azure Active Directory groups + +Windows Autopatch will create Azure Active Directory groups that are required to operate the service. The following groups are used for targeting Windows Autopatch configurations to devices and management of the service by our service accounts. + +| Group name | Description | +| ----- | ----- | +| Modern Workplace-All | All Modern Workplace users | +| Modern Workplace - Windows 11 Pre-Release Test Devices | Device group for Windows 11 Pre-Release testing. | +| Modern Workplace Devices-All | All Modern Workplace devices | +| Modern Workplace Devices-Windows Autopatch-Test | Immediate ring for device rollout | +| Modern Workplace Devices-Windows Autopatch-First | First production ring for early adopters | +| Modern Workplace Devices-Windows Autopatch-Fast | Fast ring for quick rollout and adoption | +| Modern Workplace Devices-Windows Autopatch-Broad | Final ring for broad rollout into an organization | +| Modern Workplace Devices Dynamic - Windows 10 | Microsoft Managed Desktop Devices with Windows 10

    Group Rule:

    • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
    • `(device.deviceOSVersion -notStartsWith \"10.0.22000\")`

    Exclusions:
    • Modern Workplace - Telemetry Settings for Windows 11
    | +| Modern Workplace Devices Dynamic - Windows 11 | Microsoft Managed Desktop Devices with Windows 11

    Group Rule:

    • `(device.devicePhysicalIds -any _ -startsWith \"[OrderID]:Microsoft365Managed_\")`
    • `(device.deviceOSVersion -startsWith \"10.0.22000\")`

    Exclusions:
    • Modern Workplace - Telemetry Settings for Windows 10
    | +| Modern Workplace Roles - Service Administrator | All users granted access to Modern Workplace Service Administrator Role | +| Modern Workplace Roles - Service Reader | All users granted access to Modern Workplace Service Reader Role | +| Modern Workplace Service - Intune Admin All | Group for Intune Admins

    Assigned to:

    • Modern Workplace Service Accounts
    | +| Modern Workplace Service - Intune Reader All | Group for Intune readers

    Assigned to:

    • Modern Workplace Service Accounts
    | +| Modern Workplace Service - Intune Reader MMD | Group for Intune readers of MMD devices and users

    Assigned to:

    • Modern Workplace Service Accounts
    | +| Modern Workplace Service Accounts | Group for Windows Autopatch service accounts | +| Windows Autopatch Device Registration | Group for automatic device registration for Windows Autopatch | + +## Windows Autopatch enterprise applications + +Enterprise applications are applications (software) that a business uses to do its work. + +Windows Autopatch creates an enterprise application in your tenant. This enterprise application is a first party application used to run the Windows Autopatch service. + +| Enterprise application name | Usage | Permissions | +| ----- | ------ | ----- | +| Modern Workplace Management | This enterprise application is a limited first party enterprise application with elevated privileges. This account is used to manage the service, publish baseline configuration updates, and maintain overall service health. |
    • DeviceManagementApps.ReadWrite.All
    • DeviceManagementConfiguration.ReadWrite.All
    • DeviceManagementManagedDevices.PriviligedOperation.All
    • DeviceManagementManagedDevices.ReadWrite.All
    • DeviceManagementRBAC.ReadWrite.All
    • DeviceManagementServiceConfig.ReadWrite.All
    • Directory.Read.All
    • Group.Create
    • Policy.Read.All
    • WindowsUpdates.Read.Write.All
    | + +> [!NOTE] +> Enterprise application authentication is only available on tenants enrolled after July 9th, 2022. For tenants enrolled before this date, Enterprise Application authentication will be made available for enrollment soon. + +## Windows Autopatch cloud service accounts + +Windows Autopatch will create three cloud service accounts in your tenant. These accounts are used to run the service and all need to be excluded from any multi-factor authentication controls. + +> [!NOTE] +> Effective Aug 15th, 2022, these accounts will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. These accounts will be removed with that transition. + +| Cloud service account name | Usage | Mitigating controls | +| ----- | ----- | ------ | +| MsAdmin@tenantDomain.onmicrosoft.com |
    • This account is a limited-service account with administrator privileges. This account is used as an Intune and User administrator to define and configure the tenant for Microsoft Modern desktop devices.
    • This account doesn't have interactive sign-in permissions.  The account performs operations only through the service.
    | Audited sign-ins | +| MsAdminInt@tenantDomain.onmicrosoft.com |
    • This account is an Intune and User administrator account used to define and configure the tenant for Modern Workplace devices.
    • This account is used for interactive sign-in to the customers’ tenant.
    • The use of this account is extremely limited as most operations are exclusively through msadmin (non-interactive).
      • |
      • Restricted to be accessed only from defined secure access workstations (SAWs) through the Modern Workplace - Secure Workstation conditional access policy.
      • Audited sign-ins
      | +| MsTest@tenantDomain.onmicrosoft.com | This is a standard account used as a validation account for initial configuration and roll out of policy, application, and device compliance settings. | Audited sign-ins | + +## Device configuration policies + +- Modern Workplace - Set MDM to Win Over GPO +- Modern Workplace - Telemetry Settings for Windows 10 +- Modern Workplace - Telemetry Settings for Windows 11 +- Modern Workplace-Window Update Detection Frequency +- Modern Workplace - Data Collection + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Set MDM to Win Over GPO | Sets mobile device management (MDM) to win over GPO

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      | | | +| Modern Workplace - Telemetry Settings for Windows 10 | Telemetry settings for Windows 10

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      |[./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) | 2 | +| Modern Workplace - Telemetry Settings for Windows 11 | Telemetry settings for Windows 11

      Assigned to:

      • Modern Workplace Devices-Windows Autopatch-Test
      • Modern Workplace Devices-Windows Autopatch-First
      • Modern Workplace Devices-Windows Autopatch-Fast
      • Modern Workplace Devices-Windows Autopatch-Broad
      |
      • [./Device/Vendor/MSFT/Policy/Config/System/AllowTelemetry ](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry)
      • [./Device/Vendor/MSFT/Policy/Config/System/LimitEnhancedDiagnosticDataWindowsAnalytics](/windows/client-management/mdm/policy-csp-system#system-limitenhanceddiagnosticdatawindowsanalytics)
      • [./Device/Vendor/MSFT/Policy/Config/System/LimitDumpCollection](/windows/client-management/mdm/policy-csp-system#system-limitdumpcollection)
      • [./Device/Vendor/MSFT/Policy/Config/System/LimitDiagnosticLogCollection](/windows/client-management/mdm/policy-csp-system#system-limitdiagnosticlogcollection)
      |
      • 3
      • 1
      • 1
      • 1
        • | +| Modern Workplace - Windows Update Detection Frequency | Sets Windows update detection frequency

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace Devices-Windows Autopatch-Fast
        • Modern Workplace Devices-Windows Autopatch-Broad
        | [./Vendor/MSFT/Policy/Config/Update/DetectionFrequency](/windows/client-management/mdm/policy-csp-update#update-detectionfrequency)| 4 | +| Modern Workplace - Data Collection | Allows diagnostic data from this device to be processed by Microsoft Managed Desktop.

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        • Modern Workplace Devices-Windows Autopatch-First
        • Modern Workplace Devices-Windows Autopatch-Fast
        • Modern Workplace Devices-Windows Autopatch-Broad
        | | | + +## Update rings for Windows 10 and later + +- Modern Workplace Update Policy [Test]-[Windows Autopatch] +- Modern Workplace Update Policy [First]-[Windows Autopatch] +- Modern Workplace Update Policy [Fast]-[Windows Autopatch] +- Modern Workplace Update Policy [Broad]-[Windows Autopatch] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace Update Policy [Test]-[Windows Autopatch | Windows Update for Business Configuration for the Test Ring

        Assigned to:

        • Modern Workplace Devices-Windows Autopatch-Test
        |
        • QualityUpdatesDeferralPeriodInDays
        • FeatureUpdatesDeferralPeriodInDays
        • FeatureUpdatesRollbackWindowInDays
        • BusinessReadyUpdatesOnly
        • AutomaticUpdateMode
        • InstallTime
        • DeadlineForFeatureUpdatesInDays
        • DeadlineForQualityUpdatesInDays
        • DeadlineGracePeriodInDays
        • PostponeRebootUntilAfterDeadline
        • DriversExcluded
        |
        • 0
        • 0
        • 30
        • All
        • WindowsDefault
        • 3
        • 5
        • 0
        • 0
        • False
        • False
          • | +| Modern Workplace Update Policy [First]-[Windows Autopatch] | Windows Update for Business Configuration for the First Ring

          Assigned to:

          • Modern Workplace Devices-Windows Autopatch-First
          |
          • QualityUpdatesDeferralPeriodInDays
          • FeatureUpdatesDeferralPeriodInDays
          • FeatureUpdatesRollbackWindowInDays
          • BusinessReadyUpdatesOnly
          • AutomaticUpdateMode
          • InstallTime
          • DeadlineForFeatureUpdatesInDays
          • DeadlineForQualityUpdatesInDays
          • DeadlineGracePeriodInDays
          • PostponeRebootUntilAfterDeadline
          • DriversExcluded
          |
          • 1
          • 0
          • 30
          • All
          • WindowsDefault
          • 3
          • 5
          • 2
          • 2
          • False
          • False
            • | +| Modern Workplace Update Policy [Fast]-[Windows Autopatch] | Windows Update for Business Configuration for the Fast Ring

            Assigned to:

            • Modern Workplace Devices-Windows Autopatch-Fast
            |
            • QualityUpdatesDeferralPeriodInDays
            • FeatureUpdatesDeferralPeriodInDays
            • FeatureUpdatesRollbackWindowInDays
            • BusinessReadyUpdatesOnly
            • AutomaticUpdateMode
            • InstallTime
            • DeadlineForFeatureUpdatesInDays
            • DeadlineForQualityUpdatesInDays
            • DeadlineGracePeriodInDays
            • PostponeRebootUntilAfterDeadline
            • DriversExcluded
            |
            • 6
            • 0
            • 30
            • All
            • WindowsDefault
            • 3
            • 5
            • 2
            • 2
            • False
            • False
              • | +| Modern Workplace Update Policy [Broad]-[Windows Autopatch] | Windows Update for Business Configuration for the Broad Ring

              Assigned to:

              • Modern Workplace Devices-Windows Autopatch-Broad
              |
              • QualityUpdatesDeferralPeriodInDays
              • FeatureUpdatesDeferralPeriodInDays
              • FeatureUpdatesRollbackWindowInDays
              • BusinessReadyUpdatesOnly
              • AutomaticUpdateMode
              • InstallTime
              • DeadlineForFeatureUpdatesInDays
              • DeadlineForQualityUpdatesInDays
              • DeadlineGracePeriodInDays
              • PostponeRebootUntilAfterDeadline
              • DriversExcluded
              |
              • 9
              • 0
              • 30
              • All
              • WindowsDefault
              • 3
              • 5
              • 5
              • 2
              • False
              • False
                • | + +## Feature update policies + +- Modern Workplace DSS Policy [Test] +- Modern Workplace DSS Policy [First] +- Modern Workplace DSS Policy [Fast] +- Modern Workplace DSS Policy [Broad] +- Modern Workplace DSS Policy [Windows 11] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-Test

                Exclude from:
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                | +| Modern Workplace DSS Policy [First] | DSS policy for First device group | | Assigned to:
                • Modern Workplace Devices-Windows Autopatch-First
                • Modern Workplace - Windows 11 Pre-Release Test Devices
                  • | +| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | | Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-Fast

                  Exclude from:
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  | +| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | | Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-Broad

                  Exclude from:
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | | Assigned to:
                  • Modern Workplace - Windows 11 Pre-Release Test Devices
                  | + +## Microsoft Office update policies + +- Modern Workplace - Office ADMX Deployment +- Modern Workplace - Office Configuration v5 +- Modern Workplace - Office Update Configuration [Test] +- Modern Workplace - Office Update Configuration [First] +- Modern Workplace - Office Update Configuration [Fast] +- Modern Workplace - Office Update Configuration [Broad] + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Office ADMX Deployment | ADMX file for Office

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | | | +| Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  • Modern Workplace Devices-Windows Autopatch-First
                  • Modern Workplace Devices-Windows Autopatch-Fast
                  • Modern Workplace Devices-Windows Autopatch-Broad
                  | | | +| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Test
                  |
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                  |
                • Enabled; L_UpdateDeadlineID == 7
                • Enabled; L_DeferUpdateDaysID == 0
                  • | +| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-First
                  |
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                  |
                • Enabled; L_UpdateDeadlineID == 7
                • Enabled; L_DeferUpdateDaysID == 0
                  • | +| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                  Assigned to:

                  • Modern Workplace Devices-Windows Autopatch-Fast
                  |
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                  • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                  |
                • Enabled; L_UpdateDeadlineID == 7
                • Enabled; L_DeferUpdateDaysID == 3
                  • | +| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                  Assigned to:
                  • Modern Workplace Devices-Windows Autopatch-Broad
                    • |
                    • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                    • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                    |
                  • Enabled; L_UpdateDeadlineID == 7
                  • Enabled; L_DeferUpdateDaysID == 7
                    • | + +## Microsoft Edge update policies + +- Modern Workplace - Edge Update ADMX Deployment +- Modern Workplace - Edge Update Channel Stable +- Modern Workplace - Edge Update Channel Beta + +| Policy name | Policy description | OMA | Value | +| ----- | ----- | ----- | ----- | +| Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Test
                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace Devices-Windows Autopatch-Fast
                    • Modern Workplace Devices-Windows Autopatch-Broad
                    | | | +| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace Devices-Windows Autopatch-Fast
                    • Modern Workplace Devices-Windows Autopatch-Broad
                    | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | +| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                    Assigned to:

                    • Modern Workplace Devices-Windows Autopatch-Test
                    | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | + +## Conditional access policies + +> [!NOTE] +> Effective Aug 15, 2022, the following policy will no longer be added to newly enrolled tenants, and existing tenants will be provided an option to migrate to enterprise application-based authentication. This policy will be removed with that transition. + +| Conditional access policy | Description | +| ----- | ----- | +| Modern Workplace - Secure Workstation | This policy is targeted to only the Windows Autopatch cloud service accounts. The policy blocks access to the tenant unless the user is accessing the tenant from a Microsoft authorized location. | + +## PowerShell scripts + +| Script | Description | +| ----- | ----- | +| Modern Workplace - Autopatch Client Setup | Installs necessary client components for the Windows Autopatch service | From f7abc21ecd6e321673444fa36a8bddbfa52050c5 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:05:25 -0700 Subject: [PATCH 55/77] Updated date. --- .../references/windows-autopatch-changes-to-tenant.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index c6f60baec9..e9941f8432 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -1,7 +1,7 @@ --- title: Changes made at tenant enrollment description: This reference article details the changes made to your tenant when enrolling into Windows Autopatch -ms.date: 08/04/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: reference From a6a4c4d22188d334582043dd061c49b608fbb032 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:13:03 -0700 Subject: [PATCH 56/77] Removed OMA column from Feature updates section. --- .../windows-autopatch-changes-to-tenant.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index e9941f8432..d6571ae47a 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -107,13 +107,13 @@ Windows Autopatch will create three cloud service accounts in your tenant. These - Modern Workplace DSS Policy [Broad] - Modern Workplace DSS Policy [Windows 11] -| Policy name | Policy description | OMA | Value | -| ----- | ----- | ----- | ----- | -| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-Test

                    Exclude from:
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                    | -| Modern Workplace DSS Policy [First] | DSS policy for First device group | | Assigned to:
                    • Modern Workplace Devices-Windows Autopatch-First
                    • Modern Workplace - Windows 11 Pre-Release Test Devices
                      • | -| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Fast

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | -| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Broad

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | -| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | | Assigned to:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | +| Policy name | Policy description | Value | +| ----- | ----- | ----- | +| Modern Workplace DSS Policy [Test] | DSS policy for Test device group | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-Test

                      Exclude from:
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                      | +| Modern Workplace DSS Policy [First] | DSS policy for First device group | Assigned to:
                      • Modern Workplace Devices-Windows Autopatch-First
                      • Modern Workplace - Windows 11 Pre-Release Test Devices
                        • | +| Modern Workplace DSS Policy [Fast] | DSS policy for Fast device group | Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Fast

                        Exclude from:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | +| Modern Workplace DSS Policy [Broad] | DSS policy for Broad device group | Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Broad

                        Exclude from:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | +| Modern Workplace DSS Policy [Windows 11] | Windows 11 DSS policy | Assigned to:
                        • Modern Workplace - Windows 11 Pre-Release Test Devices
                        | ## Microsoft Office update policies From aff5e19ba964adffdf0adf63b487e4a84b26c427 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Fri, 5 Aug 2022 13:28:44 -0700 Subject: [PATCH 57/77] Getting rid of the strikethrough because of the double tilde. --- .../windows-autopatch-changes-to-tenant.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md index d6571ae47a..62a9d46a41 100644 --- a/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md +++ b/windows/deployment/windows-autopatch/references/windows-autopatch-changes-to-tenant.md @@ -128,10 +128,10 @@ Windows Autopatch will create three cloud service accounts in your tenant. These | ----- | ----- | ----- | ----- | | Modern Workplace - Office ADMX Deployment | ADMX file for Office

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        | | | | Modern Workplace - Office Configuration v5 | Sets Office Update Channel to the Monthly Enterprise servicing branch.

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        • Modern Workplace Devices-Windows Autopatch-First
                        • Modern Workplace Devices-Windows Autopatch-Fast
                        • Modern Workplace Devices-Windows Autopatch-Broad
                        | | | -| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Test
                        |
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 0
                        • | -| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-First
                        |
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 0
                        • | -| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                        Assigned to:

                        • Modern Workplace Devices-Windows Autopatch-Fast
                        |
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                        • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                        |
                      • Enabled; L_UpdateDeadlineID == 7
                      • Enabled; L_DeferUpdateDaysID == 3
                        • | -| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                        Assigned to:
                        • Modern Workplace Devices-Windows Autopatch-Broad
                          • |
                          • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline
                          • ./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 7
                          • | +| Modern Workplace - Office Update Configuration [Test] | Sets the Office update deadline

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-Test
                          |
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 0
                          • | +| Modern Workplace - Office Update Configuration [First] | Sets the Office update deadline

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-First
                          |
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 0
                          • | +| Modern Workplace - Office Update Configuration [Fast] | Sets the Office update deadline

                          Assigned to:

                          • Modern Workplace Devices-Windows Autopatch-Fast
                          |
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                          • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                          |
                        • Enabled; L_UpdateDeadlineID == 7
                        • Enabled; L_DeferUpdateDaysID == 3
                          • | +| Modern Workplace - Office Update Configuration [Broad] | Sets the Office update deadline
                          Assigned to:
                          • Modern Workplace Devices-Windows Autopatch-Broad
                            • |
                            • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_UpdateDeadline`
                            • `./Device/Vendor/MSFT/Policy/Config/Office365ProPlus~Policy~L_MicrosoftOfficemachine~L_Updates/L_DeferUpdateDays`
                            |
                          • Enabled; L_UpdateDeadlineID == 7
                          • Enabled; L_DeferUpdateDaysID == 7
                            • | ## Microsoft Edge update policies @@ -142,8 +142,8 @@ Windows Autopatch will create three cloud service accounts in your tenant. These | Policy name | Policy description | OMA | Value | | ----- | ----- | ----- | ----- | | Modern Workplace - Edge Update ADMX Deployment | Deploys ADMX update policy for Edge

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-Test
                            • Modern Workplace Devices-Windows Autopatch-First
                            • Modern Workplace Devices-Windows Autopatch-Fast
                            • Modern Workplace Devices-Windows Autopatch-Broad
                            | | | -| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-First
                            • Modern Workplace Devices-Windows Autopatch-Fast
                            • Modern Workplace Devices-Windows Autopatch-Broad
                            | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | -| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-Test
                            | ./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge | Enabled | +| Modern Workplace - Edge Update Channel Stable | Deploys updates via the Edge Stable Channel

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-First
                            • Modern Workplace Devices-Windows Autopatch-Fast
                            • Modern Workplace Devices-Windows Autopatch-Broad
                            | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | +| Modern Workplace - Edge Update Channel Beta | Deploys updates via the Edge Beta Channel

                            Assigned to:

                            • Modern Workplace Devices-Windows Autopatch-Test
                            | `./Device/Vendor/MSFT/Policy/Config/MicrosoftEdgeUpdate~Policy~Cat_EdgeUpdate~Cat_Applications~Cat_MicrosoftEdge/Pol_TargetChannelMicrosoftEdge` | Enabled | ## Conditional access policies From 61ae725da30c3a8d91f8b47dbf5115e8eb771682 Mon Sep 17 00:00:00 2001 From: Andre Della Monica Date: Fri, 5 Aug 2022 17:04:24 -0500 Subject: [PATCH 58/77] Several changes including deployment ring updates --- .../windows-autopatch-register-devices.md | 41 +++++---- .../windows-autopatch-update-management.md | 83 ++++++++++++------- 2 files changed, 74 insertions(+), 50 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 649f4f674b..7635a6185b 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/04/2022 +ms.date: 08/05/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to @@ -18,7 +18,7 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev ## Before you begin -Windows Autopatch can take over software update management of supported devices as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes: +Windows Autopatch can take over software update management control of devices that meet software-based pre-requisittes as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) - [Windows feature updates](../operate/windows-autopatch-fu-overview.md) @@ -31,7 +31,7 @@ Windows Autopatch can take over software update management of supported devices You must choose what devices to manage with Windows Autopatch by either adding them through direct membership or by nesting other Azure AD dynamic/assigned groups into the **Windows Autopatch Device Registration** Azure AD assigned group. Windows Autopatch automatically runs its discover devices function every hour to discover new devices added to this group. Once new devices are discovered, Windows Autopatch attempts to register these devices. > [!NOTE] -> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the Ready or Not ready tab to register devices on demand. +> Devices that are intended to be managed by the Windows Autopatch service **must** be added into the **Windows Autopatch Device Registration** Azure AD assigned group. Devices can only be added to this group if they have an Azure AD device ID. Windows Autopatch scans the Azure AD group hourly to discover newly added devices to be registered. You can also use the **Discover devices** button in either the **Ready** or **Not ready** tab to register devices on demand. #### Supported scenarios when nesting other Azure AD groups @@ -48,9 +48,6 @@ Azure AD groups synced up from: > [!IMPORTANT] > The **Windows Autopatch Device Registration** Azure AD group only supports one level of Azure AD nested groups. -> [!TIP] -> You can also use the **Discover Devices** button in either the Ready or Not ready tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. - ### Clean up dual state of Hybrid Azure AD joined and Azure registered devices in your Azure AD tenant An [Azure AD dual state](/azure/active-directory/devices/hybrid-azuread-join-plan#handling-devices-with-azure-ad-registered-state) occurs when a device is initially connected to Azure AD as an [Azure AD Registered](/azure/active-directory/devices/concept-azure-ad-register) device. However, when you enable Hybrid Azure AD join, the same device is connected twice to Azure AD but as a [Hybrid Azure AD device](/azure/active-directory/devices/concept-azure-ad-join-hybrid). @@ -66,7 +63,7 @@ It's recommended to detect and clean up stale devices in Azure AD before registe To be eligible for Windows Autopatch management, devices must meet a minimum set of required software-based prerequisites: -- Windows 10 (1809+)/11 Enterprise and Professional edition versions (only x64 architecture). +- Windows 10 (1809+)/11 Enterprise or Professional editions (only x64 architecture). - Either [Hybrid Azure AD-Joined](/azure/active-directory/devices/concept-azure-ad-join-hybrid) or [Azure AD-joined only](/azure/active-directory/devices/concept-azure-ad-join-hybrid) (personal devices aren't supported). - Managed by Microsoft Endpoint Manager. - [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) and/or [Configuration Manager Co-management](/windows/deployment/windows-autopatch/prepare/windows-autopatch-prerequisites#configuration-manager-co-management-requirements). @@ -105,33 +102,39 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role ## Details about the device registration process -Registering your devices in Windows Autopatch does the following: +Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. -2. Assign devices into the deployment ring groups and other groups required for software updates management. +2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software updates management. + +See [Device Registration Overview](../deploy/windows-autopatch-device-registration-overview.md) for more details. ## Steps to register devices -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group to be registered with Windows Autopatch. +Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. See [Windows Autopatch on WIndows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads) for details. +Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. -**To register physical devices into Windows Autopatch:** +**To register devices with Windows Autopatch:** 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Windows Autopatch** from the left navigation menu. 3. Select **Devices**. -4. Select the **Ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. -5. Add either devices through direct membership, or other Azure Active Directory dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. +4. Select either the **Ready** or the **Not ready** tab, then click on the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] > The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs. -Once devices or Azure AD groups containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch discovers these devices, and runs software-based prerequisite checks to try to register them with its service. +Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. + +> [!TIP] +> You can also use the **Discover Devices** button in either the **Ready** or **Not ready** tab to discover devices from the **Windows Autopatch Device Registration** Azure AD group on demand. ### Windows Autopatch on Windows 365 Enterprise Workloads -With Windows 365 Enterprise, IT admins are given the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. +Windows 365 Enterprise gives IT admins the option to register devices with the Windows Autopatch service as part of the Windows 365 provisioning policy creation. This option provides a seamless experience for admins and users to ensure your Cloud PCs are always up to date. When IT admins decide to manage their Windows 365 Cloud PCs with Windows Autopatch, the Windows 365 provisioning policy creation process calls Windows Autopatch device registration APIs to register devices on behalf of the IT admin. -**To deploy Windows Autopatch on a Windows 365 Provisioning Policy:** +**To register new Windows 365 Cloud PC devices with Windows Autopatch from the Windows 365 Provisioning Policy:** 1. Go to the [Microsoft Endpoint Manager](https://endpoint.microsoft.com/) admin center. 1. In the left pane, select **Devices**. @@ -144,11 +147,7 @@ With Windows 365 Enterprise, IT admins are given the option to register devices 1. Assign your policy accordingly and select **Next**. 1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. -For general guidance, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). - -#### Deploy Autopatch on Windows 365 for existing Cloud PC - -All your existing Windows 365 Enterprise workloads can be registered into Windows Autopatch by leveraging the same method for any other physical or virtual device. See [steps to register devices](#steps-to-register-devices) for more details. +See [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy) for more information. ### Contact support for device registration-related incidents diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index 04bdc38aae..ca4f999c9d 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -1,7 +1,7 @@ --- title: Update management description: This article provides an overview of how updates are handled in Autopatch -ms.date: 05/30/2022 +ms.date: 08/05/2022 ms.prod: w11 ms.technology: windows ms.topic: overview @@ -9,16 +9,16 @@ ms.localizationpriority: medium author: tiaraquan ms.author: tiaraquan manager: dougeby -msreviewer: hathind +msreviewer: andredm7 --- -# Update management +# Software updates management -Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates. +Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. -## Update types +## Software update workloads -| Update type | Description | +| Software update workload | Description | | ----- | ----- | | Windows quality update | Windows Autopatch uses four update rings to manage Windows quality updates. For more detailed information, see [Windows quality updates](../operate/windows-autopatch-wqu-overview.md). | | Windows feature update | Windows Autopatch uses four update rings to manage Windows feature updates. For more detailed information, see [Windows feature updates](windows-autopatch-fu-overview.md). @@ -27,44 +27,69 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut | Microsoft Edge | For more information, see [Microsoft Edge](../operate/windows-autopatch-edge.md). | | Microsoft Teams | For more information, see [Microsoft Teams](../operate/windows-autopatch-teams.md). | -## Update rings +## Windows Autopatch deployment rings + +During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings: + +1. **Modern Workplace Devices-Windows Autopatch-Test** + 1. Deployment ring for testing update deployments prior production rollout. +2. **Modern Workplace Devices-Windows Autopatch-First** + 1. First production deployment ring for early adopters. +3. **Modern Workplace Devices-Windows Autopatch-Fast** + 1. Fast deployment ring for quick rollout and adoption. +4. **Modern Workplace Devices-Windows Autopatch-Broad** + 1. Final deployment ring for broad rollout into the organization. + +Each deployment ring has a different set of update deployment policies to control the updates rollout. + +> [!IMPORTANT] +> Windows Autopatch device registration does not assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent having mission critical devices or devices that are used by executives in the organization from receiving early software update deployments. + +Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service have the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. > [!NOTE] -> Update rings only apply to Windows quality updates. +> Windows Autopatch deployment rings only apply to Windows quality updates. Additionally, you can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. -During enrollment, Windows Autopatch creates four Azure Active Directory groups that are used to segment devices into update rings: +### Deployment ring calculation logic -1. Modern Workplace Devices - Test -2. Modern Workplace Devices - First -3. Modern Workplace Devices - Fast -4. Modern Workplace Devices - Broad +The Windows Autopatch deployment ring calculation happens during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md) and it works as follows: -Each of the update rings has a different purpose and assigned a set of policies to control the rollout of updates in each management area. +- If the Windows Autopatch tenant’s existing managed device size is **≤ 200**, the deployment ring assignment is First **(5%)**, Fast **(15%)**, remaining devices go to the Broad ring **(80%)**. +- If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. -When a device is enrolled into the Windows Autopatch service, the device is assigned to an update ring so that we have the right distributions across your estate. The distribution of each ring is designed to release to as few devices as possible to get the signals needed to make a quality evaluation of a given release. -> [!NOTE] -> You can't create additional rings for managed devices and must use the four rings provided by Windows Autopatch. - -| Ring | Default device count | Description +| Deployment ring | Default device balancing percentage | Description | ----- | ----- | ----- | -| Test | zero | Windows Autopatch doesn't automatically add devices to this ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
                            • 0–500 devices: minimum one device
                            • 500–5000 devices: minimum five devices
                            • 5000+ devices: min 50 devices
                            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | -| First | 1% | The First ring is the first group of production users to receive a change.

                            This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all customers. For example, we can generate a statistically significant signal saying that critical errors are trending up in a specific release for all customers but can't be confident that it's doing so in your environment.

                            Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this ring might experience outages if there are scenarios that weren't covered during testing in the Test ring.| -| Fast | 9% | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

                            The goal with this ring is to cross the 500-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

                            | -| Broad | 90% | The Broad ring is the last group of users to receive changes. Since it contains most of the devices enrolled in Windows Autopatch, it favors stability over speed in deployment.| +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
                            • **0–500** devices: minimum **one** device.
                            • **500–5000** devices: minimum **five** devices.
                            • **5000+** devices: minimum **50** devices.
                            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| First | **1%** | The First ring is the first group of production users to receive a change.

                            This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

                            Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| +| Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

                            The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

                            | +| Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| -## Moving devices between rings +## Moving devices in between deployment rings -If you want to move separate devices to different rings, repeat the following steps for each device: +If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab: 1. In Microsoft Endpoint Manager, select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. -3. Select the devices you want to assign. All selected devices will be assigned to the ring you specify. +3. In the **Ready** tab, select one or more devices you want to assign. All selected devices will be assigned to the deployment ring you specify. 4. Select **Device actions** from the menu. 5. Select **Assign device to ring**. A fly-in opens. -6. Use the dropdown menu to select the ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. +6. Use the dropdown menu to select the deployment ring to move devices to, and then select **Save**. The **Ring assigned by** column will change to **Pending**. -When the assignment is complete, the **Ring assigned by** column will change to Admin (indicates that you made the change) and the **Ring** column will show the new ring assignment. +When the assignment is complete, the **Ring assigned by** column changes to **Admin** (which indicates that you made the change) and the **Ring** column shows the new deployment ring assignment. > [!NOTE] -> You can't move devices to other rings if they're in the "error" or "pending" registration state.

                            If a device hasn't been properly removed, it could show a status of "ready." If you move such a device, it's possible that the move won't be complete. If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check that the device is available by searching for it in Intune. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). +> You can only move devices to other deployment rings when they're in an active state in the **Ready** tab.

                            If you don't see the **Ring assigned by column** change to **Pending** in Step 5, check to see whether the device exists in Microsoft Endpoint Manager-Intune or not by searching for it in its device blade. For more information, see [Device details in Intune](/mem/intune/remote-actions/device-inventory). + +## Automated deployment ring remediation functions + +Windows Autopatch monitors device membership in its deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**) to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. +These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process or in case an issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). + +There are two automated deployment ring remediation functions, they work as follows: + +- **Check Device Deployment Ring Membership:** Every hour, Windows Autopatch checks to see if its managed devices are not part of one of the deployment rings. When for some reason, a device is not part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**). +- **Multi-deployment ring device remediator:** Every hour, Windows Autopatch checks to see if its managed devices are part of multiple deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**). When for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring. + +> [!IMPORTANT] +> Windows Autopatch automated deployment ring functions do not assign/remove devices to/from its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). \ No newline at end of file From 7bcd1ae5f8bdd8cd333f2096bef4a16d0ff20eef Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:09:59 -0700 Subject: [PATCH 59/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 7635a6185b..ffe221e0e8 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -107,7 +107,7 @@ Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. 2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software updates management. -See [Device Registration Overview](../deploy/windows-autopatch-device-registration-overview.md) for more details. +For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). ## Steps to register devices @@ -119,11 +119,11 @@ Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/). 2. Select **Windows Autopatch** from the left navigation menu. 3. Select **Devices**. -4. Select either the **Ready** or the **Not ready** tab, then click on the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. +4. Select either the **Ready** or the **Not ready** tab, then select the **Windows Autopatch Device Registration** hyperlink. The Azure Active Directory group blade opens. 5. Add either devices through direct membership, or other Azure AD dynamic or assigned groups as nested groups in the **Windows Autopatch Device Registration** group. > [!NOTE] -> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both Ready and Not ready tabs. +> The **Windows Autopatch Device Registration** hyperlink is in the center of the Ready tab when there's no devices registered with the Windows Autopatch service. Once you have one or more devices registered with the Windows Autopatch service, the **Windows Autopatch Device registration** hyperlink is at the top of both **Ready** and **Not ready** tabs. Once devices or other Azure AD groups (either dynamic or assigned) containing devices are added to the **Windows Autopatch Device Registration** group, Windows Autopatch's device discovery hourly function discovers these devices, and runs software-based prerequisite checks to try to register them with its service. From 72d02f12dd522d6a190ff395d8f103264dab7e6e Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:10:29 -0700 Subject: [PATCH 60/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index ffe221e0e8..3e9c580eab 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -18,7 +18,7 @@ Before Microsoft can manage your devices in Windows Autopatch, you must have dev ## Before you begin -Windows Autopatch can take over software update management control of devices that meet software-based pre-requisittes as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: +Windows Autopatch can take over software update management control of devices that meet software-based prerequisites as soon as an IT admin decides to have their tenant managed by the service. The Windows Autopatch software update management scope includes the following software update workloads: - [Windows quality updates](../operate/windows-autopatch-wqu-overview.md) - [Windows feature updates](../operate/windows-autopatch-fu-overview.md) From 5f95b79e4267daaf7085bfce4f64a01c85210b0d Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:12:22 -0700 Subject: [PATCH 61/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 3e9c580eab..8882798bf0 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -111,7 +111,7 @@ For more information, see [Device registration overview](../deploy/windows-autop ## Steps to register devices -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. See [Windows Autopatch on WIndows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads) for details. +Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on WIndows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. **To register devices with Windows Autopatch:** @@ -147,8 +147,7 @@ Windows 365 Enterprise gives IT admins the option to register devices with the W 1. Assign your policy accordingly and select **Next**. 1. Select **Create**. Now your newly provisioned Windows 365 Enterprise Cloud PCs will automatically be enrolled and managed by Windows Autopatch. -See [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy) for more information. - +For more information, see [Create a Windows 365 Provisioning Policy](/windows-365/enterprise/create-provisioning-policy). ### Contact support for device registration-related incidents Support is available either through Windows 365, or the Windows Autopatch Service Engineering team for device registration-related incidents. From a43223bdb1a463ce9509227fc07d11139b49f1be Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:16:18 -0700 Subject: [PATCH 62/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index 8882798bf0..d9c1c1b737 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -111,7 +111,7 @@ For more information, see [Device registration overview](../deploy/windows-autop ## Steps to register devices -Any device (either physical or virtual) that contains an Azure AD device ID can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on WIndows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). +Any device (either physical or virtual) that contains an Azure AD device ID, can be added into the **Windows Autopatch Device Registration** Azure AD group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group, so it can be registered with Windows Autopatch. The only exception is new Windows 365 Cloud PCs, as these virtual devices must be registered with Windows Autopatch from the Windows 365 provisioning policy. For more information, see [Windows Autopatch on Windows 365 Enterprise Workloads](#windows-autopatch-on-windows-365-enterprise-workloads). Since existing Windows 365 Cloud PCs already have an existing Azure AD device ID, these devices can be added into the **Windows Autopatch Device Registration** Azure group through either direct membership or by being part of another Azure AD group (either dynamic or assigned) that's nested to this group. **To register devices with Windows Autopatch:** From 7087f64faccad2a8f988b5afcb2dc184f3c9efde Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 15:16:59 -0700 Subject: [PATCH 63/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index d9c1c1b737..b39a0022a6 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -105,7 +105,7 @@ For more information, see [Azure AD built-in roles](/azure/active-directory/role Registering your devices with Windows Autopatch does the following: 1. Makes a record of devices in the service. -2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software updates management. +2. Assign devices to the [deployment rings](../operate/windows-autopatch-update-management.md) and other groups required for software update management. For more information, see [Device registration overview](../deploy/windows-autopatch-device-registration-overview.md). From aa0bc31fd3445b60c92c0975841f3bbe32fcea38 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 20:35:05 -0700 Subject: [PATCH 64/77] Update windows-autopatch-register-devices.md --- .../deploy/windows-autopatch-register-devices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md index b39a0022a6..61a5e35dfe 100644 --- a/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md +++ b/windows/deployment/windows-autopatch/deploy/windows-autopatch-register-devices.md @@ -1,7 +1,7 @@ --- title: Register your devices description: This article details how to register devices in Autopatch -ms.date: 08/05/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: how-to From a4b05ba7654e076d0935000a8dd646a75b8b3294 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Fri, 5 Aug 2022 20:48:56 -0700 Subject: [PATCH 65/77] Update windows-autopatch-update-management.md Reviewed. --- .../windows-autopatch-update-management.md | 48 ++++++++++--------- 1 file changed, 26 insertions(+), 22 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md index ca4f999c9d..983a41a940 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-update-management.md @@ -1,7 +1,7 @@ --- -title: Update management +title: Software update management description: This article provides an overview of how updates are handled in Autopatch -ms.date: 08/05/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: overview @@ -12,7 +12,7 @@ manager: dougeby msreviewer: andredm7 --- -# Software updates management +# Software update management Keeping your devices up to date is a balance of speed and stability. Windows Autopatch connects all devices to a modern cloud-based infrastructure to manage updates on your behalf. @@ -31,21 +31,19 @@ Keeping your devices up to date is a balance of speed and stability. Windows Aut During the [tenant enrollment process](../prepare/windows-autopatch-enroll-tenant.md), Windows Autopatch creates four Azure AD assigned groups that are used to segment devices into its deployment rings: -1. **Modern Workplace Devices-Windows Autopatch-Test** - 1. Deployment ring for testing update deployments prior production rollout. -2. **Modern Workplace Devices-Windows Autopatch-First** - 1. First production deployment ring for early adopters. -3. **Modern Workplace Devices-Windows Autopatch-Fast** - 1. Fast deployment ring for quick rollout and adoption. -4. **Modern Workplace Devices-Windows Autopatch-Broad** - 1. Final deployment ring for broad rollout into the organization. +| Ring | Description | +| ----- | ----- | +| **Modern Workplace Devices-Windows Autopatch-Test** | Deployment ring for testing update deployments prior production rollout.| +| **Modern Workplace Devices-Windows Autopatch-First** | First production deployment ring for early adopters.| +| **Modern Workplace Devices-Windows Autopatch-Fast** | Fast deployment ring for quick rollout and adoption. | +| **Modern Workplace Devices-Windows Autopatch-Broad** | Final deployment ring for broad rollout into the organization. | Each deployment ring has a different set of update deployment policies to control the updates rollout. > [!IMPORTANT] -> Windows Autopatch device registration does not assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent having mission critical devices or devices that are used by executives in the organization from receiving early software update deployments. +> Windows Autopatch device registration doesn't assign devices to its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). This is intended to prevent devices that are essential to a business from being affected or devices that are used by executives from receiving early software update deployments. -Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service have the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. +Also, during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md), Windows Autopatch assigns each device being registered to one of its deployment rings so that the service has the proper representation of the device diversity across the organization in each deployment ring. The deployment ring distribution is designed to release software update deployments to as few devices as possible to get the signals needed to make a quality evaluation of a given update deployment. > [!NOTE] > Windows Autopatch deployment rings only apply to Windows quality updates. Additionally, you can't create additional deployment rings or use your own for devices managed by the Windows Autopatch service. @@ -58,16 +56,18 @@ The Windows Autopatch deployment ring calculation happens during the [device reg - If the Windows Autopatch tenant’s existing managed device size is **>200**, the deployment ring assignment will be First **(1%)**, Fast **(9%)**, remaining devices go to the Broad ring **(90%)**. -| Deployment ring | Default device balancing percentage | Description +| Deployment ring | Default device balancing percentage | Description | | ----- | ----- | ----- | -| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:

                            • **0–500** devices: minimum **one** device.
                            • **500–5000** devices: minimum **five** devices.
                            • **5000+** devices: minimum **50** devices.
                            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | +| Test | **zero** | Windows Autopatch doesn't automatically add devices to this deployment ring. You must manually add devices to the Test ring. The recommended number of devices in this ring, based upon your environment size, is as follows:
                            • **0–500** devices: minimum **one** device.
                            • **500–5000** devices: minimum **five** devices.
                            • **5000+** devices: minimum **50** devices.
                            Devices in this group are intended for your IT Administrators and testers since changes are released here first. This release schedule provides your organization the opportunity to validate updates prior to reaching production users. | | First | **1%** | The First ring is the first group of production users to receive a change.

                            This group is the first set of devices to send data to Windows Autopatch and are used to generate a health signal across all end-users. For example, Windows Autopatch can generate a statistically significant signal saying that critical errors are trending up in a specific release for all end-users, but can't be confident that it's doing so in your organization.

                            Since Windows Autopatch doesn't yet have sufficient data to inform a release decision, devices in this deployment ring might experience outages if there are scenarios that weren't covered during early testing in the Test ring.| | Fast | **9%** | The Fast ring is the second group of production users to receive changes. The signals from the First ring are considered as a part of the release process to the Broad ring.

                            The goal with this deployment ring is to cross the **500**-device threshold needed to generate statistically significant analysis at the tenant level. These extra devices allow Windows Autopatch to consider the effect of a release on the rest of your devices and evaluate if a targeted action for your tenant is needed.

                            | | Broad | Either **80%** or **90%** | The Broad ring is the last group of users to receive software update deployments. Since it contains most of the devices registered with Windows Autopatch, it favors stability over speed in an software update deployment.| ## Moving devices in between deployment rings -If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab: +If you want to move separate devices to different deployment rings, after Windows Autopatch's deployment ring assignment, you can repeat the following steps for one or more devices from the **Ready** tab. + +**To move devices in between deployment rings:** 1. In Microsoft Endpoint Manager, select **Devices** in the left pane. 2. In the **Windows Autopatch** section, select **Devices**. @@ -83,13 +83,17 @@ When the assignment is complete, the **Ring assigned by** column changes to **Ad ## Automated deployment ring remediation functions -Windows Autopatch monitors device membership in its deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**) to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. -These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process or in case an issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). +Windows Autopatch monitors device membership in its deployment rings, except for the **Modern Workplace Devices-Windows Autopatch-Test** ring, to provide automated deployment ring remediation functions to mitigate the risk of not having its managed devices being part of one of its deployment rings. These automated functions help mitigate risk of potentially having devices in a vulnerable state, and exposed to security threats in case they're not receiving update deployments due to either: -There are two automated deployment ring remediation functions, they work as follows: +- Changes performed by the IT admin on objects created by the Windows Autopatch tenant enrollment process, or +- An issue occurred which prevented devices from getting a deployment rings assigned during the [device registration process](../deploy/windows-autopatch-device-registration-overview.md). -- **Check Device Deployment Ring Membership:** Every hour, Windows Autopatch checks to see if its managed devices are not part of one of the deployment rings. When for some reason, a device is not part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**). -- **Multi-deployment ring device remediator:** Every hour, Windows Autopatch checks to see if its managed devices are part of multiple deployment rings (all but the **Modern Workplace Devices-Windows Autopatch-Test**). When for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring. +There are two automated deployment ring remediation functions: + +| Function | Description | +| ----- | ----- | +| **Check Device Deployment Ring Membership** | Every hour, Windows Autopatch checks to see if any of its managed devices aren't part of one of the deployment rings. If, for some reason, a device isn't part of a deployment ring, Windows Autopatch randomly assigns the device to one of its deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). | +| **Multi-deployment ring device remediator:**| Every hour, Windows Autopatch checks to see if any of its managed devices are part of multiple deployment rings (except for the **Modern Workplace Devices-Windows Autopatch-Test** ring). If, for some reason, a device is part of multiple deployment rings, Windows Autopatch randomly removes device of one or more deployment rings until the device is only part of one deployment ring.| > [!IMPORTANT] -> Windows Autopatch automated deployment ring functions do not assign/remove devices to/from its test deployment ring (**Modern Workplace Devices-Windows Autopatch-Test**). \ No newline at end of file +> Windows Autopatch automated deployment ring functions doesn't assign or remove devices to or from the **Modern Workplace Devices-Windows Autopatch-Test** ring. From 2edc2aae659d6088babeda5d468b0280ceb2727b Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 19:53:43 -0700 Subject: [PATCH 66/77] Update windows-autopatch-microsoft-365-apps-enterprise.md Fixing broken link. --- .../windows-autopatch-microsoft-365-apps-enterprise.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md index 8f286647f4..ddefb5977c 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-microsoft-365-apps-enterprise.md @@ -1,7 +1,7 @@ --- title: Microsoft 365 Apps for enterprise description: This article explains how Microsoft 365 Apps for enterprise updates are managed in Windows Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -88,7 +88,7 @@ Since quality updates are bundled together into a single release in the [Monthly A [service profile](/deployoffice/admincenter/servicing-profile#compatibility-with-other-management-tools) takes precedence over other management tools, such as Microsoft Endpoint Manager or the Office Deployment Tool. This means that the servicing profile will affect all devices that meet the [device eligibility requirements](#device-eligibility) regardless of existing management tools in your environment. So, if you're targeting a managed device with a servicing profile it will be ineligible for Microsoft 365 App update management. -However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [update type](windows-autopatch-update-management.md#update-types), see the Device eligibility section of each respective update type. +However, the device may still be eligible for other managed updates. For more information about a device's eligibility for a given [software update workload](windows-autopatch-update-management.md#software-update-workloads), see the Device eligibility section of each respective software update workload. ## Incidents and outages From 32cad8f28805da1542b526280d8eadf52cb76a35 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 19:55:26 -0700 Subject: [PATCH 67/77] Update windows-autopatch-wqu-overview.md Fixing broken link. --- .../operate/windows-autopatch-wqu-overview.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md index e58e36cbfd..c7c96c2575 100644 --- a/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md +++ b/windows/deployment/windows-autopatch/operate/windows-autopatch-wqu-overview.md @@ -1,7 +1,7 @@ --- title: Windows quality updates description: This article explains how Windows quality updates are managed in Autopatch -ms.date: 05/30/2022 +ms.date: 08/08/2022 ms.prod: w11 ms.technology: windows ms.topic: conceptual @@ -37,7 +37,7 @@ For a device to be eligible for Windows quality updates as a part of Windows Aut Windows Autopatch deploys the [B release of Windows quality updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-quality-updates-primer/ba-p/2569385) that are released on the second Tuesday of each month. -To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update ring to control the rollout. There are three primary policies that are used to control Windows quality updates: +To release updates to devices in a gradual manner, Windows Autopatch deploys a set of mobile device management (MDM) policies to each update deployment ring to control the rollout. There are three primary policies that are used to control Windows quality updates: | Policy | Description | | ----- | ----- | @@ -48,7 +48,7 @@ To release updates to devices in a gradual manner, Windows Autopatch deploys a s > [!IMPORTANT] > Deploying deferral, deadline, or grace period policies which conflict with Autopatch's policies will cause a device to be considered ineligible for management, it will still receive policies from Windows Autopatch that are not in conflict, but may not function as designed. These devices will be marked as ineligible in our device reporting and will not count towards our [service level objective](#service-level-objective). -Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Update rings](../operate/windows-autopatch-update-management.md#update-rings). +Windows Autopatch configures these policies differently across update rings to gradually release the update to devices in your estate. Devices in the Test ring receive changes first and devices in the Broad ring receive changes last. For more information, see [Windows Autopatch deployment rings](../operate/windows-autopatch-update-management.md#windows-autopatch-deployment-rings). :::image type="content" source="../media/release-process-timeline.png" alt-text="Release process timeline"::: From 48431f0f1ffed90af3bc486422e73c5fac76d16c Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 19:56:57 -0700 Subject: [PATCH 68/77] Update windows-autopatch-faq.yml Fixing broken link. --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index 29d2234dde..e31bd34de9 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -96,9 +96,9 @@ sections: - question: Can you customize the scheduling of an update rollout to only install on certain days and times? answer: | No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - - question: Does Autopatch support include and exclude groups, or dynamic groups to define ring membership? + - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update ring membership using your Azure AD groups. For more information, see [Move devices between rings](../operate/windows-autopatch-update-management.md#moving-devices-between-rings). + Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. From 03dd00bf5b2f1227f5dc17172409fa7a14d650b8 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 19:57:14 -0700 Subject: [PATCH 69/77] Update windows-autopatch-faq.yml Updated date. --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index e31bd34de9..ef94430a67 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -4,7 +4,7 @@ metadata: description: Answers to frequently asked questions about Windows Autopatch. ms.prod: w11 ms.topic: faq - ms.date: 07/06/2022 + ms.date: 08/08/2022 audience: itpro ms.localizationpriority: medium manager: dougeby From 32cea86a4922cea7bcdebeb12e2e1a86a8bce323 Mon Sep 17 00:00:00 2001 From: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Date: Sat, 6 Aug 2022 20:05:51 -0700 Subject: [PATCH 70/77] Update windows-autopatch-faq.yml Fixed link. --- .../windows-autopatch/overview/windows-autopatch-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml index ef94430a67..54b36ea6ce 100644 --- a/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml +++ b/windows/deployment/windows-autopatch/overview/windows-autopatch-faq.yml @@ -98,7 +98,7 @@ sections: No, you can't customize update scheduling. However, you can specify [active hours](../operate/windows-autopatch-wqu-end-user-exp.md#servicing-window) to prevent users from updating during business hours. - question: Does Autopatch support include and exclude groups, or dynamic groups to define deployment ring membership? answer: | - Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-rings). + Windows autopatch doesn't support managing update deployment ring membership using your Azure AD groups. For more information, see [Moving devices in between deployment rings](../operate/windows-autopatch-update-management.md#moving-devices-in-between-deployment-rings). - question: Does Autopatch have two release cadences per update or are there two release cadences per-ring? answer: | The release cadences are defined based on the update type. For example, a [regular cadence](../operate/windows-autopatch-wqu-overview.md#windows-quality-update-releases) (for a Windows quality update would be a gradual rollout from the Test ring to the Broad ring over 14 days whereas an [expedited release](../operate/windows-autopatch-wqu-overview.md#expedited-releases) would roll out more rapidly. From 5cb7010bb258c28ab1eb78b8d3cc94f614072339 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 2 May 2022 18:33:00 +0530 Subject: [PATCH 71/77] Acrolinx enhancement --- ...ystem-image-using-configuration-manager.md | 6 +- ...-windows-pe-using-configuration-manager.md | 16 +-- ...e-boot-image-with-configuration-manager.md | 12 +- ...ence-with-configuration-manager-and-mdt.md | 16 +-- ...-windows-10-using-configuration-manager.md | 13 +- ...-10-using-pxe-and-configuration-manager.md | 19 +-- ...0-deployment-with-configuration-manager.md | 18 +-- ...f-windows-10-with-configuration-manager.md | 74 +++++----- ...-windows-10-using-configuration-manager.md | 12 +- ...-windows-10-using-configuration-manager.md | 37 ++--- ...o-windows-10-with-configuration-manager.md | 18 +-- ...d-environment-for-windows-10-deployment.md | 17 +-- .../configure-mdt-deployment-share-rules.md | 6 +- .../configure-mdt-settings.md | 7 +- .../create-a-windows-10-reference-image.md | 131 +++++++++--------- .../deploy-a-windows-10-image-using-mdt.md | 99 +++++++------ ...d-with-the-microsoft-deployment-toolkit.md | 39 +++--- 17 files changed, 272 insertions(+), 268 deletions(-) diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md index 1e4ef75b50..af75531621 100644 --- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md @@ -21,8 +21,8 @@ Operating system images are typically the production image used for deployment t ## Infrastructure -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -46,7 +46,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is 5. On the **General** page, assign the name Windows 10 Enterprise x64 RTM, click **Next** twice, and then click **Close**. 6. Distribute the operating system image to the CM01 distribution point by right-clicking the **Windows 10 Enterprise x64 RTM** operating system image and then clicking **Distribute Content**. 7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**. -8. View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +8. View the content status for the Windows 10 Enterprise x64 RTM package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. ![figure 18.](../images/fig18-distwindows.png) diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md index 4dad48dc9d..1d57288f6f 100644 --- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md @@ -17,10 +17,10 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -In this topic, you will learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it is likely you will have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. +In this topic, you'll learn how to configure the Windows Preinstallation Environment (Windows PE) to include the network drivers required to connect to the deployment share and the storage drivers required to see the local storage on machines. Even though the Windows PE boot image and the Windows 10 operating system contain many out-of-the-box drivers, it's likely you'll have to add new or updated drivers to support all your hardware. In this section, you import drivers for both Windows PE and the full Windows 10 operating system. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -29,9 +29,9 @@ For the purposes of this guide, we will use one server computer: CM01. This section will show you how to import some network and storage drivers for Windows PE. >[!NOTE] ->Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. +>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you've an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure. -This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. +This section assumes you've downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01. ![Drivers.](../images/cm01-drivers.png) @@ -58,7 +58,7 @@ On **CM01**: This section illustrates how to add drivers for Windows 10 using the HP EliteBook 8560w as an example. Use the HP Image Assistant from the [HP Client Management Solutions site](https://hp.com/go/clientmanagement). -For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. +For the purposes of this section, we assume that you've downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01. ![Drivers in Windows.](../images/cm01-drivers-windows.png) @@ -81,9 +81,9 @@ On **CM01**: * Path: \\\\CM01\\Sources$\\OSD\\DriverPackages\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w >[!NOTE] - >The package path does not yet exist, so you have to type it in. The wizard will create the new package using the path you specify. + >The package path does not yet exist, so you've to type it in. The wizard will create the new package using the path you specify. -5. On the **Select drivers to include in the boot image** page, do not select anything, and click **Next** twice. After the package has been created, click **Close**. +5. On the **Select drivers to include in the boot image** page, don't select anything, and click **Next** twice. After the package has been created, click **Close**. >[!NOTE] >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import. diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md index e925ac8f45..fb7aae6b8e 100644 --- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md @@ -20,16 +20,16 @@ ms.custom: seo-marvel-apr2020 In Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process. - The boot image that is created is based on the version of ADK that is installed. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). ## Add DaRT 10 files and prepare to brand the boot image -The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image. +The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you don't wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image. -We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. +We assume you've downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you've created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named ContosoBackground.bmp. On **CM01**: @@ -42,7 +42,7 @@ On **CM01**: ## Create a boot image for Configuration Manager using the MDT wizard -By using the MDT wizard to create the boot image in Configuration Manager, you gain additional options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. +By using the MDT wizard to create the boot image in Configuration Manager, you gain more options for adding components and features to the boot image. In this section, you create a boot image for Configuration Manager using the MDT wizard. On **CM01**: @@ -65,7 +65,7 @@ On **CM01**: 6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**. 7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**. 8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard. -9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: +9. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Don't continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples: ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)
                            ![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png) diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md index 260b79eadd..f846694f35 100644 --- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md +++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md @@ -16,10 +16,10 @@ ms.topic: article - Windows 10 -In this article, you will learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. +In this article, you'll learn how to create a Configuration Manager task sequence with Microsoft Deployment Toolkit (MDT) integration using the MDT wizard. Creating task sequences in Configuration Manager requires many more steps than creating task sequences for MDT Lite Touch installation. Luckily, the MDT wizard helps you through the process and also guides you through creating the needed packages. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). Note: Active Directory [permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) for the **CM_JD** account are required for the task sequence to work properly. @@ -93,9 +93,9 @@ On **CM01**: Add an application to the Configuration Manager task sequence >[!NOTE] - >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There is also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. + >In recent versions of Configuration Manager the Request State Store and Release State Store actions described below are present by default. These actions are used for common computer replace scenarios. There's also the additional condition on the options tab: USMTOfflineMigration not equals TRUE. If these actions are not present, try updating to the Config Mgr current branch release. -9. In the **State Restore** group, after the **Set Status 5** action, verify there is a **User State \ Request State Store** action with the following settings: +9. In the **State Restore** group, after the **Set Status 5** action, verify there's a **User State \ Request State Store** action with the following settings: * Request state storage location to: Restore state from another computer * If computer account fails to connect to state store, use the Network Access account: selected * Options: Continue on error @@ -103,7 +103,7 @@ On **CM01**: * Task Sequence Variable * USMTLOCAL not equals True -10. In the **State Restore** group, after the **Restore User State** action, verify there is a **Release State Store** action with the following settings: +10. In the **State Restore** group, after the **Restore User State** action, verify there's a **Release State Store** action with the following settings: * Options: Continue on error * Options / Condition: * Task Sequence Variable @@ -113,14 +113,14 @@ On **CM01**: ## Organize your packages (optional) -If desired, you can create a folder structure for packages. This is purely for organizational purposes and is useful if you need to manage a large number of packages. +If desired, you can create a folder structure for packages. This folder structure is purely for organizational purposes and is useful if you need to manage a large number of packages. To create a folder for packages: On **CM01**: 1. Using the Configuration Manager Console, in the Software Library workspace, expand **Application Management**, and then select **Packages**. -2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This will create the Root \ OSD folder structure. +2. Right-click **Packages**, point to **Folder**, click **Create Folder** and create the OSD folder. This process will create the Root \ OSD folder structure. 3. Select the **MDT**, **User State Migration Tool for Windows**, and **Windows 10 x64 Settings** packages, right-click and select **Move**. 4. In the **Move Selected Items** dialog box, select the **OSD** folder, and click **OK**. diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md index caae9de1b6..102b3ae2d6 100644 --- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Create an app to deploy with Windows 10 using Configuration Manager -description: Microsoft Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. +description: Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. +ms.assetid: 2dfb2f39-1597-4999-b4ec-b063e8a8c90c ms.reviewer: manager: dougeby ms.author: aaroncz @@ -19,8 +20,8 @@ ms.topic: article Microsoft Endpoint Manager supports deploying applications as part of the Windows 10 deployment process. In this section, you create an application in Microsoft Endpoint Manager that you later configure the task sequence to use. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. >[!NOTE] >The [reference image](add-a-windows-10-operating-system-image-using-configuration-manager.md) used in this lab already contains some applications, such as Microsoft Office 365 Pro Plus x64. The procedure demonstrated in this article enables you to add some additional custom applications beyond those included in the reference image. @@ -29,9 +30,9 @@ For the purposes of this guide, we will use one server computer: CM01. On **CM01**: -1. Create the **D:\Setup** folder if it does not already exist. +1. Create the **D:\Setup** folder if it doesn't already exist. 1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (ex: AcroRdrDC2000620034_en_US.exe) to **D:\\Setup\\Adobe** on CM01. The filename will differ depending on the version of Acrobat Reader. -2. Extract the .exe file that you downloaded to an .msi. The source folder will differ depending on where you downloaded the file. See the following example: +2. Extract the .exe file that you downloaded to a .msi. The source folder will differ depending on where you downloaded the file. See the following example: ```powershell Set-Location C:\Users\administrator.CONTOSO\Downloads @@ -64,7 +65,7 @@ On **CM01**: Add the "OSD Install" suffix to the application name -11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this is another place to view properties, you can also right-click and select properties). +11. In the **Applications** node, select the Adobe Reader - OSD Install application, and click **Properties** on the ribbon bar (this path is another place to view properties, you can also right-click and select properties). 12. On the **General Information** tab, select the **Allow this application to be installed from the Install Application task sequence action without being deployed** check box, and click **OK**. Next, see [Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md). diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md index 55d9928a01..253e63190e 100644 --- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Deploy Windows 10 using PXE and Configuration Manager (Windows 10) -description: In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. +description: In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. +ms.assetid: fb93f514-5b30-4f4b-99dc-58e6860009fa manager: dougeby ms.author: aaroncz ms.prod: w10 @@ -16,9 +17,9 @@ ms.collection: highpri - Windows 10 -In this topic, you will learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. +In this topic, you'll learn how to deploy Windows 10 using Microsoft Endpoint Manager deployment packages and task sequences. This topic will walk you through the process of deploying the Windows 10 Enterprise image to a Unified Extensible Firmware Interface (UEFI) computer named PC0001. An existing Configuration Manager infrastructure that is integrated with MDT is used for the procedures in this topic. -This topic assumes that you have completed the following prerequisite procedures: +This topic assumes that you've completed the following prerequisite procedures: - [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md) - [Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - [Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) @@ -27,10 +28,10 @@ This topic assumes that you have completed the following prerequisite procedures - [Create a task sequence with Configuration Manager and MDT](create-a-task-sequence-with-configuration-manager-and-mdt.md) - [Finalize the operating system configuration for Windows 10 deployment with Configuration Manager](finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md) -For the purposes of this guide, we will use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). +For the purposes of this guide, we'll use a minimum of two server computers (DC01 and CM01) and one client computer (PC0001). - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. Note: DHCP services are required for the client (PC0001) to connect to the Windows Deployment Service (WDS). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. - - CM01 is also running WDS which will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. + - CM01 is also running WDS that will be required to start PC0001 via PXE. **Note**: Ensure that only CM01 is running WDS. - PC0001 is a client computer that is blank, or has an operating system that will be erased and replaced with Windows 10. The device must be configured to boot from the network. >[!NOTE] @@ -38,7 +39,7 @@ For the purposes of this guide, we will use a minimum of two server computers (D All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This connection isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!NOTE] >No WDS console configuration is required for PXE to work. Everything is done with the Configuration Manager console. @@ -50,7 +51,7 @@ All server and client computers referenced in this guide are on the same subnet. 3. On the **Select a task sequence to run** page, select **Windows 10 Enterprise x64 RTM** and click **Next**. 4. On the **Edit Task Sequence Variables** page, double-click the **OSDComputerName** variable, and in the **Value** field, type **PC0001** and click **OK**. Then click **Next**. 5. The operating system deployment will take several minutes to complete. -6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following: +6. You can monitor the deployment on CM01 using the MDT Deployment Workbench. When you see the PC0001 entry, double-click **PC0001**, and then click **DaRT Remote Control** and review the **Remote Control** option. The task sequence will run and do the following steps: * Install the Windows 10 operating system. * Install the Configuration Manager client and the client hotfix. @@ -64,7 +65,7 @@ All server and client computers referenced in this guide are on the same subnet. Monitoring the deployment with MDT. -7. When the deployment is finished you will have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus. +7. When the deployment is finished you'll have a domain-joined Windows 10 computer with the Adobe Reader application installed as well as the applications that were included in the reference image, such as Office 365 Pro Plus. Examples are provided below of various stages of deployment: diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md index 15ccee4085..3984e65a9b 100644 --- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md @@ -19,8 +19,8 @@ ms.custom: seo-marvel-apr2020 This topic walks you through the steps to finalize the configuration of your Windows 10 operating deployment, which includes enabling optional MDT monitoring for Configuration Manager, logs folder settings, rules configuration, content distribution, and deployment of the previously created task sequence. -For the purposes of this guide, we will use one server computer: CM01. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. +For the purposes of this guide, we'll use one server computer: CM01. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). @@ -45,11 +45,11 @@ On **CM01**: ## Configure the Logs folder -The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we will add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. +The D:\Logs folder was [created previously](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md?#review-the-sources-folder-structure) and SMB permissions were added. Next, we'll add NTFS folder permissions for the Configuration Manager Network Access Account (CM_NAA), and enable server-side logging by modifying the CustomSettings.ini file used by the Configuration Manager task sequence. On **CM01**: -1. To configure NTFS permissions using icacls.exe, type the following at an elevated Windows PowerShell prompt: +1. To configure NTFS permissions using icacls.exe, type the following command at an elevated Windows PowerShell prompt: ``` icacls D:\Logs /grant '"CM_NAA":(OI)(CI)(M)' @@ -82,17 +82,17 @@ On **CM01**: 3. In the Configuration Manager console, update the distribution point for the **Windows 10 x64 Settings** package by right-clicking the **Windows 10 x64 Settings** package and selecting **Update Distribution Points**. Click **OK** in the popup dialog box. >[!NOTE] - >Although you have not yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. + >Although you haven't yet added a distribution point, you still need to select Update Distribution Points. This process also updates the Configuration Manager content library with changes. ## Distribute content to the CM01 distribution portal -In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that have not yet been distributed to the CM01 distribution point. +In Configuration Manager, you can distribute all packages needed by a task sequence in a single task. In this section, you distribute packages that haven't yet been distributed to the CM01 distribution point. On **CM01**: 1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems** and select **Task Sequences**. Right-click the **Windows 10 Enterprise x64 RTM** task sequence, and select **Distribute Content**. 2. In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard. -3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully. +3. Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Don't continue until you see all the new packages being distributed successfully. ![Content status.](../images/cm01-content-status1.png) @@ -100,7 +100,7 @@ On **CM01**: ## Create a deployment for the task sequence -This sections provides steps to help you create a deployment for the task sequence. +This section provides steps to help you create a deployment for the task sequence. On **CM01**: @@ -126,7 +126,7 @@ On **CM01**: ## Configure Configuration Manager to prompt for the computer name during deployment (optional) -You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more details on how to do this, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). +You can have Configuration Manager prompt you for a computer name or you can use rules to generate a computer name. For more information on how to do this step, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md). This section provides steps to help you configure the All Unknown Computers collection to have Configuration Manager prompt for computer names. diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md index 840f69546c..785a68cc3d 100644 --- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md @@ -20,7 +20,7 @@ This article walks you through the Zero Touch Installation (ZTI) process of Wind ## Prerequisites -In this article, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: +In this topic, you'll use [components](#components-of-configuration-manager-operating-system-deployment) of an existing Configuration Manager infrastructure to prepare for Windows 10 OSD. In addition to the base setup, the following configurations should be made in the Configuration Manager environment: - Configuration Manager current branch + all security and critical updates are installed. @@ -32,19 +32,18 @@ In this article, you'll use [components](#components-of-configuration-manager-op - The Configuration Manager [reporting services](/mem/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured. - A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure). - The [Windows ADK](/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed. -- The [CMTrace tool](/mem/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. - - > [!NOTE] - > CMTrace is automatically installed with the current branch of Configuration Manager. +- The [CMTrace tool](/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point. + > [!NOTE] + > CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr, it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this separate installation is no longer needed. Configuration Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool. For the purposes of this guide, we'll use three server computers: DC01, CM01 and HV01. - DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server. -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - HV01 is a Hyper-V host computer that is used to build a Windows 10 reference image. This computer doesn't need to be a domain member. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This configuration isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ### Domain credentials @@ -57,13 +56,13 @@ The following generic credentials are used in this guide. You should replace the ## Create the OU structure >[!NOTE] ->If you have already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. +>If you've already [created the OU structure](../deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md#create-the-ou-structure) that was used in the OSD guide for MDT, the same structure is used here and you can skip this section. On **DC01**: To create the OU structure, you can use the Active Directory Users and Computers console (dsa.msc), or you can use Windows PowerShell. The procedure below uses Windows PowerShell. -To use Windows PowerShell, copy the following commands into a text file and save it as **C:\Setup\Scripts\ou.ps1**. Be sure that you're viewing file extensions and that you save the file with the `.ps1` extension. +To use Windows PowerShell, copy the following commands into a text file and save it as C:\Setup\Scripts\ou.ps1. Ensure that you're viewing file extensions and that you save the file with the .ps1 extension. ```powershell $oulist = Import-csv -Path c:\oulist.txt @@ -123,11 +122,11 @@ On **DC01**: ## Configure Active Directory permissions -In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://github.com/DeploymentArtist/SWP1/tree/master/Scripts) and copied it to C:\\Setup\\Scripts on DC01. +In order for the Configuration Manager Join Domain Account (CM\_JD) to join machines into the contoso.com domain, you need to configure permissions in Active Directory. These steps assume you've downloaded the sample [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copied it to C:\\Setup\\Scripts on DC01. On **DC01**: -1. Sign in as contoso\administrator and enter the following at an elevated Windows PowerShell prompt: +1. Sign in as contoso\administrator and enter the following commands at an elevated Windows PowerShell prompt: ```powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force @@ -135,7 +134,7 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account CM_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` -2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following is a list of the permissions being granted: +2. The Set-OUPermissions.ps1 script allows the CM\_JD user account permissions to manage computer accounts in the Contoso / Computers / Workstations OU. The following list is that of permissions being granted: * Scope: This object and all descendant objects * Create Computer objects @@ -174,7 +173,7 @@ To support the packages you create in this article, the following folder structu You can run the following commands from an elevated Windows PowerShell prompt to create this folder structure: ->We will also create the D:\Logs folder here which will be used later to support server-side logging. +>We'll also create the D:\Logs folder here which will be used later to support server-side logging. ```powershell New-Item -ItemType Directory -Path "D:\Sources" @@ -196,7 +195,7 @@ New-SmbShare -Name Logs$ -Path D:\Logs -ChangeAccess EVERYONE ## Integrate Configuration Manager with MDT -To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you have already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings. +To extend the Configuration Manager console with MDT wizards and templates, install MDT with the default settings and run the **Configure ConfigManager Integration** desktop app. In these steps, we assume you've already [downloaded MDT](https://www.microsoft.com/download/details.aspx?id=54259) and installed it with default settings. On **CM01**: @@ -264,7 +263,7 @@ On **CM01**: Configure the CM01 distribution point for PXE. >[!NOTE] - >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS will not be installed, or if it is already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder does not support multicast. For more information, see [Install and configure distribution points](/mem/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). + >If you select **Enable a PXE responder without Windows Deployment Service**, then WDS won't be installed, or if it's already installed it will be suspended, and the **ConfigMgr PXE Responder Service** (SccmPxe) will be used instead of WDS. The ConfigMgr PXE Responder doesn't support multicast. For more information, see [Install and configure distribution points](/configmgr/core/servers/deploy/configure/install-and-configure-distribution-points#bkmk_config-pxe). 4. Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines. @@ -272,7 +271,7 @@ On **CM01**: The distmgr.log displays a successful configuration of PXE on the distribution point. -5. Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. +5. Verify that you've seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**. ![figure 14.](../images/mdt-06-fig15.png) @@ -284,18 +283,17 @@ Next, see [Create a custom Windows PE boot image with Configuration Manager](cre ## Components of Configuration Manager operating system deployment -Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are other components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. +Operating system deployment with Configuration Manager is part of the normal software distribution infrastructure, but there are more components. For example, operating system deployment in Configuration Manager may use the State Migration Point role, which isn't used by normal application deployment in Configuration Manager. This section describes the Configuration Manager components involved with the deployment of an operating system, such as Windows 10. - **State migration point (SMP).** The state migration point is used to store user state migration data during computer replace scenarios. - **Distribution point (DP).** The distribution point is used to store all packages in Configuration Manager, including the operating system deployment-related packages. - **Software update point (SUP).** The software update point, which is normally used to deploy updates to existing machines, also can be used to update an operating system as part of the deployment process. You also can use offline servicing to update the image directly on the Configuration Manager server. - **Reporting services point.** The reporting services point can be used to monitor the operating system deployment process. - **Boot images.** Boot images are the Windows Preinstallation Environment (Windows PE) images Configuration Manager uses to start the deployment. -- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This is typically the production deployment image. +- **Operating system images.** The operating system image package contains only one file, the custom .wim image. This image is typically the production deployment image. - **Operating system installers.** The operating system installers were originally added to create reference images using Configuration Manager. Instead, we recommend that you use MDT Lite Touch to create your reference images. For more information on how to create a reference image, see [Create a Windows 10 reference image](../deploy-windows-mdt/create-a-windows-10-reference-image.md). - **Drivers.** Like MDT Lite Touch, Configuration Manager also provides a repository (catalog) of managed device drivers. -- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides extra task sequence templates to Configuration Manager. - +- **Task sequences.** The task sequences in Configuration Manager look and feel much like the sequences in MDT Lite Touch, and they're used for the same purpose. However, in Configuration Manager, the task sequence is delivered to the clients as a policy via the Management Point (MP). MDT provides more task sequence templates to Configuration Manager. > [!NOTE] > The Windows Assessment and Deployment Kit (ADK) for Windows 10 is also required to support management and deployment of Windows 10. @@ -303,12 +301,17 @@ Operating system deployment with Configuration Manager is part of the normal sof As noted above, MDT adds many enhancements to Configuration Manager. While these enhancements are called Zero Touch, that name doesn't reflect how deployment is conducted. The following sections provide a few samples of the 280 enhancements that MDT adds to Configuration Manager. +>[!NOTE] +>MDT installation requires the following: +>- The Windows ADK for Windows 10 (installed in the previous procedure) +>- Windows PowerShell ([version 5.1](https://www.microsoft.com/download/details.aspx?id=54616) is recommended; type **$host** to check) +>- Microsoft .NET Framework + ### MDT enables dynamic deployment -When MDT is integrated with Configuration Manager, the task sequence takes other instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have a script or web services provide the settings used. +When MDT is integrated with Configuration Manager, the task sequence takes more instructions from the MDT rules. In its most simple form, these settings are stored in a text file, the CustomSettings.ini file, but you can store the settings in Microsoft SQL Server databases, or have Microsoft Visual Basic Scripting Edition (VBScripts) or web services provide the settings used. The task sequence uses instructions that allow you to reduce the number of task sequences in Configuration Manager and instead store settings outside the task sequence. Here are a few examples: - - The following settings instruct the task sequence to install the HP Hotkeys package, but only if the hardware is an HP EliteBook 8570w. You don't have to add the package to the task sequence. ``` syntax @@ -349,7 +352,7 @@ The folder that contains the rules, a few scripts from MDT, and a custom script ### MDT adds real-time monitoring -With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. +With MDT integration, you can follow your deployments in real time, and if you've access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information. ![figure 4.](../images/mdt-06-fig04.png) @@ -370,25 +373,18 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons: - You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more. -- Configuration Manager performs deployment in the LocalSystem context. This means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. +- Configuration Manager performs deployment in the LocalSystem context, which means that you can't configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment. - The Configuration Manager task sequence doesn't suppress user interface interaction. - MDT Lite Touch supports a Suspend action that allows for reboots, which is useful when you need to perform a manual installation or check the reference image before it's automatically captured. - MDT Lite Touch doesn't require any infrastructure and is easy to delegate. -## Related articles - -[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md) - -[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md) - -[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md) - -[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md) - -[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md) - -[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md) - -[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md) +## Related topics +[Create a custom Windows PE boot image with Configuration Manager](create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
                            +[Add a Windows 10 operating system image using Configuration Manager](add-a-windows-10-operating-system-image-using-configuration-manager.md)
                            +[Create an application to deploy with Windows 10 using Configuration Manager](create-an-application-to-deploy-with-windows-10-using-configuration-manager.md)
                            +[Add drivers to a Windows 10 deployment with Windows PE using Configuration Manager](add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md)
                            +[Create a task sequence with Configuration Manager and MDT](./create-a-task-sequence-with-configuration-manager-and-mdt.md)
                            +[Deploy Windows 10 using PXE and Configuration Manager](deploy-windows-10-using-pxe-and-configuration-manager.md)
                            +[Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md)
                            [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md) diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md index 117dedd018..41822baf59 100644 --- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh is not the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refesh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). +This topic will show you how to refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager and Microsoft Deployment Toolkit (MDT). A computer refresh isn't the same as an in-place upgrade. A computer refresh involves storing user data and settings from the old installation, wiping the hard drives, installing a new OS, and then restoring the user data at the end of the installation. Also see the MDT refresh procedure: [Refresh a Windows 7 computer with Windows 10](../deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md). A computer refresh with Configuration Manager works the same as it does with MDT Lite Touch installation. Configuration Manager also uses the User State Migration Tool (USMT) from the Windows Assessment and Deployment Kit (Windows ADK) 10 in the background. A computer refresh with Configuration Manager has the following steps: @@ -31,8 +31,8 @@ A computer refresh with Configuration Manager works the same as it does with MDT An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and one client computer (PC0003). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0003). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0003 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be refreshed to Windows 10. >[!NOTE] @@ -40,7 +40,7 @@ For the purposes of this article, we will use one server computer (CM01) and one All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!IMPORTANT] >This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. @@ -76,7 +76,7 @@ On **CM01**: Use the default settings to complete the remaining wizard pages and click **Close**. -2. Review the Install Windows 10 Enterprise x64 collection. Do not continue until you see the PC0003 machine in the collection. +2. Review the Install Windows 10 Enterprise x64 collection. Don't continue until you see the PC0003 machine in the collection. >[!NOTE] >It may take a short while for the collection to refresh; you can view progress via the Colleval.log file. If you want to speed up the process, you can manually update membership on the Install Windows 10 Enterprise x64 collection by right-clicking the collection and selecting Update Membership. @@ -94,7 +94,7 @@ Using the Configuration Manager console, in the Software Library workspace, expa - Make available to the following: Configuration Manager clients, media and PXE >[!NOTE] - >It is not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. + >It's not necessary to make the deployment available to media and Pre-Boot Execution Environment (PXE) for a computer refresh, but you will use the same deployment for bare-metal deployments later on and you will need it at that point. - Scheduling - <default> diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md index 242bcd70ee..4d0bcca63b 100644 --- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md @@ -1,6 +1,7 @@ --- title: Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager -description: In this topic, you will learn how to replacing a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. +description: In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. +ms.assetid: 3c8a2d53-8f08-475f-923a-bca79ca8ac36 ms.reviewer: manager: dougeby ms.author: aaroncz @@ -17,16 +18,16 @@ ms.custom: seo-marvel-apr2020 - Windows 10 -In this topic, you will learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you are replacing the device, you have to run the backup job separately from the deployment of Windows 10. +In this topic, you'll learn how to replace a Windows 7 SP1 computer using Microsoft Endpoint Configuration Manager. This process is similar to refreshing a computer, but since you're replacing the device, you have to run the backup job separately from the deployment of Windows 10. -In this topic, you will create a backup-only task sequence that you run on PC0004 (the device you are replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). +In this topic, you'll create a backup-only task sequence that you run on PC0004 (the device you're replacing), deploy the PC0006 computer running Windows 10, and then restore this backup of PC0004 onto PC006. This process is similar to the MDT replace process: [Replace a Windows 7 computer with a Windows 10 computer](../deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md). ## Infrastructure An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and two client computers (PC0004, PC0006). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and two client computers (PC0004, PC0006). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - Important: CM01 must include the **[State migration point](/configmgr/osd/get-started/manage-user-state#BKMK_StateMigrationPoint)** role for the replace task sequence used in this article to work. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be replaced. - PC0006 is a domain member client computer running Windows 10, with the Configuration Manager client installed, that will replace PC0004. @@ -36,7 +37,7 @@ For the purposes of this article, we will use one server computer (CM01) and two All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. >[!IMPORTANT] >This article assumes that you have [configured Active Directory permissions](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md#configure-active-directory-permissions) in the specified OU for the **CM_JD** account, and the client's Active Directory computer account is in the **Contoso > Computers > Workstations** OU. Use the Active Directory Users and Computers console to review the location of computer objects and move them if needed. @@ -70,15 +71,15 @@ The backup-only task sequence (named Replace Task Sequence). ## Associate the new device with the old computer -This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for the purpose of replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. +This section walks you through the process of associating a new, blank device (PC0006), with an existing computer (PC0004), for replacing PC0004 with PC0006. PC0006 can be either a physical or virtual machine. On **HV01** (if PC0006 is a VM) or in the PC0006 BIOS: -1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Do not attempt to PXE boot PC0006 yet. +1. Make a note of the MAC address for PC0006. (If PC0006 is a virtual machine, you can see the MAC Address in the virtual machine settings.) In our example, the PC0006 MAC Address is 00:15:5D:0A:6A:96. Don't attempt to PXE boot PC0006 yet. On **CM01**: -2. Using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**. +2. When you're using the Configuration Manager console, in the Assets and Compliance workspace, right-click **Devices**, and then click **Import Computer Information**. 3. On the **Select Source** page, select **Import single computer** and click **Next**. 4. On the **Single Computer** page, use the following settings and then click **Next**: @@ -95,14 +96,14 @@ On **CM01**: 7. On the **Choose additional collections** page, click **Add** and then select the **Install Windows 10 Enterprise x64** collection. Now, select the checkbox next to the Install Windows 10 Enterprise x64 collection you just added, and then click **Next**. 8. On the **Summary** page, click **Next**, and then click **Close**. 9. Select the **User State Migration** node and review the computer association in the right hand pane. -10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. Note that a recovery key has been assigned already, but a user state store location has not. -11. Review the **Install Windows 10 Enterprise x64** collection. Do not continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. +10. Right-click the **PC0004/PC0006** association and click **View Recovery Information**. A recovery key has been assigned already, but a user state store location hasn't. +11. Review the **Install Windows 10 Enterprise x64** collection. Don't continue until you see the **PC0006** computer in the collection. You might have to update membership and refresh the collection again. ## Create a device collection and add the PC0004 computer On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: * General * Name: USMT Backup (Replace) @@ -117,7 +118,7 @@ On **CM01**: Use default settings for the remaining wizard pages, then click **Close**. -2. Review the **USMT Backup (Replace)** collection. Do not continue until you see the **PC0004** computer in the collection. +2. Review the **USMT Backup (Replace)** collection. Don't continue until you see the **PC0004** computer in the collection. ## Create a new deployment @@ -145,7 +146,7 @@ This section assumes that you have a computer named PC0004 with the Configuratio On **PC0004**: -1. If it is not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). +1. If it's not already started, start the PC0004 computer and open the Configuration Manager control panel (control smscfgrc). 2. On the **Actions** tab, select **Machine Policy Retrieval & Evaluation Cycle**, click **Run Now**, and then click **OK** in the popup dialog box that appears. >[!NOTE] @@ -161,8 +162,8 @@ Capturing the user state On **CM01**: -6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a sub-folder was created containing the USMT backup. -7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. Note that the object now also has a user state store location. +6. Open the state migration point storage folder (ex: D:\Migdata) and verify that a subfolder was created containing the USMT backup. +7. Using the Configuration Manager console, in the Assets and Compliance workspace, select the **User State Migration** node, right-click the **PC0004/PC0006** association, and select **View Recovery Information**. The object now also has a user state store location. >[!NOTE] >It may take a few minutes for the user state store location to be populated. @@ -176,7 +177,7 @@ On **PC0006**: * Password: pass@word1 * Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM -2. The setup now starts and does the following: +2. The setup now starts and does the following steps: * Installs the Windows 10 operating system * Installs the Configuration Manager client @@ -184,7 +185,7 @@ On **PC0006**: * Installs the applications * Restores the PC0004 backup -When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: +When the process is complete, you'll have a new Windows 10 computer in your domain with user data and settings restored. See the following examples: ![User data and setting restored example 1.](../images/pc0006a.png)
                            ![User data and setting restored example 2.](../images/pc0006b.png)
                            diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md index dd7097e837..5d6a936a26 100644 --- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md +++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuration-manager.md @@ -27,28 +27,28 @@ The simplest path to upgrade PCs currently running Windows 7, Windows 8, or Wi An existing Configuration Manager infrastructure that is integrated with MDT is used for the following procedures. For more information about the setup for this article, see [Prepare for Zero Touch Installation of Windows 10 with Configuration Manager](prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md). -For the purposes of this article, we will use one server computer (CM01) and one client computers (PC0004). -- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. +For the purposes of this article, we'll use one server computer (CM01) and one client computer (PC0004). +- CM01 is a domain member server and Configuration Manager software distribution point. In this guide, CM01 is a standalone primary site server. - PC0004 is a domain member client computer running Windows 7 SP1, or a later version of Windows, with the Configuration Manager client installed, that will be upgraded to Windows 10. All servers are running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used. -All server and client computers referenced in this guide are on the same subnet. This is not required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. +All server and client computers referenced in this guide are on the same subnet. This interrelation isn't required, but each server and client computer must be able to connect to each other to share files, and to resolve all DNS names and Active Directory information for the contoso.com domain. Internet connectivity is also required to download OS and application updates. ## Add an OS upgrade package -Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it does not use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages). +Configuration Manager Current Branch includes a native in-place upgrade task. This task sequence differs from the MDT in-place upgrade task sequence in that it doesn't use a default OS image, but rather uses an [OS upgrade package](/configmgr/osd/get-started/manage-operating-system-upgrade-packages). On **CM01**: 1. Using the Configuration Manager console, in the Software Library workspace, expand **Operating Systems**, right-click **Operating System Upgrade Packages**, and click **Add Operating System Upgrade Package**. -2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we have extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. -3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we have chosen **Windows 10 Enterprise**. +2. On the **Data Source** page, under **Path**, click **Browse** and enter the UNC path to your media source. In this example, we've extracted the Windows 10 installation media to **\\\\cm01\\Sources$\\OSD\\UpgradePackages\\Windows 10**. +3. If you have multiple image indexes in the installation media, select **Extract a specific image index from install.wim...** and choose the image index you want from the dropdown menu. In this example, we've chosen **Windows 10 Enterprise**. 4. Next to **Architecture**, select **x64**, choose a language from the dropdown menu next to **Language**, and then click **Next**. 5. Next to **Name**, enter **Windows 10 x64 RTM** and then complete the wizard by clicking **Next** and **Close**. 6. Distribute the OS upgrade package to the CM01 distribution point by right-clicking the **Windows 10 x64 RTM** OS upgrade package and then clicking **Distribute Content**. 7. In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**. -8. View the content status for the Windows 10 x64 RTM upgrade package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. +8. View the content status for the Windows 10 x64 RTM upgrade package. Don't continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line. ## Create an in-place upgrade task sequence @@ -77,7 +77,7 @@ After you create the upgrade task sequence, you can create a collection to test On **CM01**: -1. Using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: +1. When you're using the Configuration Manager console, in the Asset and Compliance workspace, right-click **Device Collections**, and then select **Create Device Collection**. Use the following settings: - General - Name: Windows 10 x64 in-place upgrade - Limited Collection: All Systems @@ -89,7 +89,7 @@ On **CM01**: - Select Resources - Select PC0004 -2. Review the Windows 10 x64 in-place upgrade collection. Do not continue until you see PC0004 in the collection. +2. Review the Windows 10 x64 in-place upgrade collection. Don't continue until you see PC0004 in the collection. ## Deploy the Windows 10 upgrade diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 3300697ddc..619447fac2 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,6 +1,7 @@ --- title: Build a distributed environment for Windows 10 deployment (Windows 10) -description: In this topic, you will learn how to replicate your Windows 10 deployment shares to facilitate the deployment of Windows 10 in remote or branch locations. + [!NOTE] > Robocopy has options that allow for synchronization between folders. It has a simple reporting function; it supports transmission retry; and, by default, it will only copy/remove files from the source that are newer than files on the target. @@ -40,7 +41,7 @@ LDS is a built-in feature in MDT for replicating content. However, LDS works bes ### Why DFS-R is a better option -DFS-R is not only very fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. +DFS-R isn't only fast and reliable, but it also offers central monitoring, bandwidth control, and a great delta replication engine. DFS-R will work equally well whether you have 2 sites or 90. When using DFS-R for MDT, we recommend running your deployment servers on Windows Server 2008 R2 or higher. From that version on, you can configure the replication targets as read-only, which is exactly what you want for MDT. This way, you can have your master deployment share centralized and replicate out changes as they happen. DFS-R will quickly pick up changes at the central deployment share in MDT01 and replicate the delta changes to MDT02. ## Set up Distributed File System Replication (DFS-R) for replication @@ -113,7 +114,7 @@ When you have multiple deployment servers sharing the same content, you need to On **MDT01**: -1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (i.e. server) to use. +1. Using Notepad, navigate to the **D:\\MDTProduction\\Control** folder and modify the Boostrap.ini file as follows. Under [DefaultGateway] enter the IP addresses for the client's default gateway in New York and Stockholm, respectively (replace 10.10.10.1 and 10.10.20.1 with your default gateways). The default gateway setting is what tells the client which deployment share (that is, server) to use. ```ini [Settings] @@ -152,7 +153,7 @@ On **MDT01**: ## Replicate the content - Once the MDT01 and MDT02 servers are prepared, you are ready to configure the actual replication. + Once the MDT01 and MDT02 servers are prepared, you're ready to configure the actual replication. ### Create the replication group @@ -247,7 +248,7 @@ Now you should have a solution ready for deploying the Windows 10 client to the 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image 2. Computer Name: PC0006 3. Applications: Select the Install - Adobe Reader -4. Setup will now start and perform the following: +4. Setup will now start and perform the following steps: 1. Install the Windows 10 Enterprise operating system. 2. Install applications. 3. Update the operating system using your local Windows Server Update Services (WSUS) server. diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md index 078bb06ca8..fe96dcd42b 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-deployment-share-rules.md @@ -12,7 +12,7 @@ ms.topic: article # Configure MDT deployment share rules -In this topic, you will learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. +In this topic, you'll learn how to configure the MDT rules engine to reach out to other resources, including external scripts, databases, and web services, for additional information instead of storing settings directly in the rules engine. The rules engine in MDT is powerful: most of the settings used for operating system deployments are retrieved and assigned via the rules engine. In its simplest form, the rules engine is the CustomSettings.ini text file. ## Assign settings @@ -29,7 +29,7 @@ Before adding the more advanced components like scripts, databases, and web serv ### Set computer name by MAC Address -If you have a small test environment, or simply want to assign settings to a very limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. +If you have a small test environment, or simply want to assign settings to a limited number of machines, you can edit the rules to assign settings directly for a given MAC Address. If you have many machines, it makes sense to use the database instead. ``` [Settings] @@ -90,7 +90,7 @@ In the preceding sample, you still configure the rules to set the computer name ### Add laptops to a different organizational unit (OU) in Active Directory -In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you are deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType is not a reserved word; rather, it is the name of the section to read. +In the rules, you find built-in properties that use a Windows Management Instrumentation (WMI) query to determine whether the machine you're deploying is a laptop, desktop, or server. In this sample, we assume you want to add laptops to different OUs in Active Directory. Note that ByLaptopType isn't a reserved word; rather, it's the name of the section to read. ``` [Settings] diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md index c4bbe93743..8c0ba8179d 100644 --- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md +++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md @@ -1,6 +1,7 @@ --- title: Configure MDT settings (Windows 10) -description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. +description: One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. +ms.assetid: d3e1280c-3d1b-4fad-8ac4-b65dc711f122 ms.reviewer: manager: dougeby ms.author: aaroncz @@ -12,8 +13,8 @@ ms.topic: article # Configure MDT settings -One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. -For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). +One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there's virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment. +For the purposes of this topic, we'll use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more information on the setup for this topic, see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md). ![figure 1.](../images/mdt-09-fig01.png) diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md index e9d1c48603..1f482f177d 100644 --- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md +++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md @@ -15,12 +15,12 @@ ms.topic: article **Applies to** - Windows 10 -Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you will learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You will create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you will have a Windows 10 reference image that can be used in your deployment solution. +Creating a reference image is important because that image serves as the foundation for the devices in your organization. In this topic, you 'll learn how to create a Windows 10 reference image using the Microsoft Deployment Toolkit (MDT). You 'll create a deployment share, configure rules and settings, and import all the applications and operating system files required to build a Windows 10 reference image. After completing the steps outlined in this topic, you 'll have a Windows 10 reference image that can be used in your deployment solution. >[!NOTE] ->See [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md) for more information about the server, client, and network infrastructure used in this guide. +>For more information about the server, client, and network infrastructure used in this guide, see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md). -For the purposes of this topic, we will use three computers: DC01, MDT01, and HV01. +For the purposes of this topic, we'll use three computers: DC01, MDT01, and HV01. - DC01 is a domain controller for the contoso.com domain. - MDT01 is a contoso.com domain member server. - HV01 is a Hyper-V server that will be used to build the reference image. @@ -31,22 +31,22 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and HV ## The reference image -The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are the following: +The reference image described in this guide is designed primarily for deployment to physical devices. However, the reference image is typically created on a virtual platform, before being automatically run through the System Preparation (Sysprep) tool process and captured to a Windows Imaging (WIM) file. The reasons for creating the reference image on a virtual platform are: - To reduce development time and can use snapshots to test different configurations quickly. -- To rule out hardware issues. You simply get the best possible image, and if you have a problem, it's not likely to be hardware related. -- To ensures that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. +- To rule out hardware issues. You get the best possible image, and if you've a problem, it's not likely to be hardware related. +- To ensure that you won't have unwanted applications that could be installed as part of a driver install but not removed by the Sysprep process. - The image is easy to move between lab, test, and production. ## Set up the MDT build lab deployment share -With Windows 10, there is no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications as well as all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. +With Windows 10, there's no hard requirement to create reference images. However, to reduce the time needed for deployment, you might want to create a reference image that contains a few base applications and all of the latest updates. This section will show you how to create and configure the MDT Build Lab deployment share to create a Windows 10 reference image. Because reference images will be deployed only to virtual machines during the creation process and have specific settings (rules), you should always create a separate deployment share specifically for this process. ### Create the MDT build lab deployment share On **MDT01**: - Sign in as contoso\\administrator using a password of pass@word1 (credentials from the [prepare for deployment](prepare-for-windows-deployment-with-mdt.md) topic). -- Start the MDT deployment workbench, and pin this to the taskbar for easy access. +- Start the MDT deployment workbench, and pin this workbench to the taskbar for easy access. - Using the Deployment Workbench, right-click **Deployment Shares** and select **New Deployment Share**. - Use the following settings for the New Deployment Share Wizard: - Deployment share path: **D:\\MDTBuildLab** @@ -70,7 +70,7 @@ In order to read files in the deployment share and write the reference image bac On **MDT01**: -1. Ensure you are signed in as **contoso\\administrator**. +1. Ensure you're signed in as **contoso\\administrator**. 2. Modify the NTFS permissions for the **D:\\MDTBuildLab** folder by running the following command in an elevated Windows PowerShell prompt: ``` powershell @@ -84,7 +84,7 @@ This section will show you how to populate the MDT deployment share with the Win ### Add the Windows 10 installation files -MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you have created. In this case, you create a reference image, so you add the full source setup files from Microsoft. +MDT supports adding both full source Windows 10 DVDs (ISOs) and custom images that you've created. In this case, you create a reference image, so you add the full source setup files from Microsoft. >[!NOTE] >Due to the Windows limits on path length, we are purposely keeping the operating system destination directory short, using the folder name W10EX64RTM rather than a more descriptive name like Windows 10 Enterprise x64 RTM. @@ -129,9 +129,9 @@ The steps in this section use a strict naming standard for your MDT applications Using a script naming standard is always recommended when using MDT as it helps maintain order and consistency. -By storing configuration items as MDT applications, it is easy to move these objects between various solutions, or between test and production environments. +By storing configuration items as MDT applications, it's easy to move these objects between various solutions, or between test and production environments. -In example sections, you will add the following applications: +In example sections, you 'll add the following applications: - Install - Microsoft Office 365 Pro Plus - x64 - Install - Microsoft Visual C++ Redistributable 2019 - x86 @@ -146,7 +146,7 @@ Download links: Download all three items in this list to the D:\\Downloads folder on MDT01. -**Note**: For the purposes of this lab, we will leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). +**Note**: For the purposes of this lab, we'll leave the MSVC files in the D:\\Downloads folder and the Office365 files will be extracted to a child folder. If you prefer, you can place each application in its own separate child folder and then modify the $ApplicationSourcePath below as needed (instead of just D:\\Downloads). >[!NOTE] >All the Microsoft Visual C++ downloads can be found on [The latest supported Visual C++ downloads](https://go.microsoft.com/fwlink/p/?LinkId=619523). Visual C++ 2015, 2017 and 2019 all share the same redistributable files. @@ -157,7 +157,9 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. 2. Using a text editor (such as Notepad), create an XML file in the D:\\Downloads\\Office365 directory with the installation settings for Microsoft 365 Apps for enterprise that are appropriate for your organization. The file uses an XML format, so the file you create must have an extension of .xml but the file can have any filename. For example, you can use the following configuration.xml file, which provides these configuration settings: - - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. Note: 64-bit is now the default and recommended edition. + - Install the 64-bit version of Microsoft 365 Apps for enterprise in English directly from the Office Content Delivery Network (CDN) on the internet. + > [!NOTE] + > 64-bit is now the default and recommended edition. - Use the General Availability Channel and get updates directly from the Office CDN on the internet. - Perform a silent installation. You won’t see anything that shows the progress of the installation and you won’t see any error messages. @@ -173,27 +175,27 @@ Download all three items in this list to the D:\\Downloads folder on MDT01. ``` - By using these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. + When you use these settings, any time you build the reference image you’ll be installing the most up-to-date General Availability Channel version of Microsoft 365 Apps for enterprise. >[!TIP] >You can also use the web-based interface of the [Office Customization Tool](https://config.office.com/) to help you create your configuration.xml file. - Also see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool) for more information. + For more information, see [Configuration options for the Office Deployment Tool](/deployoffice/configuration-options-for-the-office-2016-deployment-tool) and [Overview of the Office Deployment Tool](/DeployOffice/overview-of-the-office-2016-deployment-tool). 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder: ![folder.](../images/office-folder.png) - Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet. + Assuming you've named the file "configuration.xml" as shown above, we'll use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This command execution will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Don't perform this step yet. >[!IMPORTANT] - >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you are prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. + >After Microsoft 365 Apps for enterprise is installed on the reference image, do NOT open any Office programs. if you open an Office program, you're prompted to sign-in, which activates the installation of Microsoft 365 Apps for enterprise. Even if you don't sign in and you close the Sign in to set up Office dialog box, a temporary product key is installed. You don't want any kind of product key for Microsoft 365 Apps for enterprise installed as part of your reference image. Additional information -- Microsoft 365 Apps for enterprise is usually updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. +- Microsoft 365 Apps for enterprise is updated on a monthly basis with security updates and other quality updates (bug fixes), and possibly new features (depending on which update channel you’re using). That means that once you’ve deployed your reference image, Microsoft 365 Apps for enterprise will most likely need to download and install the latest updates that have been released since you created your reference image. -- **Note**: By using installing Office Deployment Tool as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) - - When you are creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. +- **Note**: With the installing Office Deployment Tool being used as part of the reference image, Microsoft 365 Apps for enterprise is installed immediately after the reference image is deployed to the user’s device, rather than including Office apps part of the reference image. This way the user will have the most up-to-date version of Microsoft 365 Apps for enterprise right away and won’t have to download any new updates (which is most likely what would happen if Microsoft 365 Apps for enterprise was installed as part of the reference image.) + - When you're creating your reference image, instead of installing Microsoft 365 Apps for enterprise directly from the Office CDN on the internet, you can install Microsoft 365 Apps for enterprise from a location on your local network, such as a file share. To do that, you would use the Office Deployment Tool in /download mode to download the installation files to that file share. Then you could use the Office Deployment Tool in /configure mode to install Microsoft 365 Apps for enterprise from that location on to your reference image. As part of that process, you’ll need to point to that location in your configuration.xml file so that the Office Deployment Tool knows where to get the Microsoft 365 Apps for enterprise files. If you decide to do this step, the next time you create a new reference image, you’ll want to be sure to use the Office Deployment Tool to download the most up-to-date installation files for Microsoft 365 Apps for enterprise to that location on your internal network. That way your new reference image will have a more up-to-date installation of Microsoft 365 Apps for enterprise. ### Connect to the deployment share using Windows PowerShell @@ -201,7 +203,7 @@ If you need to add many applications, you can take advantage of the PowerShell s On **MDT01**: -1. Ensure you are signed in as **contoso\\Administrator**. +1. Ensure you're signed in as **contoso\\Administrator**. 2. Import the snap-in and create the PSDrive by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -213,11 +215,11 @@ On **MDT01**: ### Create the install: Microsoft Office 365 Pro Plus - x64 -In these steps we assume that you have downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. +In these steps, we assume that you've downloaded the Office Deployment Tool. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads\\Office365. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -227,7 +229,7 @@ On **MDT01**: Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` - Upon successful installation the following text is displayed: + Upon successful installation, the following text is displayed: ``` VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import @@ -246,11 +248,11 @@ On **MDT01**: >[!NOTE] >We have abbreviated "Microsoft Visual C++ Redistributable" in the $ApplicationName below as "MSVC" to avoid the path name exceeding the maxiumum allowed length of 248 characters. -In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. +In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x86. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -260,7 +262,7 @@ On **MDT01**: Import-MDTApplication -Path "DS001:\Applications\Microsoft" -Enable "True" -Name $ApplicationName -ShortName $ApplicationName -CommandLine $CommandLine -WorkingDirectory ".\Applications\$ApplicationName" -ApplicationSourcePath $ApplicationSourcePath -DestinationFolder $ApplicationName -Verbose ``` - Upon successful installation the following text is displayed: + Upon successful installation, the following text is displayed: ``` VERBOSE: Performing the operation "import" on target "Application". VERBOSE: Beginning application import @@ -275,11 +277,11 @@ On **MDT01**: ### Create the install: Microsoft Visual C++ Redistributable 2019 - x64 -In these steps we assume that you have downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. +In these steps, we assume that you've downloaded Microsoft Visual C++ Redistributable 2019 - x64. You might need to modify the path to the source folder to reflect your current environment. In this example, the source path is set to D:\\Downloads. On **MDT01**: -1. Ensure you are signed on as **contoso\\Administrator**. +1. Ensure you're signed on as **contoso\\Administrator**. 2. Create the application by running the following commands in an elevated PowerShell prompt: ``` powershell @@ -291,8 +293,8 @@ On **MDT01**: ## Create the reference image task sequence -In order to build and capture your Windows 10 reference image for deployment using MDT, you will create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. -After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you are deploying. +In order to build and capture your Windows 10 reference image for deployment using MDT, you 'll create a task sequence. The task sequence will reference the operating system and applications that you previously imported into the MDT Build Lab deployment share to build a Windows 10 reference image. +After creating the task sequence, you configure it to enable patching against the Windows Server Update Services (WSUS) server. The Task Sequence Windows Update action supports getting updates directly from Microsoft Update, but you get more stable patching if you use a local WSUS server. WSUS also allows for an easy process of approving the patches that you're deploying. ### Drivers and the reference image @@ -304,18 +306,18 @@ To create a Windows 10 reference image task sequence, the process is as follows On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. +1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab** right-click **Task Sequences**, and create a **New Folder** named **Windows 10**. 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard: 1. Task sequence ID: REFW10X64-001 2. Task sequence name: Windows 10 Enterprise x64 RTM Default Image 3. Task sequence comments: Reference Build 4. Template: Standard Client Task Sequence 5. Select OS: Windows 10 Enterprise x64 RTM Default Image - 6. Specify Product Key: Do not specify a product key at this time + 6. Specify Product Key: Don't specify a product key at this time 7. Full Name: Contoso 8. Organization: Contoso 9. Internet Explorer home page: http://www.contoso.com - 10. Admin Password: Do not specify an Administrator Password at this time + 10. Admin Password: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -338,7 +340,7 @@ On **MDT01**: 3. Select the roles and features that should be installed: .NET Framework 3.5 (includes .NET 2.0 and 3.0) >[!IMPORTANT] - >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. + >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It's installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed. ![task sequence.](../images/fig8-cust-tasks.png) @@ -355,7 +357,7 @@ On **MDT01**: ### Optional configuration: Add a suspend action -The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. +The goal when creating a reference image is to automate everything. But sometimes you've a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine. ![figure 8.](../images/fig8-suspend.png) @@ -367,20 +369,20 @@ The goal when creating a reference image is of course to automate everything. Bu ### Edit the Unattend.xml file for Windows 10 Enterprise -When using MDT, you don't need to edit the Unattend.xml file very often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml for this. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you will want to use the Internet Explorer Administration Kit (IEAK). +When using MDT, you don't need to edit the Unattend.xml file often because most configurations are taken care of by MDT. However if, for example, you want to configure Internet Explorer behavior, then you can edit the Unattend.xml. Editing the Unattend.xml for basic Internet Explorer settings is easy, but for more advanced settings, you 'll want to use the Internet Explorer Administration Kit (IEAK). >[!WARNING] ->Do not use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. +>Don't use **SkipMachineOOBE** or **SkipUserOOBE** in your Unattend.xml file. These settings are deprecated and can have unintended effects if used. >[!NOTE] ->You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you are adding packages via Unattend.xml, it is version specific, so Unattend.xml must match the exact version of the operating system you are servicing. +>You also can use the Unattend.xml to enable components in Windows 10, like the Telnet Client or Hyper-V client. Normally we prefer to do this via the **Install Roles and Features** action, or using Deployment Image Servicing and Management (DISM) command-line tools, because then we can add that as an application, being dynamic, having conditions, and so forth. Also, if you're adding packages via Unattend.xml, it's version specific, so Unattend.xml must match the exact version of the operating system you're servicing. Follow these steps to configure Internet Explorer settings in Unattend.xml for the Windows 10 Enterprise x64 RTM Default Image task sequence: On **MDT01**: -1. Using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. -2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. +1. When you're using the Deployment Workbench, under **Deployment Shares > MDT Build Lab > Task Sequences** right-click the **Windows 10 Enterprise x64 RTM Default Image** task sequence and select **Properties**. +2. In the **OS Info** tab, click **Edit Unattend.xml**. MDT now generates a catalog file. This file generation process will take a few minutes, and then Windows System Image Manager (Windows SIM) will start. > [!IMPORTANT] > The ADK version 1903 has a [known issue](/windows-hardware/get-started/what-s-new-in-kits-and-tools#whats-new-in-the-windows-adk-for-windows-10-version-1903) generating a catalog file for Windows 10, version 1903 or 1909 X64 install.wim. You might see the error "Could not load file or assembly" in in the console output. To avoid this issue, [install the ADK, version 2004 or a later version](/windows-hardware/get-started/adk-install). A workaround is also available for the ADK version 1903: @@ -393,7 +395,8 @@ On **MDT01**: 4. In the **amd64\_Microsoft-Windows-IE-InternetExplorer\_neutral properties** window (right-hand window), set the following values: - DisableDevTools: true 5. Save the Unattend.xml file, and close Windows SIM. - - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. + > [!NOTE] + > If errors are reported that certain display values are incorrect, you can ignore this message or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1. 6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**. ![figure 10.](../images/fig10-unattend.png) @@ -413,7 +416,7 @@ To configure the rules for the MDT Build Lab deployment share: On **MDT01**: 1. Using the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Properties**. -2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you do not have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: +2. Select the **Rules** tab and replace the existing content with the following information (edit the settings as needed to match your deployment). For example, If you don't have a WSUS server in your environment, delete the **WSUSServer** line from the configuration: ``` [Settings] @@ -469,7 +472,7 @@ On **MDT01**: ``` >[!NOTE] - >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it is acceptable to do so in this situation. Obviously if you are not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. + >For security reasons, you normally don't add the password to the Bootstrap.ini file; however, because this deployment share is for creating reference image builds only, and should not be published to the production network, it's acceptable to do so in this situation. Obviously if you're not using the same password (pass@word3) that is provided in this lab, you must enter your own custom password on the Rules tab and in Bootstrap.ini. 4. On the **Windows PE** tab, in the **Platform** drop-down list, select **x86**. 5. In the **Lite Touch Boot Image Settings** area, configure the following settings: @@ -486,7 +489,7 @@ On **MDT01**: ### Update the deployment share -After the deployment share has been configured, it needs to be updated. This is the process when the Windows PE boot images are created. +After the deployment share has been configured, it needs to be updated. This update-process is the one when the Windows PE boot images are created. 1. In the Deployment Workbench, right-click the **MDT Build Lab** deployment share and select **Update Deployment Share**. 2. Use the default options for the Update Deployment Share Wizard. @@ -496,9 +499,9 @@ After the deployment share has been configured, it needs to be updated. This is ### The rules explained -Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it is time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. +Now that the MDT Build Lab deployment share (the share used to create the reference images) has been configured, it's time to explain the various settings used in the Bootstrap.ini and CustomSettings.ini files. -The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide just enough information for MDT to find the CustomSettings.ini. +The Bootstrap.ini and CustomSettings.ini files work together. The Bootstrap.ini file is always present on the boot image and is read first. The basic purpose for Bootstrap.ini is to provide enough information for MDT to find the CustomSettings.ini. The CustomSettings.ini file is normally stored on the server, in the Deployment share\\Control folder, but also can be stored on the media (when using offline media). @@ -521,14 +524,14 @@ SkipBDDWelcome=YES ``` So, what are these settings? -- **Priority.** This determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. -- **DeployRoot.** This is the location of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. -- **UserDomain, UserID, and UserPassword.** These values are used for automatic log on to the deployment share. Again, if they are not specified, the wizard prompts you. +- **Priority.** This setting determines the order in which different sections are read. This Bootstrap.ini has only one section, named \[Default\]. +- **DeployRoot.** This location is of the deployment share. Normally, this value is set by MDT, but you need to update the DeployRoot value if you move to another server or other share. If you don't specify a value, the Windows Deployment Wizard prompts you for a location. +- **UserDomain, UserID, and UserPassword.** These values are used for automatic sign in to the deployment share. Again, if they aren't specified, the wizard prompts you. >[!WARNING] >Caution is advised. These values are stored in clear text on the boot image. Use them only for the MDT Build Lab deployment share and not for the MDT Production deployment share that you learn to create in the next topic. -- **SkipBDDWelcome.** Even if it is nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. +- **SkipBDDWelcome.** Even if it's nice to be welcomed every time we start a deployment, we prefer to skip the initial welcome page of the Windows Deployment Wizard. >[!NOTE] >All properties beginning with "Skip" control only whether to display that pane in the Windows Deployment Wizard. Most of the panes also require you to actually set one or more values. @@ -569,20 +572,20 @@ SkipRoles=YES SkipCapture=NO SkipFinalSummary=YES ``` -- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you have multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. +- **Priority.** Has the same function as in Bootstrap.ini. Priority determines the order in which different sections are read. This CustomSettings.ini has only one section, named \[Default\]. In general, if you've multiple sections that set the same value, the value from the first section (higher priority) wins. The rare exceptions are listed in the ZTIGather.xml file. - **\_SMSTSORGNAME.** The organization name displayed in the task sequence progress bar window during deployment. -- **UserDataLocation.** Controls the settings for user state backup. You do not need to use when building and capturing a reference image. +- **UserDataLocation.** Controls the settings for user state backup. You don't need to use when building and capturing a reference image. - **DoCapture.** Configures the task sequence to run the System Preparation (Sysprep) tool and capture the image to a file when the operating system is installed. -- **OSInstall.** Must be set to Y or YES (the code actually just looks for the Y character) for the setup to proceed. +- **OSInstall.** Must be set to Y or YES (the code just looks for the Y character) for the setup to proceed. - **AdminPassword.** Sets the local Administrator account password. - **TimeZoneName.** Establishes the time zone to use. Don't confuse this value with TimeZone, which is only for legacy operating systems (Windows 7 and Windows Server 2003). **Note**: The easiest way to find the current time zone name on a Windows 10 machine is to run tzutil /g in a command prompt. You can also run tzutil /l to get a listing of all available time zone names. - **JoinWorkgroup.** Configures Windows to join a workgroup. -- **HideShell.** Hides the Windows Shell during deployment. This is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. +- **HideShell.** Hides the Windows Shell during deployment. This hide-operation is especially useful for Windows 10 deployments in which the deployment wizard will otherwise appear behind the tiles. - **FinishAction.** Instructs MDT what to do when the task sequence is complete. -- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There is no need to do this for your reference image. +- **DoNotCreateExtraPartition.** Configures the task sequence not to create the extra partition for BitLocker. There's no need to do this configuration for your reference image. - **WSUSServer.** Specifies which Windows Server Update Services (WSUS) server (and port, if needed) to use during the deployment. Without this option MDT will use Microsoft Update directly, which will increase deployment time and limit your options of controlling which updates are applied. - **SLSHARE.** Instructs MDT to copy the log files to a server share if something goes wrong during deployment, or when a deployment is successfully completed. - **ApplyGPOPack.** Allows you to deploy local group policies created by Microsoft Security Compliance Manager (SCM). @@ -602,9 +605,9 @@ SkipFinalSummary=YES ## Build the Windows 10 reference image -As previously described, this section requires a Hyper-V host. See [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements) for more information. +As previously described, this section requires a Hyper-V host. For more information, see [Hyper-V requirements](prepare-for-windows-deployment-with-mdt.md#hyper-v-requirements). -Once you have created your task sequence, you are ready to create the Windows 10 reference image. This will be performed by launching the task sequence from a virtual machine which will then automatically perform the reference image creation and capture process. +Once you've created your task sequence, you're ready to create the Windows 10 reference image. This image creation will be performed by launching the task sequence from a virtual machine that will then automatically perform the reference image creation and capture process. The steps below outline the process used to boot a virtual machine using an ISO boot image created by MDT, and then run the reference image task sequence image to create and capture the Windows 10 reference image. @@ -628,7 +631,7 @@ On **HV01**: 4. Start the REFW10X64-001 virtual machine and connect to it. - **Note**: Up to this point we have not discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario this is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. + **Note**: Up to this point we haven't discussed IP addressing or DHCP. In the initial setup for this guide, DC01 was provisioned as a DHCP server to provide IP address leases to client computers. You might have a different DHCP server on your network that you wish to use. The REFW10X64-001 virtual machine requires an IP address lease that provides it with connectivity to MDT01 so that it can connect to the \\MDT01\MDTBuildLab$ share. In the current scenario, this connectivity is accomplished with a DHCP scope that provides IP addresses in the 10.10.10.100 - 10.10.10.200 range, as part of a /24 subnet so that the client can connect to MDT01 at 10.10.10.11. After booting into Windows PE, complete the Windows Deployment Wizard with the following settings: 1. Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Default Image @@ -640,7 +643,7 @@ On **HV01**: The Windows Deployment Wizard for the Windows 10 reference image. -5. The setup now starts and does the following: +5. The setup now starts and does the following steps: 1. Installs the Windows 10 Enterprise operating system. 2. Installs the added applications, roles, and features. 3. Updates the operating system via your local Windows Server Update Services (WSUS) server. @@ -649,7 +652,7 @@ On **HV01**: 6. Captures the installation to a Windows Imaging (WIM) file. 7. Turns off the virtual machine. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ![image.](../images/image-captured.png) @@ -662,9 +665,9 @@ If you [enabled monitoring](#enable-monitoring), you can check the progress of t ![monitoring.](../images/mdt-monitoring.png) -If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. +If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log. From the command line in Windows PE, you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$. -After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. +After some time, you 'll have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim. ## Related topics diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md index 25eddbf4ef..90deeb5238 100644 --- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md +++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md @@ -15,16 +15,16 @@ ms.topic: article **Applies to** - Windows 10 -This topic will show you how to take your reference image for Windows 10 (that was just [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). +This topic will show you how to take your reference image for Windows 10 (that was [created](create-a-windows-10-reference-image.md)), and deploy that image to your environment using the Microsoft Deployment Toolkit (MDT). -We will prepare for this by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We will configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. +We'll prepare for this deployment by creating an MDT deployment share that is used solely for image deployment. Separating the processes of creating reference images from the processes used to deploy them in production allows greater control of on both processes. We'll configure Active Directory permissions, configure the deployment share, create a new task sequence, and add applications, drivers, and rules. -For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 and PC0005. +For the purposes of this topic, we'll use four computers: DC01, MDT01, HV01 and PC0005. - DC01 is a domain controller - MDT01 is a domain member server - HV01 is a Hyper-V server -- PC0005 is a blank device to which we will deploy Windows 10 +- PC0005 is a blank device to which we'll deploy Windows 10 MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation. HV01 used to test deployment of PC0005 in a virtual environment. @@ -35,7 +35,7 @@ MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contos ## Step 1: Configure Active Directory permissions -These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you have The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. +These steps will show you how to configure an Active Directory account with the permissions required to deploy a Windows 10 machine to the domain using MDT. These steps assume you've The account is used for Windows Preinstallation Environment (Windows PE) to connect to MDT01. In order for MDT to join machines into the contoso.com domain you need to create an account and configure permissions in Active Directory. On **DC01**: @@ -55,7 +55,7 @@ On **DC01**: .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso" ``` - The following is a list of the permissions being granted: + The following list is of the permissions being granted: - Scope: This object and all descendant objects - Create Computer objects @@ -72,7 +72,7 @@ On **DC01**: ## Step 2: Set up the MDT production deployment share -Next, create a new MDT deployment share. You should not use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. +Next, create a new MDT deployment share. You shouldn't use the same deployment share that you used to create the reference image for a production deployment. Perform this procedure on the MDT01 server. ### Create the MDT production deployment share @@ -80,7 +80,7 @@ On **MDT01**: The steps for creating the deployment share for production are the same as when you created the deployment share for creating the custom reference image: -1. Ensure you are signed on as: contoso\administrator. +1. Ensure you're signed on as: contoso\administrator. 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**. 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**. @@ -97,7 +97,7 @@ To read files in the deployment share, you need to assign NTFS and SMB permissio On **MDT01**: -1. Ensure you are signed in as **contoso\\administrator**. +1. Ensure you're signed in as **contoso\\administrator**. 2. Modify the NTFS permissions for the **D:\\MDTProduction** folder by running the following command in an elevated Windows PowerShell prompt: ``` powershell @@ -107,11 +107,11 @@ On **MDT01**: ## Step 3: Add a custom image -The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores additional components in the Sources\\SxS folder which is outside the image and may be required when installing components. +The next step is to add a reference image into the deployment share with the setup files required to successfully deploy Windows 10. When adding a custom image, you still need to copy setup files (an option in the wizard) because Windows 10 stores other components in the Sources\\SxS folder that is outside the image and may be required when installing components. ### Add the Windows 10 Enterprise x64 RTM custom image -In these steps, we assume that you have completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you have a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. +In these steps, we assume that you've completed the steps in the [Create a Windows 10 reference image](create-a-windows-10-reference-image.md) topic, so you've a Windows 10 reference image at **D:\\MDTBuildLab\\Captures\REFW10X64-001.wim** on MDT01. 1. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**. 2. Right-click the **Windows 10** folder and select **Import Operating System**. @@ -139,8 +139,8 @@ When you configure your MDT Build Lab deployment share, you can also add applica On **MDT01**: -1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2200120142_en_US.exe) to **D:\\setup\\adobe** on MDT01. -2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC2200120142_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). +1. Download the Enterprise distribution version of [Adobe Acrobat Reader DC](https://get.adobe.com/reader/enterprise/) (AcroRdrDC2100520060_en_US.exe) to **D:\\setup\\adobe** on MDT01. +2. Extract the .exe file that you downloaded to a .msi (ex: .\AcroRdrDC2100520060_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne). 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node. 4. Right-click the **Applications** node, and create a new folder named **Adobe**. @@ -175,12 +175,12 @@ For boot images, you need to have storage and network drivers; for the operating ### Create the driver source structure in the file system -The key to successful management of drivers for MDT, as well as for any other deployment solution, is to have a really good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. +The key to successful management of drivers for MDT, and for any other deployment solution, is to have a good driver repository. From this repository, you import drivers into MDT for deployment, but you should always maintain the repository for future use. On **MDT01**: > [!IMPORTANT] -> In the steps below, it is critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. +> In the steps below, it's critical that the folder names used for various computer makes and models exactly match the results of **wmic computersystem get model,manufacturer** on the target system. 1. Using File Explorer, create the **D:\\drivers** folder. 2. In the **D:\\drivers** folder, create the following folder structure: @@ -198,11 +198,11 @@ On **MDT01**: - Surface Laptop > [!NOTE] -> Even if you are not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. +> Even if you're not going to use both x86 and x64 boot images, we still recommend that you add the support structure for future use. ### Create the logical driver structure in MDT -When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This is done by creating logical folders in the Deployment Workbench. +When you import drivers to the MDT driver repository, MDT creates a single instance folder structure based on driver class names. However, you can, and should, mimic the driver structure of your driver source repository in the Deployment Workbench. This mimic is done by creating logical folders in the Deployment Workbench. 1. On MDT01, using Deployment Workbench, select the **Out-of-Box Drivers** node. 2. In the **Out-Of-Box Drivers** node, create the following folder structure: 1. WinPE x86 @@ -260,7 +260,7 @@ On **MDT01**: ### Extract and import drivers for the x64 boot image -Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require additional drivers. In this example, you add the latest Intel network drivers to the x64 boot image. +Windows PE supports all the hardware models that we have, but here you learn to add boot image drivers to accommodate any new hardware that might require more drivers. In this example, you add the latest Intel network drivers to the x64 boot image. On **MDT01**: @@ -282,7 +282,7 @@ For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retrieve To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543). -In this example, we assume you have downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. +In this example, we assume you've downloaded and extracted the drivers using ThinkVantage Update Retriever to the **D:\\Drivers\\Lenovo\\ThinkStation P500 (30A6003TUS)** directory. On **MDT01**: @@ -292,13 +292,13 @@ On **MDT01**: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)** - The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers. + The folder you select and all subfolders will be checked for drivers, expanding any .cab files that are present and searching for drivers. ### For the Latitude E7450 For the Dell Latitude E7450 model, you use the Dell Driver CAB file, which is accessible via the [Dell TechCenter website](https://go.microsoft.com/fwlink/p/?LinkId=619544). -In these steps, we assume you have downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. +In these steps, we assume you've downloaded and extracted the CAB file for the Latitude E7450 model to the **D:\\Drivers\\Dell Inc.\\Latitude E7450** folder. On **MDT01**: @@ -312,7 +312,7 @@ On **MDT01**: For the HP EliteBook 8560w, you use HP Image Assistant to get the drivers. The HP Image Assistant can be accessed on the [HP Support site](https://ftp.ext.hp.com/pub/caps-softpaq/cmit/HPIA.html). -In these steps, we assume you have downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. +In these steps, we assume you've downloaded and extracted the drivers for the HP EliteBook 8650w model to the **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder. On **MDT01**: @@ -324,7 +324,7 @@ On **MDT01**: ### For the Microsoft Surface Laptop -For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps we assume you have downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. +For the Microsoft Surface Laptop model, you find the drivers on the Microsoft website. In these steps, we assume you've downloaded and extracted the Surface Laptop drivers to the **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop** folder. On **MDT01**: @@ -336,7 +336,7 @@ On **MDT01**: ## Step 6: Create the deployment task sequence -This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You will then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. +This section will show you how to create the task sequence used to deploy your production Windows 10 reference image. You'll then configure the task sequence to enable patching via a Windows Server Update Services (WSUS) server. ### Create a task sequence for Windows 10 Enterprise @@ -350,11 +350,11 @@ On **MDT01**: - Task sequence comments: Production Image - Template: Standard Client Task Sequence - Select OS: Windows 10 Enterprise x64 RTM Custom Image - - Specify Product Key: Do not specify a product key at this time + - Specify Product Key: Don't specify a product key at this time - Full Name: Contoso - Organization: Contoso - Internet Explorer home page: `https://www.contoso.com` - - Admin Password: Do not specify an Administrator Password at this time + - Admin Password: Don't specify an Administrator Password at this time ### Edit the Windows 10 task sequence @@ -372,7 +372,7 @@ On **MDT01**: - Install all drivers from the selection profile > [!NOTE] - > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. + > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT shouldn't use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting. 3. State Restore. Enable the **Windows Update (Pre-Application Installation)** action. @@ -386,7 +386,7 @@ On **MDT01**: ## Step 7: Configure the MDT production deployment share -In this section, you will learn how to configure the MDT Build Lab deployment share with the rules required to create a simple and dynamic deployment process. This includes configuring commonly used rules and an explanation of how these rules work. +In this section, you'll learn how to configure the MDT Build Lab deployment share with the rules required to create a dynamic deployment process. This configuration includes commonly used rules and an explanation of how these rules work. ### Configure the rules @@ -460,7 +460,7 @@ On **MDT01**: > [!NOTE] > - > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests. + > Because you're going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you don't need the ISO file; however, we recommend creating ISO files because they're useful when troubleshooting deployments and for quick tests. 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option. @@ -488,13 +488,13 @@ On **MDT01**: ### The rules explained -The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. +The rules for the MDT Production deployment share are different from those rules for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup. -You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example we are skipping the welcome screen and providing credentials. +You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address. In this example, we're skipping the welcome screen and providing credentials. ### The Bootstrap.ini file -This is the MDT Production Bootstrap.ini: +This file is the MDT Production Bootstrap.ini: ``` [Settings] @@ -510,7 +510,7 @@ SkipBDDWelcome=YES ### The CustomSettings.ini file -This is the CustomSettings.ini file with the new join domain information: +This file is the CustomSettings.ini file with the new join domain information: ``` [Settings] @@ -557,7 +557,7 @@ Some properties to use in the MDT Production rules file are as follows: - **DomainAdminPassword.** The password for the join domain account. - **MachineObjectOU.** The organizational unit (OU) to which to add the computer account. - **ScanStateArgs.** Arguments for the User State Migration Tool (USMT) ScanState command. -- **USMTMigFiles(\*).** List of USMT templates (controlling what to backup and restore). +- **USMTMigFiles(\*).** List of USMT templates (controlling what to back up and restore). - **EventService.** Activates logging information to the MDT monitoring web service. > [!NOTE] @@ -568,11 +568,11 @@ Some properties to use in the MDT Production rules file are as follows: ### Optional deployment share configuration -If your organization has a Microsoft Software Assurance agreement, you also can subscribe to the additional Microsoft Desktop Optimization Package (MDOP) license (at an additional cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, as well as troubleshoot Windows itself. +If your organization has a Microsoft Software Assurance agreement, you also can subscribe to another Microsoft Desktop Optimization Package (MDOP) license (at an extra cost). Included in MDOP is Microsoft Diagnostics and Recovery Toolkit (DaRT), which contains tools that can help you troubleshoot MDT deployments, and troubleshoot Windows itself. ### Add DaRT 10 to the boot images -If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following: +If you've licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you don't have DaRT licensing, or don't want to use it, skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following steps: > [!NOTE] @@ -608,7 +608,7 @@ On **MDT01**: ### Update the deployment share -Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created. +Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This update-process is the one during which the Windows PE boot images are created. 1. Right-click the **MDT Production** deployment share and select **Update Deployment Share**. @@ -639,7 +639,7 @@ On **MDT01**: ### Deploy the Windows 10 client -At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you are confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. This helps rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: +At this point, you should have a solution ready for deploying the Windows 10 client. We recommend starting by trying a few deployments at a time until you're confident that your configuration works as expected. We find it useful to try some initial tests on virtual machines before testing on physical hardware. These tests help rule out hardware issues when testing or troubleshooting. Here are the steps to deploy your Windows 10 image to a virtual machine: On **HV01**: @@ -665,7 +665,7 @@ On **HV01**: - Computer Name: **PC0005** - Applications: Select the **Install - Adobe Reader** checkbox. -4. Setup now begins and does the following: +4. Setup now begins and does the following steps: - Installs the Windows 10 Enterprise operating system. - Installs the added application. @@ -681,7 +681,7 @@ Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed auto ### Use the MDT monitoring feature -Since you have enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. +Since you've enabled the monitoring on the MDT Production deployment share, you can follow your deployment of PC0005 via the monitoring node. On **MDT01**: @@ -705,12 +705,11 @@ The Event Viewer showing a successful deployment of PC0005. ## Multicast deployments -Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it is important to ensure that your network supports it and is designed for it. If you have a limited number of simultaneous deployments, you probably do not need to enable multicast. +Multicast deployment allows for image deployment with reduced network load during simultaneous deployments. Multicast is a useful operating system deployment feature in MDT deployments, however it's important to ensure that your network supports it and is designed for it. If you've a limited number of simultaneous deployments, you probably don't need to enable multicast. ### Requirements -Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this means involving the organization networking team to make sure that -Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. +Multicast requires that Windows Deployment Services (WDS) is running on Windows Server 2008 or later. In addition to the core MDT setup for multicast, the network needs to be configured to support multicast. In general, this configuration means involvement of the organization networking team to ensure that Internet Group Management Protocol (IGMP) snooping is turned on and that the network is designed for multicast traffic. The multicast solution uses IGMPv3. ### Set up MDT for multicast @@ -729,9 +728,9 @@ On **MDT01**: ## Use offline media to deploy Windows 10 -In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can very easily generate an offline version of your deployment share - either the full deployment share or a subset of it - through the use of selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. +In addition to network-based deployments, MDT supports the use of offline media-based deployments of Windows 10. You can easily generate an offline version of your deployment share - either the full deployment share or a subset of it - by using selection profiles. The generated offline media can be burned to a DVD or copied to a USB stick for deployment. -Offline media are useful not only when you do not have network connectivity to the deployment share, but also when you have limited connection to the deployment share and do not want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. +Offline media are useful not only when you don't have network connectivity to the deployment share, but also when you've limited connection to the deployment share and don't want to copy 5 GB of data over the wire. Offline media can still join the domain, but you save the transfer of operating system images, drivers, and applications over the wire. ### Create the offline media selection profile @@ -762,7 +761,7 @@ In these steps, you generate offline media from the MDT Production deployment sh 1. On MDT01, using File Explorer, create the **D:\\MDTOfflineMedia** folder. >[!NOTE] - >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media. + >When creating offline media, you need to create the target folder first. It's crucial that you don't create a subfolder inside the deployment share folder because it will break the offline media. 2. In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**. @@ -798,7 +797,7 @@ On **MDT01**: ### Generate the offline media -You have now configured the offline media deployment share, however the share has not yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. +You've now configured the offline media deployment share, however the share hasn't yet been populated with the files required for deployment. Now everything is ready you populate the deployment share content folder and generate the offline media ISO. On **MDT01**: @@ -808,7 +807,7 @@ On **MDT01**: ### Create a bootable USB stick -The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) +The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it's often more efficient to use USB sticks instead since they're faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.) >[!TIP] >In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM:
                             
                            Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800.
                             
                            Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm.
                             
                            To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`True`), so this must be changed and the offline media content updated. @@ -821,7 +820,7 @@ Follow these steps to create a bootable USB stick from the offline media content 3. Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**. -4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. +4. In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F. 5. In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter). @@ -829,7 +828,7 @@ Follow these steps to create a bootable USB stick from the offline media content ## Unified Extensible Firmware Interface (UEFI)-based deployments -As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI. +As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you've an UEFI-based machine and creates the partitions UEFI requires. You don't need to update or change your task sequences in any way to accommodate UEFI. ![figure 14.](../images/mdt-07-fig16.png) diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md index d5a9a7653a..9667f4a047 100644 --- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md +++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md @@ -21,23 +21,23 @@ This article provides an overview of the features, components, and capabilities MDT is a unified collection of tools, processes, and guidance for automating desktop and server deployment. You can use it to create reference images or as a complete deployment solution. MDT is one of the most important tools available to IT professionals today. -In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with additional guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. +In addition to reducing deployment time and standardizing desktop and server images, MDT enables you to more easily manage security and ongoing configurations. MDT builds on top of the core deployment tools in the [Windows Assessment and Deployment Kit](/windows-hardware/get-started/adk-install) (Windows ADK) with more guidance and features designed to reduce the complexity and time required for deployment in an enterprise environment. -MDT supports the deployment of Windows 10, as well as Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). +MDT supports the deployment of Windows 10, and Windows 7, Windows 8.1, and Windows Server. It also includes support for zero-touch installation (ZTI) with [Microsoft Endpoint Configuration Manager](/configmgr/). > [!IMPORTANT] > For more information about MDT supported platforms, see [MDT Release Notes](/mem/configmgr/mdt/release-notes#supported-platforms) and [MDT FAQ](/mem/configmgr/mdt/faq#is-this-release-only-supported-with-version--x--of-windows-client--windows-adk--or-configuration-manager-). ## Key features in MDT -MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it is considered fundamental to Windows operating system and enterprise application deployment. +MDT has been in existence since 2003, when it was first introduced as Business Desktop Deployment (BDD) 1.0. The toolkit has evolved, both in functionality and popularity, and today it's considered fundamental to Windows operating system and enterprise application deployment. MDT has many useful features, such as: - **Windows Client support.** Supports Windows 7, Windows 8.1, and Windows 10. - **Windows Server support.** Supports Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Windows Server 2019. -- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), as well as Windows 8.1 Embedded Industry. +- **Additional operating systems support.** Supports Windows Thin PC and [Windows Embedded POSReady 7](https://www.microsoft.com/en-us/download/details.aspx?id=26558), and Windows 8.1 Embedded Industry. - **UEFI support.** Supports deployment to machines using Unified Extensible Firmware Interface (UEFI) version 2.3.1. -- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI. +- **GPT support.** Supports deployment to machines that require the new GPT partition table format. This feature is related to UEFI. - **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts. ![figure 2.](../images/mdt-05-fig02.png) @@ -48,7 +48,7 @@ MDT has many useful features, such as: - **Automated participation in CEIP and WER.** Provides configuration for participation in Windows Customer Experience Improvement Program (CEIP) and Windows Error Reporting (WER). - **Deploy Windows RE.** Enables deployment of a customized Windows Recovery Environment (Windows RE) as part of the task sequence. - **Deploy to VHD.** Provides ready-made task sequence templates for deploying Windows into a virtual hard disk (VHD) file. -- **Improved deployment wizard.** Provides additional progress information and a cleaner UI for the Lite Touch Deployment Wizard. +- **Improved deployment wizard.** Provides more progress information and a cleaner UI for the Lite Touch Deployment Wizard. - **Monitoring.** Allows you to see the status of currently running deployments. - **Apply GPO Pack.** Allows you to deploy local group policy objects created by Microsoft Security Compliance Manager (SCM). - **Partitioning routines.** Provides improved partitioning routines to ensure that deployments work regardless of the current hard drive structure. @@ -65,21 +65,21 @@ MDT has many useful features, such as: - **Support for Microsoft Office.** Provides added support for deploying Microsoft Office. - **Support for Modern UI app package provisioning.** Provisions applications based on the new Windows app package standard, which is used in Windows 8 and later. - **Extensibility.** Provides the capability to extend MDT far beyond the built-in features by adding custom scripts, web services, System Center Orchestrator runbooks, PowerShell scripts, and VBScripts. -- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, refer to the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). +- **Upgrade task sequence.** Provides a new upgrade task sequence template that you can use to upgrade existing Windows 7, Windows 8, and Windows 8.1 systems directly to Windows 10, automatically preserving all data, settings, applications, and drivers. For more information about using this new upgrade task sequence, see the [Microsoft Deployment Toolkit resource page](/mem/configmgr/mdt/). ## MDT Lite Touch components -Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires very little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disc. +Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An LTI deployment strategy requires little infrastructure or user interaction, and can be used to deploy an operating system from a network share or from a physical media, such as a USB flash drive or disk. -When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command. +When the Windows operating system is being deployed using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click **View Script**. You're provided the PowerShell command. ![figure 4.](../images/mdt-05-fig04.png) -If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task. +If you click **View Script** on the right side, you'll get the PowerShell code that was used to perform the task. ## Deployment shares -A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get additional settings for the deployment. For Lite Touch deployments, it is common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it is common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. +A deployment share is essentially a folder on the server that is shared and contains all the setup files and scripts needed for the deployment solution. It also holds the configuration files (called rules) that are gathered when a machine is deployed. These configuration files can reach out to other sources, like a database, external script, or web server to get more settings for the deployment. For Lite Touch deployments, it's common to have two deployment shares: one for creating the reference images and one for deployment. For Zero Touch, it's common to have only the deployment share for creating reference images because Configuration Manager deploys the image in the production environment. ## Rules @@ -92,7 +92,7 @@ You can manage hundreds of settings in the rules. For more information, see the ![figure 5.](../images/mdt-05-fig05.png) -Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number +Example of an MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number ## Boot images @@ -101,7 +101,7 @@ share on the server and start the deployment. ## Operating systems -Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you have created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. +Using the Deployment Workbench, you import the operating systems you want to deploy. You can import either the full source (like the full Windows 10 DVD/ISO) or a custom image that you've created. The full-source operating systems are primarily used to create reference images; however, they also can be used for normal deployments. ## Applications @@ -113,7 +113,7 @@ You also use the Deployment Workbench to import the drivers your hardware needs ## Packages -With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that are not available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. +With the Deployment Workbench, you can add any Microsoft packages that you want to use. The most commonly added packages are language packs, and the Deployment Workbench Packages node works well for those packages. You also can add security and other updates this way. However, we generally recommend that you use Windows Server Update Services (WSUS) for operating system updates. The rare exceptions are critical hotfixes that aren't available via WSUS, packages for the boot image, or any other package that needs to be deployed before the WSUS update process starts. ## Task sequences @@ -128,17 +128,18 @@ You can think of a task sequence as a list of actions that need to be executed i ## Task sequence templates -MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they will be available when you create a new task sequence. +MDT comes with nine default task sequence templates. You can also create your own templates. As long as you store them in the Templates folder, they'll be available when you create a new task sequence. - **Sysprep and Capture task sequence.** Used to run the System Preparation (Sysprep) tool and capture an image of a reference computer. - **Note**: It is preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture cannot. + > [!NOTE] + > It's preferable to use a complete build and capture instead of the Sysprep and Capture task sequence. A complete build and capture can be automated, whereas Sysprep and Capture can't. - **Standard Client task sequence.** The most frequently used task sequence. Used for creating reference images and for deploying clients in production. - **Standard Client Replace task sequence.** Used to run User State Migration Tool (USMT) backup and the optional full Windows Imaging (WIM) backup action. Can also be used to do a secure wipe of a machine that is going to be decommissioned. - **Custom task sequence.** As the name implies, a custom task sequence with only one default action (one Install Application action). -- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it does not contain any USMT actions because USMT is not supported on servers. +- **Standard Server task sequence.** The default task sequence for deploying operating system images to servers. The main difference between this template and the Standard Client task sequence template is that it doesn't contain any USMT actions because USMT isn't supported on servers. - **Lite Touch OEM task sequence.** Used to preload operating systems images on the computer hard drive. Typically used by computer original equipment manufacturers (OEMs) but some enterprise organizations also use this feature. -- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Very useful for server deployments but not often used for client deployments. +- **Post OS Installation task sequence.** A task sequence prepared to run actions after the operating system has been deployed. Useful for server deployments but not often used for client deployments. - **Deploy to VHD Client task sequence.** Similar to the Standard Client task sequence template but also creates a virtual hard disk (VHD) file on the target computer and deploys the image to the VHD file. - **Deploy to VHD Server task sequence.** Same as the Deploy to VHD Client task sequence but for servers. - **Standard Client Upgrade task sequence.** A simple task sequence template used to perform an in-place upgrade from Windows 7, Windows 8, or Windows 8.1 directly to Windows 10, automatically preserving existing data, settings, applications, and drivers. @@ -161,7 +162,7 @@ The easiest way to view log files is to use Configuration Manager Trace (CMTrace ## Monitoring -On the deployment share, you also can enable monitoring. After you enable monitoring, you will see all running deployments in the Monitor node in the Deployment Workbench. +On the deployment share, you also can enable monitoring. After you enable monitoring, you'll see all running deployments in the Monitor node in the Deployment Workbench. ## See next From d36e245b91433239a23828e915e1211b10c48ff1 Mon Sep 17 00:00:00 2001 From: Siddarth Mandalika Date: Mon, 8 Aug 2022 17:06:55 +0530 Subject: [PATCH 72/77] Update build-a-distributed-environment-for-windows-10-deployment.md --- ...build-a-distributed-environment-for-windows-10-deployment.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md index 619447fac2..ccf4df0e57 100644 --- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md +++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md @@ -1,6 +1,6 @@ --- title: Build a distributed environment for Windows 10 deployment (Windows 10) - Date: Mon, 8 Aug 2022 12:37:50 -0400 Subject: [PATCH 73/77] Update hello-errors-during-pin-creation.md updated the description, fixing minor issues --- .../hello-for-business/hello-errors-during-pin-creation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md index 592e53bc19..d7987dc9bc 100644 --- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md +++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md @@ -70,7 +70,7 @@ If the error occurs again, check the error code against the following table to s | 0x801C044D | Authorization token does not contain device ID. | Unjoin the device from Azure AD and rejoin. | | | Unable to obtain user token. | Sign out and then sign in again. Check network and credentials. | | 0x801C044E | Failed to receive user credentials input. | Sign out and then sign in again. | -| 0xC00000BB | Something went wrong and you PIN isn’t available. Or That option is temporarily unavailable. For now, please use a different method to sign in. | Destination domain controller doesn't support the login, most likely KDC service dont have proper certificate to support the login.| +| 0xC00000BB | Your PIN or this option is temporarily unavailable.| The destination domain controller doesn't support the login method. Most often the KDC service doesn't have the proper certificate to support the login. Use a different login method.| From ab39b0047c32ff3ad5a9b3d71db48e5a2a02a5d2 Mon Sep 17 00:00:00 2001 From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Date: Mon, 25 Jul 2022 11:02:50 -0400 Subject: [PATCH 74/77] Cherry pick Changes for #9917 --- ...e-logon-message-text-for-users-attempting-to-log-on.md | 6 ++---- ...-logon-message-title-for-users-attempting-to-log-on.md | 8 +++----- 2 files changed, 5 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md index 2f384a46fc..09e60e2f2b 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive Logon Message text (Windows 10) description: Learn about best practices, security considerations and more for the security policy setting, Interactive logon Message text for users attempting to log on. ms.assetid: fcfe8a6d-ca65-4403-b9e6-2fa017a31c2e -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy @@ -32,9 +32,7 @@ The **Interactive logon: Message text for users attempting to log on** and [Inte **Interactive logon: Message text for users attempting to log on** specifies a text message to be displayed to users when they sign in. -**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. - -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. +**Interactive logon: Message title for users attempting to log on** specifies a title to appear in the title bar of the window that contains the text message. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can sign in to the server console. diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md index ab20a8f979..b16fd3bff2 100644 --- a/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md +++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md @@ -2,7 +2,7 @@ title: Interactive logon Message title for users attempting to log on (Windows 10) description: Best practices, security considerations, and more for the security policy setting, Interactive logon Message title for users attempting to log on. ms.assetid: f2596470-4cc0-4ef1-849c-bef9dc3533c6 -ms.reviewer: +ms.reviewer: ms.author: dansimp ms.prod: m365-security ms.mktglfcycl: deploy @@ -30,9 +30,7 @@ Describes the best practices, location, values, policy management and security c This security setting allows you to specify a title that appears in the title bar of the window that contains the **Interactive logon: Message title for users attempting to log on**. This text is often used for legal reasons—for example, to warn users about the ramifications of misusing company information, or to warn them that their actions might be audited. -The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. - -Not using this warning-message policy setting leaves your organization legally vulnerable to trespassers who unlawfully penetrate your network. Legal precedents have established that organizations that display warnings to users who connect to their servers over a network have a higher rate of successfully prosecuting trespassers. +The **Interactive logon: Message title for users attempting to log on** and [Interactive logon: Message text for users attempting to log on](interactive-logon-message-text-for-users-attempting-to-log-on.md) policy settings are closely related. **Interactive logon: Message title for users attempting to log on** specifies a message title to be displayed to users when they log on. This text is often used for legal reasons, for example, to warn users about the ramifications of misusing company information or to warn them that their actions may be audited. When these policy settings are configured, users will see a dialog box before they can sign in the server console. @@ -43,7 +41,7 @@ When these policy settings are configured, users will see a dialog box before th ### Best practices -1. It's advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one of the following values: +1. It is advisable to set **Interactive logon: Message title for users attempting to log on** to a value similar to one the following: - RESTRICTED SYSTEM From 6c37b3f420866c66367d6998c17feef6fa214327 Mon Sep 17 00:00:00 2001 From: Jitin Mathew Date: Mon, 8 Aug 2022 23:09:11 +0530 Subject: [PATCH 75/77] Updated-6247330 Redirection file entry updated to resolve validation error. --- .openpublishing.redirection.json | 1 + 1 file changed, 1 insertion(+) diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index bdc9f68fb9..afe30ff75b 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -19594,6 +19594,7 @@ "source_path": "windows/deployment/update/waas-delivery-optimization-faq.md", "redirect_url": "/windows/deployment/do/waas-delivery-optimization-faq", "redirect_document_id": false + }, { "source_path": "windows/security/identity-protection/access-control/security-identifiers.md", "redirect_url": "/windows-server/identity/ad-ds/manage/understand-security-identifiers", From 4536c4f0fe229a5c9117ca6864c00c2cd6122567 Mon Sep 17 00:00:00 2001 From: tiaraquan Date: Mon, 8 Aug 2022 12:50:26 -0700 Subject: [PATCH 76/77] Aligning TOC name with article name. --- windows/deployment/windows-autopatch/TOC.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/windows-autopatch/TOC.yml b/windows/deployment/windows-autopatch/TOC.yml index c6e175c270..ecc4111a9c 100644 --- a/windows/deployment/windows-autopatch/TOC.yml +++ b/windows/deployment/windows-autopatch/TOC.yml @@ -35,7 +35,7 @@ - name: Operate href: operate/index.md items: - - name: Update management + - name: Software update management href: operate/windows-autopatch-update-management.md items: - name: Windows updates From a500a48dcd7d91a34ee4cfb57c6cb569bfdd26a2 Mon Sep 17 00:00:00 2001 From: jsuther1974 Date: Tue, 9 Aug 2022 08:00:58 -0700 Subject: [PATCH 77/77] Improved documentation for reference computer scenarios. --- .../create-initial-default-policy.md | 134 ++++++++++++------ ...e-wdac-policy-for-fully-managed-devices.md | 7 +- 2 files changed, 97 insertions(+), 44 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 2d31e8f0f7..f9b070ff3b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -1,6 +1,6 @@ --- -title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows) -description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide. +title: Create a WDAC policy using a reference computer (Windows) +description: To create a Windows Defender Application Control (WDAC) policy that allows all code installed on a reference computer within your organization, follow this guide. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.prod: m365-security @@ -11,83 +11,133 @@ ms.localizationpriority: medium audience: ITPro ms.collection: M365-security-compliance author: jsuther1974 -ms.reviewer: isbrahm +ms.reviewer: jogeurte ms.author: dansimp manager: dansimp -ms.date: 05/03/2018 +ms.date: 08/08/2022 ms.technology: windows-sec --- -# Create a WDAC policy for fixed-workload devices using a reference computer +# Create a WDAC policy using a reference computer **Applies to:** -- Windows 10 -- Windows 11 -- Windows Server 2016 and above +- Windows 10 +- Windows 11 +- Windows Server 2016 and above >[!NOTE] >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). -This section outlines the process to create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. - -For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. -Then create the WDAC policy by scanning the system for installed applications. -The policy file is converted to binary format when it gets created so that Windows can interpret it. - -## Overview of the process of creating Windows Defender Application Control policies - -A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Windows Defender Application Control policies follow a similar methodology that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of more WDAC policies based on what should be allowed to be installed and run and for whom. For more information on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md). - -Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed. - -If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). +This section outlines the process to create a Windows Defender Application Control (WDAC) policy **using a reference computer** that is already configured with the software you want to allow. You can use this approach for fixed-workload devices that are dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. This approach can also be used to turn on WDAC on systems "in the wild" and you want to minimize the potential impact on users' productivity. > [!NOTE] -> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. +> Some of the Windows Defender Application Control options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs. -Each installed software application should be validated as trustworthy before you create a policy. -We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. -Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. -You can remove or disable such software on the reference computer. +As described in [common Windows Defender Application Control deployment scenarios](types-of-devices.md), we'll use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices. -To create a Windows Defender Application Control policy, copy each of the following commands into an elevated Windows PowerShell session, in order: +**Alice Pena** is the IT team lead tasked with the rollout of WDAC. -1. Initialize variables that you'll use. +## Create a custom base policy using a reference device + +Alice previously created a policy for the organization's fully managed end-user devices. She now wants to use WDAC to protect Lamna's critical infrastructure servers. Lamna's imaging practice for infrastructure systems is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone more company assets. Alice decides to use these same "golden" image systems to create the WDAC policies, which will result in separate custom base policies for each type of infrastructure server. As with imaging, she'll have to create policies from multiple golden computers based on model, department, application set, and so on. + +> [!NOTE] +> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.

                            Each installed software application should be validated as trustworthy before you create a policy.

                            We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you don't want to run scripts. You can remove or disable such software on the reference computer. + +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's critical infrastructure servers: + +- All devices are running Windows Server 2019 or above; +- All apps are centrally managed and deployed; +- No interactive users. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. **“Windows works”** rules that authorize: + - Windows + - WHQL (third-party kernel drivers) + - Windows Store signed apps + +2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device + +To create the WDAC policy, Alice runs each of the following commands in an elevated Windows PowerShell session, in order: + +1. Initialize variables. ```powershell $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName="FixedWorkloadPolicy_Audit" - $WDACPolicy=$PolicyPath+$PolicyName+".xml" - $WDACPolicyBin=$PolicyPath+$PolicyName+".bin" + $LamnaServerPolicy=$PolicyPath+$PolicyName+".xml" + $DefaultWindowsPolicy=$env:windir+"\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml" + ``` 2. Use [New-CIPolicy](/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications: ```powershell - New-CIPolicy -Level PcaCertificate -FilePath $WDACPolicy –UserPEs 3> CIPolicyLog.txt + New-CIPolicy -FilePath $LamnaServerPolicy -Level SignedVersion -Fallback FilePublisher,FileName,Hash -ScanPath c:\ -UserPEs -MultiplePolicyFormat -OmitPaths c:\Windows,'C:\Program Files\WindowsApps\',c:\windows.old\,c:\users\ 3> CIPolicyLog.txt ``` > [!Note] - > - > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. - > - You can add the **-MultiplePolicyFormat** parameter when creating policies which will be deployed to computers which are running Windows build 1903+. For more information about multiple policies, see [Deploy multiple Windows Defender Application Control policies](deploy-multiple-windows-defender-application-control-policies.md). + > > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md). - > > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the tool will scan the C-drive by default. - > + > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. If you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers. In other words, the allow list will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. + > - To create a policy for Windows 10 1903 and above, including support for supplemental policies, use **-MultiplePolicyFormat**. + > - To specify a list of paths to exclude from the scan, use the **-OmitPaths** option and supply a comma-delimited list of paths. > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**. -3. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: +3. Merge the new policy with the WindowsDefault_Audit policy to ensure all Windows binaries and kernel drivers will load. + + ```powershell + Merge-CIPolicy -OutputFilePath $LamnaServerPolicy -PolicyPaths $LamnaServerPolicy,$DefaultWindowsPolicy + ``` + +4. Give the new policy a descriptive name, and initial version number: + + ```powershell + Set-CIPolicyIdInfo -FilePath $LamnaServerPolicy -PolicyName $PolicyName + Set-CIPolicyVersion -FilePath $LamnaServerPolicy -Version "1.0.0.0" + ``` + +5. Modify the merged policy to set policy rules: + + ```powershell + Set-RuleOption -FilePath $LamnaServerPolicy -Option 3 # Audit Mode + Set-RuleOption -FilePath $LamnaServerPolicy -Option 6 # Unsigned Policy + Set-RuleOption -FilePath $LamnaServerPolicy -Option 9 # Advanced Boot Menu + Set-RuleOption -FilePath $LamnaServerPolicy -Option 12 # Enforce Store Apps + Set-RuleOption -FilePath $LamnaServerPolicy -Option 16 # No Reboot + Set-RuleOption -FilePath $LamnaServerPolicy -Option 17 # Allow Supplemental + Set-RuleOption -FilePath $LamnaServerPolicy -Option 19 # Dynamic Code Security + ``` + +6. If appropriate, add more signer or file rules to further customize the policy for your organization. + +7. Use [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format: ```powershell - ConvertFrom-CIPolicy $WDACPolicy $WDACPolicyBin + [xml]$LamnaServerPolicyXML = Get-Content $LamnaServerPolicy + $PolicyId = $LamnaServerPolicyXML.SiPolicy.PolicyId + $LamnaServerPolicyBin = $PolicyPath+$PolicyId+".cip" + ConvertFrom-CIPolicy $LamnaServerPolicy $LamnaServerPolicyBin ``` -After you complete these steps, the WDAC binary file ($WDACPolicyBin) and original .xml file ($WDACPolicy) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for more security. +8. Upload the base policy XML and the associated binary to a source control solution such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration). -> [!NOTE] -> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md). +Alice now has an initial policy for Lamna's critical infrastructure servers that is ready to deploy in audit mode. -We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error messages. For information about how to audit a WDAC policy, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md). +## Create a custom base policy to minimize user impact on in-use client devices +Alice previously created a policy for the organization's fully managed devices. Alice has included the fully managed device policy as part of Lamna's device build process so all new devices now begin with WDAC enabled. She's preparing to deploy the policy to systems that are already in use, but is worried about causing disruption to users' productivity. To minimize that risk, Alice decides to take a different approach for those systems. She'll continue to deploy the fully managed device policy in audit mode to those devices, but for enforcement mode she'll merge the fully managed device policy rules with a policy created by scanning the device for all previously installed software. In this way, each device is treated as its own "golden" system. +Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed in-use devices: + +- Everything described for Lamna's [Fully Managed Devices](create-wdac-policy-for-fully-managed-devices.md); +- Users have installed apps that they need to continue to run. + +Based on the above, Alice defines the pseudo-rules for the policy: + +1. Everything included in the Fully Managed Devices policy +2. Rules for **scanned files** that authorize all pre-existing app binaries found on the device + +For Lamna's existing, in-use devices, Alice deploys a script along with the Fully Managed Devices policy XML (not the converted WDAC policy binary). The script then generates a custom policy locally on the client as described in the previous section, but instead of merging with the DefaultWindows policy, the script merges with Lamna's Fully Managed Devices policy. Alice also modifies the steps above to match the requirements of this different use case. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 7cd08be428..2d13639669 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -82,8 +82,9 @@ Alice follows these steps to complete this task: 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables: ```powershell + $PolicyPath=$env:userprofile+"\Desktop\" $PolicyName= "Lamna_FullyManagedClients_Audit" - $LamnaPolicy=$env:userprofile+"\Desktop\"+$PolicyName+".xml" + $LamnaPolicy=$PolicyPath+$PolicyName+".xml" $MEMCMPolicy=$env:windir+"\CCM\DeviceGuard\MergedPolicy_Audit_ISG.xml" ``` @@ -121,7 +122,9 @@ Alice follows these steps to complete this task: > In the sample commands below, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. ```powershell - $WDACPolicyBin=$env:userprofile+"\Desktop\"+$PolicyName+"_{InsertPolicyID}.bin" + [xml]$LamnaPolicyXML = Get-Content $LamnaPolicy + $PolicyId = $LamnaPolicyXML.SiPolicy.PolicyId + $LamnaPolicyBin = $PolicyPath+$PolicyId+".cip" ConvertFrom-CIPolicy $LamnaPolicy $WDACPolicyBin ```