From 0e4ad812681d2e3c56ea8a05923bf8d6f7661601 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Wed, 25 Mar 2020 16:45:18 +0500 Subject: [PATCH 01/20] Update hello-cert-trust-adfs.md --- .../hello-for-business/hello-cert-trust-adfs.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md index f42095fd31..a51e3b166f 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md 
@@ -75,8 +75,9 @@ Sign-in the federation server with domain administrator equivalent credentials. 6. On the **Request Certificates** page, Select the **Internal Web Server** check box. 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png) -8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Click **OK** when finished. -9. Click **Enroll**. +8. Under **Subject name**, select **Common Name** from the **Type** list. Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**. +9. Under **Alternative name**, select **DNS** from the **Type** list. Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role. Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished. +10. Click **Enroll**. A server authentication certificate should appear in the computer’s Personal certificate store. From 622be6d6f36018fbc8b307b1bb28af0ec78635d4 Mon Sep 17 00:00:00 2001 
From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Tue, 12 May 2020 08:18:03 +0500 Subject: [PATCH 02/20] Update hello-cert-trust-validate-pki.md --- .../hello-for-business/hello-cert-trust-validate-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md index 067d2d3504..3fc4c88711 100644 --- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md @@ -150,7 +150,7 @@ Domain controllers automatically request a certificate from the domain controlle 7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**. 8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**. 9. Select **Enabled** from the **Configuration Model** list. -10. Select the **Renew expired certificates**, **update pending certificates**, and **remove revoked certificates** check box. +10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box. 11. Select the **Update certificates that use certificate templates** check box. 12. Click **OK**. Close the **Group Policy Management Editor**. From bb189ac1efcf8b5f016383f7e1139584d1c28989 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Sun, 17 May 2020 11:51:36 +0500 Subject: [PATCH 03/20] Update troubleshoot-inaccessible-boot-device.md --- .../client-management/troubleshoot-inaccessible-boot-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 5556b97262..e2b6c3237a 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md @@ -113,7 +113,7 @@ To verify the BCD entries: 2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. > [!NOTE] - > If the computer is UEFI-based, the **bootmgr** and **winload** entries under **{default}** will contain an **.efi** extension. + > If the computer is UEFI-based, the filepath value specified in **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension. ![bcdedit](images/screenshot1.png) From 2337ec145edbbea78466ab156781f1de5fe42f11 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 18 May 2020 11:14:02 +0500 Subject: [PATCH 04/20] Update windows/client-management/troubleshoot-inaccessible-boot-device.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../client-management/troubleshoot-inaccessible-boot-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index e2b6c3237a..9f98c2a73c 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md 
@@ -110,7 +110,7 @@ To verify the BCD entries: >[!NOTE] >This output may not contain a path. -2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device** , **path** , **osdevice,** and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. +2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. > [!NOTE] > If the computer is UEFI-based, the filepath value specified in **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension. From f623eec27f374e087d8318385adda65213d669e9 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Mon, 18 May 2020 11:14:28 +0500 Subject: [PATCH 05/20] Update windows/client-management/troubleshoot-inaccessible-boot-device.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../client-management/troubleshoot-inaccessible-boot-device.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md index 9f98c2a73c..667776a7f8 100644 --- a/windows/client-management/troubleshoot-inaccessible-boot-device.md +++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md 
@@ -113,7 +113,7 @@ To verify the BCD entries: 2. In the **Windows Boot Loader** that has the **{default}** identifier, make sure that **device**, **path**, **osdevice**, and **systemroot** point to the correct device or partition, winload file, OS partition or device, and OS folder. > [!NOTE] - > If the computer is UEFI-based, the filepath value specified in **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension. + > If the computer is UEFI-based, the filepath value specified in the **path** parameter of **{bootmgr}** and **{default}** will contain an **.efi** extension. ![bcdedit](images/screenshot1.png) From dd11d5503112f1c07e8f0161e977bcd509fe7f52 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 26 May 2020 16:29:15 -0700 Subject: [PATCH 06/20] Update wd-app-guard-overview.md --- .../wd-app-guard-overview.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 390bee5992..0ab4ff9f5c 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Application Guard (Windows 10) -description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +title: Microsoft Defender Application Guard (Windows 10) +description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -14,11 +14,11 @@ manager: dansimp ms.custom: asr --- -# Windows Defender Application Guard overview +# Microsoft Defender Application Guard overview **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. +Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? 
@@ -44,8 +44,8 @@ Application Guard has been created to target several types of systems: |Article |Description | |------|------------| -|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| -|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| -|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| -|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| -|[Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| \ No newline at end of file +|[System requirements for Microsoft Defender Application Guard](reqs-wd-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.| +|[Prepare and install Microsoft Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| +|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| +|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that 
you can use to test Application Guard in your organization.| +|[Frequently asked questions - Microsoft Defender Application Guard](faq-wd-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| From d25675b2c9c9b81c7c7b74a1c7372f3a873ae34d Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 28 May 2020 09:41:18 +0500 Subject: [PATCH 07/20] Update advanced-hunting-overview.md --- .../microsoft-defender-atp/advanced-hunting-overview.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md index 0a28ea14cd..977cd7c2dc 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview.md 
@@ -23,7 +23,7 @@ ms.topic: article >Want to experience Microsoft Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhunting-abovefoldlink) -Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. +Advanced hunting is a query-based threat-hunting tool that lets you explore raw data for the last 30 days. You can proactively inspect events in your network to locate interesting indicators and entities. The flexible access to data facilitates unconstrained hunting for both known and potential threats. You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and respond to various events and system states, including suspected breach activity and misconfigured machines. @@ -54,4 +54,4 @@ Take advantage of the following functionality to write queries faster: - [Use shared queries](advanced-hunting-shared-queries.md) - [Understand the schema](advanced-hunting-schema-reference.md) - [Apply query best practices](advanced-hunting-best-practices.md) -- [Custom detections overview](overview-custom-detections.md) \ No newline at end of file +- [Custom detections overview](overview-custom-detections.md) From 3da5f277f2167b1c99cd15b1fc9c33fdc3feed5b Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:04:26 -0700 Subject: [PATCH 08/20] Update faq-wd-app-guard.md --- .../faq-wd-app-guard.md | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 1e8839b354..cccc536c12 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -92,3 +92,12 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca ### Why does my encryption driver break Windows Defender Application Guard? Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). + +### Why do the Network Isolation policies in Group Policy and CSP look different? + +There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatary network isolation policies to deploy WDAG are different between CSP and GP. + +Mandatory network isolation GP policy to deploy WDAG: "DomainSubnets or CloudResources" +Mandatory network isolation CSP policy to deploy WDAG: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)" +For EnterpriseNetworkDomainNames, there is no mapped CSP policy. + From 0c531dd4906868ff63aa5bd0e5ae02a54c157056 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:41:05 -0700 Subject: [PATCH 09/20] Update wd-app-guard-overview.md --- .../wd-app-guard-overview.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
diff --git a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md index 390bee5992..799cbc5386 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md +++ b/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview.md @@ -1,6 +1,6 @@ --- -title: Windows Defender Application Guard (Windows 10) -description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. +title: Microsoft Defender Application Guard (Windows 10) +description: Learn about Microsoft Defender Application Guard and how it helps to combat malicious content and malware out on the Internet. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library @@ -14,11 +14,11 @@ manager: dansimp ms.custom: asr --- -# Windows Defender Application Guard overview +# Microsoft Defender Application Guard overview **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. +Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete. ## What is Application Guard and how does it work? 
@@ -48,4 +48,4 @@ Application Guard has been created to target several types of systems: |[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.| |[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.| |[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.| -|[Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| \ No newline at end of file +|[Frequently asked questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.| From 9a2f04de673938a0828a6d98f639ce660d23bba9 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:42:16 -0700 Subject: [PATCH 10/20] Update reqs-wd-app-guard.md --- .../reqs-wd-app-guard.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index ca449ea92c..0f700a7b26 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md 
+++ b/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -1,6 +1,6 @@ --- -title: System requirements for Windows Defender Application Guard (Windows 10) -description: Learn about the system requirements for installing and running Windows Defender Application Guard. +title: System requirements for Microsoft Defender Application Guard (Windows 10) +description: Learn about the system requirements for installing and running Microsoft Defender Application Guard. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -14,17 +14,17 @@ manager: dansimp ms.custom: asr --- -# System requirements for Windows Defender Application Guard +# System requirements for Microsoft Defender Application Guard **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. +The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. >[!NOTE] ->Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. +>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. ## Hardware requirements -Your environment needs the following hardware to run Windows Defender Application Guard. +Your environment needs the following hardware to run Microsoft Defender Application Guard. |Hardware|Description| |--------|-----------| From e907e77e00ab41799bd645654d8e9d95dad0d084 Mon Sep 17 00:00:00 2001 
From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:43:10 -0700 Subject: [PATCH 11/20] Update install-wd-app-guard.md --- .../install-wd-app-guard.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md index e5630f24a3..2ef6c54364 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard.md @@ -1,6 +1,6 @@ --- title: Enable hardware-based isolation for Microsoft Edge (Windows 10) -description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. +description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -14,19 +14,19 @@ manager: dansimp ms.custom: asr --- -# Prepare to install Windows Defender Application Guard +# Prepare to install Microsoft Defender Application Guard **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) ## Review system requirements -See [System requirements for Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard. +See [System requirements for Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard) to review the hardware and software installation requirements for Windows Defender Application Guard. >[!NOTE] ->Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. +>Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. -## Prepare for Windows Defender Application Guard -Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. +## Prepare for Microsoft Defender Application Guard +Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode. ### Standalone mode 
From 96525e83294719c72416ca3b5eaef2563a4199e9 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:43:57 -0700 Subject: [PATCH 12/20] Update configure-wd-app-guard.md --- .../configure-wd-app-guard.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 5020c63596..e3871020d7 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md @@ -1,6 +1,6 @@ --- -title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10) -description: Learn about the available Group Policy settings for Windows Defender Application Guard. +title: Configure the Group Policy settings for Microsoft Defender Application Guard (Windows 10) +description: Learn about the available Group Policy settings for Microsoft Defender Application Guard. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -14,12 +14,12 @@ manager: dansimp ms.custom: asr --- -# Configure Windows Defender Application Guard policy settings +# Configure Microsoft Defender Application Guard policy settings **Applies to:** - [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. +Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain. Application Guard uses both network isolation and application-specific settings. From 04e7635fb0cd233efb999ad9033fe3527f35817c Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:44:50 -0700 Subject: [PATCH 13/20] Update test-scenarios-wd-app-guard.md --- .../test-scenarios-wd-app-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md index a5eebdf2a2..f380bebaa0 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard.md 
@@ -1,6 +1,6 @@ --- -title: Testing scenarios with Windows Defender Application Guard (Windows 10) -description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. +title: Testing scenarios with Microsoft Defender Application Guard (Windows 10) +description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library From da785f2a13a33fdf2ff276866417d1b37ce01d67 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:45:31 -0700 Subject: [PATCH 14/20] Update faq-wd-app-guard.md --- .../faq-wd-app-guard.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 1e8839b354..f410bb38de 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -1,6 +1,6 @@ --- -title: FAQ - Windows Defender Application Guard (Windows 10) -description: Learn about the commonly asked questions and answers for Windows Defender Application Guard. +title: FAQ - Microsoft Defender Application Guard (Windows 10) +description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard. ms.prod: w10 ms.mktglfcycl: manage ms.sitesec: library 
@@ -14,11 +14,11 @@ manager: dansimp ms.custom: asr --- -# Frequently asked questions - Windows Defender Application Guard +# Frequently asked questions - Microsoft Defender Application Guard **Applies to:** [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) -Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. +Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration. ## Frequently Asked Questions From 3d76e12ffd2498f10fd9c41ee08d1741119f3953 Mon Sep 17 00:00:00 2001 From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:50:24 -0700 Subject: [PATCH 15/20] Update configure-wd-app-guard.md --- .../configure-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md index 5020c63596..e78a0079f6 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/configure-wd-app-guard.md 
@@ -36,7 +36,7 @@ These settings, located at **Computer Configuration\Administrative Templates\Net |-----------|------------------|-----------| |Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.| |Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| -|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| +|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. Proxies should be added to this list. Note: This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.| ## Network isolation settings wildcards From 68d4ad7ae04d7ba38d7a4e60cb9c401cf836ba14 Mon Sep 17 00:00:00 2001 
From: Rona Song <38082753+qrscharmed@users.noreply.github.com> Date: Tue, 2 Jun 2020 00:54:57 -0700 Subject: [PATCH 16/20] Update faq-wd-app-guard.md --- .../windows-defender-application-guard/faq-wd-app-guard.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 1e8839b354..6fc40a60b0 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -92,3 +92,7 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca ### Why does my encryption driver break Windows Defender Application Guard? Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). + +### Why did Application Guard stop working after I turned on hyperthreading? + +If hyperthreading is disabled (either with KB or through BIOS), there may be a possibility Application Guard will no longer meet the minimum requirements. From 3a52c98053cf6dd74c29b322e4de0c2ca93c42bd Mon Sep 17 00:00:00 2001 
From: illfated Date: Tue, 2 Jun 2020 19:56:00 +0200 Subject: [PATCH 17/20] Security/Threat protection: password length values Description: As requested by Program Manager Robert Durff (MSRobertD) in issue ticket #6856 (Bug: Password length value range is inaccurate.), the upper value for the supported values for password length should be 20 instead of only 14, verified in preliminary field testing of the GPO Password Policy, described on this page. The actual upper limit may very well be higher, but 20 is a reasonable value to be used for now, until someone documents the need for higher accuracy in the documentation of this value for the GPO Password Policy. Changes proposed: - Replace 14 with 20 in both occurrences of 14 as the upper value - Convert Note text in line 83 to a MarkDown Note blob (MS codestyle) - Whitespace adjustments: - Normalize bullet point list spacing to 1 (codestyle) (3 lines) - Remove redundant end-of-line spacing (8 lines) Ticket closure or reference: Closes #6856 --- .../minimum-password-length.md | 27 ++++++++++--------- 1 file changed, 14 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md index 7917efbce4..b57e36e03e 100644 --- a/windows/security/threat-protection/security-policy-settings/minimum-password-length.md +++ b/windows/security/threat-protection/security-policy-settings/minimum-password-length.md 
@@ -20,18 +20,18 @@ ms.date: 04/19/2017 # Minimum password length **Applies to** -- Windows 10 +- Windows 10 Describes the best practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting. ## Reference -The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 14 characters, or you can establish that no password is required by setting the number of characters to 0. +The **Minimum password length** policy setting determines the least number of characters that can make up a password for a user account. You can set a value of between 1 and 20 characters, or you can establish that no password is required by setting the number of characters to 0. ### Possible values -- User-specified number of characters between 0 and 14 -- Not defined +- User-specified number of characters between 0 and 20 +- Not defined ### Best practices @@ -51,13 +51,13 @@ The following table lists the actual and effective default policy values. Defaul | Server type or Group Policy Object (GPO) | Default value | | - | - | -| Default domain policy| 7 characters| -| Default domain controller policy | Not defined| -| Stand-alone server default settings | 0 characters| -| Domain controller effective default settings | 7 characters| -| Member server effective default settings | 7 characters| -| Effective GPO default settings on client computers | 0 characters| - +| Default domain policy| 7 characters| +| Default domain controller policy | Not defined| +| Stand-alone server default settings | 0 characters| +| Domain controller effective default settings | 7 characters| +| Member server effective default settings | 7 characters| +| Effective GPO default settings on client computers | 0 characters| + ## Policy management This section describes features, tools, and guidance to help you manage this policy. 
@@ -80,8 +80,9 @@ Configure the **** policy setting to a value of 8 or more. If the number of char In most environments, we recommend an eight-character password because it is long enough to provide adequate security, but not too difficult for users to easily remember. This configuration provides adequate defense against a brute force attack. Using the [Password must meet complexity requirements](password-must-meet-complexity-requirements.md) policy setting in addition to the **Minimum password length** setting helps reduce the possibility of a dictionary attack. ->**Note:**  Some jurisdictions have established legal requirements for password length as part of establishing security regulations. - +> [!NOTE] +> Some jurisdictions have established legal requirements for password length as part of establishing security regulations. + ### Potential impact Requirements for extremely long passwords can actually decrease the security of an organization because users might leave the information in an unsecured location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of Help Desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about passphrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover. From 21b393ec12358d73b60e85822e8f350004941db1 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 2 Jun 2020 11:46:00 -0700 Subject: [PATCH 18/20] Update faq-wd-app-guard.md --- .../windows-defender-application-guard/faq-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 6fc40a60b0..3f305282d0 100644 
--- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -93,6 +93,6 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). -### Why did Application Guard stop working after I turned on hyperthreading? +### Why did Application Guard stop working after I turned off hyperthreading? If hyperthreading is disabled (either with KB or through BIOS), there may be a possibility Application Guard will no longer meet the minimum requirements. From 1da415b64d23fc04ed2df11a923ea31b6235da86 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Tue, 2 Jun 2020 12:12:46 -0700 Subject: [PATCH 19/20] Update faq-wd-app-guard.md --- .../faq-wd-app-guard.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 3f305282d0..de036bc4dd 100644 --- a/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 12/04/2019 +ms.date: 06/02/2020 ms.reviewer: manager: dansimp ms.custom: asr 
@@ -83,7 +83,7 @@ To trust a subdomain, you must precede your domain with two dots, for example: ` ### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise? -When using Windows Pro or Windows Enterprise, you will have access to using Application Guard's Standalone Mode. However, when using Enterprise you will have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). +When using Windows Pro or Windows Enterprise, you have access to using Application Guard's Standalone Mode. However, when using Windows Enterprise, you have access to Application Guard's Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Windows Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard). ### Is there a size limit to the domain lists that I need to configure? 
@@ -91,8 +91,8 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca ### Why does my encryption driver break Windows Defender Application Guard? -Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). +Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message (`0x80070013 ERROR_WRITE_PROTECT`). ### Why did Application Guard stop working after I turned off hyperthreading? -If hyperthreading is disabled (either with KB or through BIOS), there may be a possibility Application Guard will no longer meet the minimum requirements. +If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements. From 54e20894b4e9d3bc48ddc631984bdb9909e2a4b9 Mon Sep 17 00:00:00 2001 From: Steven DeQuincey <54139783+stdequin@users.noreply.github.com> Date: Wed, 3 Jun 2020 10:33:09 +0100 Subject: [PATCH 20/20] Updated faq Added in partner question on moving devices between orgs and needing to deregister a device, --- windows/deployment/windows-autopilot/autopilot-faq.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/deployment/windows-autopilot/autopilot-faq.md b/windows/deployment/windows-autopilot/autopilot-faq.md index 616f6b21ce..1cbfeeb11b 100644 --- a/windows/deployment/windows-autopilot/autopilot-faq.md +++ b/windows/deployment/windows-autopilot/autopilot-faq.md 
@@ -144,6 +144,7 @@ A [glossary](#glossary) of abbreviations used in this article is provided at the | What are some common causes of registration failures? |1. Bad or missing hardware hash entries can lead to faulty registration attempts
2. Hidden special characters in CSV files.

To avoid this issue, after creating your CSV file, open it in Notepad to look for hidden characters or trailing spaces or other corruptions.| | Is Autopilot supported on IoT devices? | Autopilot is not supported on IoT Core devices, and there are currently no plans to add this support. Autopilot is supported on Windows 10 IoT Enterprise SAC devices. Autopilot is supported on Windows 10 Enterprise LTSC 2019 and above; it is not supported on earlier versions of LTSC.| | Is Autopilot supported in all regions/countries? | Autopilot only supports customers using global Azure. Global Azure does not include the three entities listed below:
- Azure Germany
- Azure China 21Vianet
- Azure Government
So, if a customer is set up in global Azure, there are no region restrictions. For example, if Contoso uses global Azure but has employees working in China, the Contoso employees working in China would be able to use Autopilot to deploy devices. If Contoso uses Azure China 21Vianet, the Contoso employees would not be able to use Autopilot.| +| I need to register a device that's been previously registered to another organisation. | Partners registering devices through partner center can also deregister the device if it's moving between different customer tenants. If this isn't possible, as a last resort you can raise a ticket through the Intune "Help and Support" node and our support teams will assist you. | ## Glossary
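Review bot: In PATCH 14/20, the second hunk of faq-wd-app-guard.md (`@@ -14,11 +14,11 @@`) renames the product only in the H1 and the intro sentence, so the page ends up carrying two names. The context and added lines that PATCH 16/20 and PATCH 19/20 show for the same file still read "Why does my encryption driver break Windows Defender Application Guard?", "WDAG" and "Prepare to install Windows Defender Application Guard". Rename those occurrences in the same change, or state in the commit message that the body text is left for a follow-up.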
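Review bot: In PATCH 15/20 (configure-wd-app-guard.md, `@@ -36,7 +36,7 @@`), the added sentence "Proxies should be added to this list." in the **Domains categorized as both work and personal** row says neither what to enter nor why. The row describes a comma-separated list of domain names whose endpoints are reachable from both the Application Guard and the regular Edge environment, so the sentence should say in which form a proxy is entered and that it belongs here because both environments have to reach it. While the row is being edited, "used as both work or personal resources" should read "both work and personal resources" to match the setting name.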
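Review bot: In PATCH 16/20 (faq-wd-app-guard.md, `@@ -92,3 +92,7 @@`), the added heading asks about turning hyperthreading on while the answer under it begins "If hyperthreading is disabled", so the question and the answer contradict each other; the heading should say "turned off". PATCH 18/20 corrects this later, and squashing the two would keep the wrong heading out of the history. The answer also leaves "either with KB" without saying which update is meant, and "the minimum requirements" is neither named nor linked, so a reader cannot tell which requirement disabling hyperthreading affects.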
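Review bot: In PATCH 17/20 (minimum-password-length.md, `@@ -20,18 +20,18 @@`), the new upper bound is written as a hard limit ("between 1 and 20 characters", "between 0 and 20") although the commit message says 20 comes from preliminary field testing and that the actual limit may be higher. Word the range so that it does not read as a verified maximum, or confirm the limit before merging, because administrators size password policy from this sentence. The hunk header context also shows `ms.date: 04/19/2017` left unchanged; PATCH 19/20 bumps ms.date for its content change, and this change to a documented value should do the same.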
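Review bot: In PATCH 17/20 (minimum-password-length.md, `@@ -80,8 +80,9 @@`), the context shown in the hunk header reads "Configure the **** policy setting to a value of 8 or more.", an empty bold span where the setting name is missing. This change already tidies the section around the note, so restore the name there as well, presumably **Minimum password length** as used in the paragraph that follows.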
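Review bot: In PATCH 19/20 (faq-wd-app-guard.md, `@@ -91,8 +91,8 @@`), the rewritten encryption-driver answer keeps "WDAG will not work and result in an error message", which is ungrammatical ("and results in"), and it keeps both "Windows Defender Application Guard" and "WDAG" although PATCH 14/20 renames the product in this file's title and H1. In the hyperthreading answer, "an update applied through a KB article" is hard to parse, since a KB article documents an update rather than applying one, and the answer still does not name which minimum requirement stops being met; name it or link to it.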
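Review bot: In PATCH 20/20 (autopilot-faq.md, `@@ -144,6 +144,7 @@`), the first cell of the added row is a statement ("I need to register a device that's been previously registered to another organisation.") while the neighbouring rows are questions ("Is Autopilot supported on IoT devices?"); rephrase it as a question. In the answer, capitalize the product name as Partner Center and replace "our support teams will assist you" with wording that names who handles the ticket, since the rest of the table is not written in the first person. The row should also say that the device has to be deregistered from the previous tenant before it can be registered again, which the answer implies but never states.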