deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 13:27:23 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr

Browse Source
This commit is contained in:
Siddarth Mandalika 2021-08-11 12:36:24 +05:30
commit d40e86f69b
49 changed files with 532 additions and 150 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
bcs/docfx.json
View File

@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-365/business/breadcrumb/toc.json",
"extendBreadcrumb": true,
"contributors_to_exclude": [

1
browsers/edge/docfx.json
View File

@ -27,6 +27,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-edge/deploy/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "microsoft-edge",

1
browsers/internet-explorer/docfx.json
View File

@ -23,6 +23,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/internet-explorer/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",

1
devices/hololens/docfx.json
View File

@ -30,6 +30,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/hololens/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",

1
devices/surface-hub/docfx.json
View File

@ -24,6 +24,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/surface-hub/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",

1
devices/surface/docfx.json
View File

@ -22,6 +22,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/surface/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",

1
education/docfx.json
View File

@ -26,6 +26,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"ROBOTS": "INDEX, FOLLOW",
"audience": "windows-education",
"ms.topic": "article",

1
gdpr/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"author": "eross-msft",
"ms.author": "lizross",
"feedback_system": "GitHub",

1
mdop/docfx.json
View File

@ -22,6 +22,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-desktop-optimization-pack/breadcrumb/toc.json",
"ROBOTS": "INDEX, FOLLOW",
"ms.technology": "windows",

1
smb/docfx.json
View File

@ -29,6 +29,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/smb/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"feedback_system": "None",

143
store-for-business/device-guard-signing-portal.md
View File

@ -17,6 +17,11 @@ ms.date: 07/21/2021
# Device Guard signing
**Applies to**
- Windows 10
- Windows 10 Mobile
> [!IMPORTANT]
> Microsoft Store for Business and Microsoft Store for Education will be retired in the first quarter of 2023. You can continue to use the current capabilities of free apps until that time. For more information about this change, see [Evolving the Microsoft Store for Business and Education](https://aka.ms/windows/msfb_evolution).
@ -37,13 +42,7 @@ ms.date: 07/21/2021
>
> For any questions, please contact us at DGSSMigration@microsoft.com.
**Applies to**
- Windows 10
- Windows 10 Mobile
Device Guard signing is a Device Guard feature that is available in Microsoft Store for Business and Education. It gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard signing is a Device Guard feature that gives admins a single place to sign catalog files and code integrity policies. After admins have created catalog files for unsigned apps and signed the catalog files, they can add the signers to a code integrity policy. You can merge the code integrity policy with your existing policy to include your custom signing certificate. This allows you to trust the catalog files.
Device Guard is a feature set that consists of both hardware and software system integrity hardening features. These features use new virtualization-based security options and the trust-nothing mobile device operating system model. A key feature in this model is called configurable code integrity, which allows your organization to choose exactly which software or trusted software publishers are allowed to run code on your client machines. Also, Device Guard offers organizations a way to sign existing line-of-business (LOB) applications so that they can trust their own code, without the requirement that the application be repackaged. Also, this same method of signing allows organizations to trust individual third-party applications. For more information, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
@ -54,6 +53,132 @@ Device Guard is a feature set that consists of both hardware and software system
| [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md) | When you want to add an unsigned app to a code integrity policy, you need to start with a code integrity policy created from a reference device. Then, create the catalog files for your unsigned app, sign the catalog files, and then merge the default policy that includes your signing certificate with existing code integrity policies. |
| [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md) | Signing code integrity policies prevents policies from being tampered with after they're deployed. You can sign code integrity policies with the Device Guard signing portal. |
## Device Guard Signing Service (v2) PowerShell Commands
> [!NOTE]
> [.. common ..] are parameters common across all commands that are documented below the command definitions.
**Get-DefaultPolicy** Gets the default .xml policy file associated with the current tenant.
- Usage:
```powershell
Get-DefaultPolicy -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the default policy file should be persisted to disk. The file name should be an .xml file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns an XmlDocument object returning the default policy file.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Get-RootCertificate** Gets the root certificate for the current tenant. All Authenticode and policy signing certificates will eventually chain up to this root certificate.
- Usage:
```powershell
Get-RootCertificate -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the root certificate file should be persisted to disk. The file name should be a .cer file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns an X509Certificate2 object returning the default policy file.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Get-SigningHistory** Gets information for the latest 100 files signed by the current tenant. Results are returned as a collection with elements in reverse chronological order (most recent to least recent).
- Usage:
```powershell
Get-SigningHistory -OutFile filename [-PassThru] [.. common ..]
```
- Parameters:
**OutFile** - string, mandatory - The filename where the signing history file should be persisted to disk. The file name should be a .xml file. If the file already exists, it will be overwritten (note: create the folder first).
**PassThru** - switch, optional - If present, returns XML objects returning the XML file.
- Command running time:
The average running time is under 10 seconds.
**Submit-SigningJob** Submits a file to the service for signing and timestamping. The module supports valid file type for Authenticode signing is Catalog file (.cat). Valid file type for policy signing is binary policy files with the extension (.bin) that have been created via the ConvertFrom-CiPolicy cmdlet. Otherwise, binary policy file may not be deployed properly.
- Usage:
```powershell
Submit-SigningJob -InFile filename -OutFile filename [-NoTimestamp][- TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
- Parameters:
**InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.cat or .bin).
**OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten. (note: create the folder first)
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
**TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build rocess the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
**Submit-SigningV1MigrationPolicy** Submits a file to the service for signing and timestamping. The only valid file type for policy
signing is binary policy files with the extension (.bin) that have been created via the [ConvertFromCiPolicy](/powershell/module/configci/convertfrom-cipolicy?view=windowsserver2019-ps&viewFallbackFrom=win10-ps) cmdlet. Otherwise, binary policy file may not be deployed properly. Note: Only use for V1 migration.
- Usage:
```powershell
Submit-SigningV1MigrationPolicy -InFile filename -OutFile filename [-NoTimestamp][-TimeStamperUrl "timestamper url"] [-JobDescription "description"] [.. common ..]
```
- Parameters:
**InFile** - string, mandatory - The file to be signed. This should be a file of the types described in description above (.bin).
**OutFile** - string, mandatory - The output file that should be generated by the signing process. If this file already exists, it will be overwritten.
> [!NOTE]
> Create the folder first.
**NoTimestamp** - switch, optional - If present, the signing operation will skip timestamping the output file, and it will be signed only. If not present (default) and TimeStamperUrl presents, the output file will be both signed and timestamped. If both NoTimestamp and TimeStamperUrl not present, the signing operation will skip timestamping the output file, and it will be signed only.
**TimeStamperUrl** - string, optional - If this value is invalid Url (and NoTimestamp not present), the module will throw exception. To understand more about timestamping, refer to [Timestamping](/windows/msix/package/signing-package-overview#timestamping).
**JobDescription** - string, optional - A short (< 100 chars), human-readable description of this submission. If the script is being called as part of an automated build process the agent may wish to pass a version number or changeset number for this field. This information will be provided as part of the results of the Get-SigningHistory command.
- Command running time:
The average running time is under 20 seconds but may be up to 3 minutes.
**Common parameters [.. common ..]**
In addition to cmdlet-specific parameters, each cmdlet understands the following common parameters.
- Usage:
```powershell
... [-NoPrompt] [-Credential $creds] [-AppId AppId] [-Verbose]
```
- Parameters:
**NoPrompt** - switch, optional - If present, indicates that the script is running in a headless
environment and that all UI should be suppressed. If UI must be displayed (e.g., for
authentication) when the switch is set, the operation will instead fail.
**Credential + AppId** - PSCredential - A login credential (username and password) and AppId.
## File and size limits
When you're uploading files for Device Guard signing, there are a few limits for files and file size:
@ -63,7 +188,7 @@ When you're uploading files for Device Guard signing, there are a few limits for
| Maximum size for multiple files (uploaded in a group) | 4 MB |
| Maximum number of files per upload | 15 files |
## File types
## File types
Catalog and policy files have required files types.
| File | Required file type |
@ -71,7 +196,7 @@ Catalog and policy files have required files types.
| catalog files | .cat |
| policy files | .bin |
## Store for Business roles and permissions
## Store for Business roles and permissions
Signing code integrity policies and access to Device Guard portal requires the Device Guard signer role.
## Device Guard signing certificates

1
store-for-business/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/microsoft-store/breadcrumb/toc.json",
"ms.author": "trudyha",
"audience": "ITPro",

1
windows/access-protection/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"audience": "ITPro",

1
windows/application-management/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

1
windows/client-management/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

34
windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
View File

@ -1,6 +1,6 @@
---
title: Bulk enrollment
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10.
description: Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and Windows 11.
MS-HAID:
- 'p\_phdevicemgmt.bulk\_enrollment'
- 'p\_phDeviceMgmt.bulk\_enrollment\_using\_Windows\_provisioning\_tool'
@ -18,7 +18,7 @@ ms.date: 06/26/2017
# Bulk enrollment
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 desktop and mobile devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
Bulk enrollment is an efficient way to set up a large number of devices to be managed by an MDM server without the need to re-image the devices. In Windows 10 and 11 desktop devices, you can use the [Provisioning CSP](provisioning-csp.md) for bulk enrollment, except for the Azure Active Directory Join (Cloud Domain Join) enrollment scenario.
## Typical use cases
@ -37,27 +37,29 @@ On the desktop and mobile devices, you can use an enrollment certificate or enro
> - Bulk enrollment does not work in Intune standalone environment.
> - Bulk enrollment works in Microsoft Endpoint Manager where the ppkg is generated from the Configuration Manager console.
> - To change bulk enrollment settings, login to **AAD**, then **Devices**, and then click **Device Settings**. Change the number under **Maximum number of devices per user**.
> - Bulk Token creation is not supported with federated accounts.
## What you need
- Windows 10 devices
- Windows Imaging and Configuration Designer (ICD) tool
To get the ICD tool, download the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). For more information about the ICD tool, see [Windows Imaging and Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows ICD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.)
- Windows 10 devices.
- Windows Configuration Designer (WCD) tool.
To get the WCD tool, download from the [Microsoft Store](https://www.microsoft.com/store/productId/9NBLGGH4TX22). For more information about the WCD tool, see [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-install-icd) and [Getting started with Windows WCD](/windows/configuration/provisioning-packages/provisioning-install-icd).
- Enrollment credentials (domain account for enrollment, generic enrollment credentials for MDM, enrollment certificate for MDM.).
- Wi-Fi credentials, computer name scheme, and anything else required by your organization.
Some organizations require custom APNs to be provisioned before talking to the enrollment endpoint or custom VPN to join a domain.
## Create and apply a provisioning package for on-premises authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
![icd start page](images/bulk-enrollment7.png)
3. Enter a project name and click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows 10 editions, then click **Next**.
4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Expand **Runtime settings** &gt; **Workplace**.
7. Click **Enrollments**, enter a value in **UPN**, and then click **Add**.
@ -70,8 +72,9 @@ Using the ICD, create a provisioning package using the enrollment information re
- **PolicyServiceFullUrl** - Optional and in most cases, it should be left blank.
- **Secret** - Password
For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
Here is the screenshot of the ICD at this point.
![bulk enrollment screenshot](images/bulk-enrollment.png)
Here is the screenshot of the WCD at this point.
![bulk enrollment screenshot](images/bulk-enrollment.png)
9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
10. When you are done adding all the settings, on the **File** menu, click **Save**.
11. On the main menu click **Export** &gt; **Provisioning package**.
@ -90,12 +93,12 @@ Using the ICD, create a provisioning package using the enrollment information re
## Create and apply a provisioning package for certificate authentication
Using the ICD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
Using the WCD, create a provisioning package using the enrollment information required by your organization. Ensure that you have all the configuration settings.
1. Open the Windows ICD tool (by default, %windir%\\Program Files (x86)\\Windows Kits\\10\\Assessment and Deployment Kit\\Imaging and Configuration Designer\\x86\\ICD.exe).
1. Open the WCD tool.
2. Click **Advanced Provisioning**.
3. Enter a project name and click **Next**.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows 10 editions.
4. Select **Common to all Windows editions**, since Provisioning CSP is common to all Windows editions.
5. Skip **Import a provisioning package (optional)** and click **Finish**.
6. Specify the certificate.
1. Go to **Runtime settings** &gt; **Certificates** &gt; **ClientCertificates**.
@ -129,8 +132,7 @@ Using the ICD, create a provisioning package using the enrollment information re
Here's the list of topics about applying a provisioning package:
- [Apply a package on the first-run setup screen (out-of-the-box experience)](/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment#apply-package) - topic in Technet.
- [Apply a package to a Windows 10 desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package to a Windows 10 Mobile image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_mobile_image) - topic in MSDN.
- [Apply a package to a Windows desktop edition image](/windows/configuration/provisioning-packages/provisioning-create-package#to_apply_a_provisioning_package_to_a_desktop_image) - topic in MSDN
- [Apply a package from the Settings menu](#apply-a-package-from-the-settings-menu) - topic below
## Apply a package from the Settings menu

180
windows/client-management/mdm/defender-csp.md
View File

@ -35,6 +35,18 @@ Defender
------------InitialDetectionTime
------------LastThreatStatusChangeTime
------------NumberOfDetections
----EnableNetworkProtection
--------AllowNetworkProtectionDownLevel
--------AllowNetworkProtectionOnWinServer
--------DisableNetworkProtectionPerfTelemetry
--------DisableDatagramProcessing
--------DisableInboundConnectionFiltering
--------EnableDnsSinkhole
--------DisableDnsOverTcpParsing
--------DisableHttpParsing
--------DisableRdpParsing
--------DisableSshParsing
--------DisableTlsParsing
----Health
--------ProductStatus (Added in Windows 10 version 1809)
--------ComputerState
@ -125,7 +137,7 @@ The following table describes the supported values:
| 7 | Remote access Trojan |
| 8 | Trojan |
| 9 | Email flooder |
| 10 | Keylogger |
| 10 | Key logger |
| 11 | Dialer |
| 12 | Monitoring software |
| 13 | Browser modifier |
@ -185,7 +197,28 @@ The following list shows the supported values:
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
- 10 = No Status ( Cleared)
- 10 = No Status (Cleared)
Supported operation is Get.
<a href="" id="detections-threatid-currentstatus"></a>**Detections/*ThreatId*/CurrentStatus**
Information about the current status of the threat.
The data type is integer.
The following list shows the supported values:
- 0 = Active
- 1 = Action failed
- 2 = Manual steps required
- 3 = Full scan required
- 4 = Reboot required
- 5 = Remediated with noncritical failures
- 6 = Quarantined
- 7 = Removed
- 8 = Cleaned
- 9 = Allowed
- 10 = No Status (Cleared)
Supported operation is Get.
@ -217,6 +250,139 @@ The data type is integer.
Supported operation is Get.
<a href="" id="enablenetworkprotection"></a>**EnableNetworkProtection**
The Network Protection Service is a network filter that helps to protect you against web-based malicious threats, including phishing and malware. The Network Protection service contacts the SmartScreen URL reputation service to validate the safety of connections to web resources.
The acceptable values for this parameter are:
- 0: Disabled. The Network Protection service will not block navigation to malicious websites, or contact the SmartScreen URL reputation service. It will still send connection metadata to the antimalware engine if behavior monitoring is enabled, to enhance AV Detections.
- 1: Enabled. The Network Protection service will block connections to malicious websites based on URL Reputation from the SmartScreen URL reputation service.
- 2: AuditMode. As above, but the Network Protection service will not block connections to malicious websites, but will instead log the access to the event log.
Accepted values: Disabled, Enabled, and AuditMode
Position: Named
Default value: Disabled
Accept pipeline input: False
Accept wildcard characters: False
<a href="" id="enablenetworkprotection-allownetworkprotectiondownlevel"></a>**EnableNetworkProtection/AllowNetworkProtectionDownLevel**
By default, network protection is not allowed to be enabled on Windows versions before 1709, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-allownetworkprotectiononwinserver"></a>**EnableNetworkProtection/AllowNetworkProtectionOnWinServer**
By default, network protection is not allowed to be enabled on Windows Server, regardless of the setting of the EnableNetworkProtection configuration. Set this configuration to "$true" to override that behavior and allow Network Protection to be set to Enabled or Audit Mode.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablenetworkprotectionperftelemetry"></a>**EnableNetworkProtection/DisableNetworkProtectionPerfTelemetry**
Network Protection sends up anonymized performance statistics about its connection monitoring to improve our product and help to find bugs. You can disable this behavior by setting this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disabledatagramprocessing"></a>**EnableNetworkProtection/DisableDatagramProcessing**
Network Protection inspects UDP connections allowing us to find malicious DNS or other UDP Traffic. To disable this functionality, set this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disableinboundconnectionfiltering"></a>**EnableNetworkProtection/DisableInboundConnectionFiltering**
Network Protection inspects and can block both connections that originate from the host machine, as well as those that originates from outside the machine. To have network connection to inspect only outbound connections, set this configuration to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-enablednssinkhole"></a>**EnableNetworkProtection/EnableDnsSinkhole**
Network Protection can inspect the DNS traffic of a machine and, in conjunction with behavior monitoring, detect and sink hole DNS exfiltration attempts and other DNS based malicious attacks. Set this configuration to "$true" to enable this feature.
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablednsovertcpparsing"></a>**EnableNetworkProtection/DisableDnsOverTcpParsing**
Network Protection inspects DNS traffic that occurs over a TCP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablednsparsing"></a>**EnableNetworkProtection/DisableDnsParsing**
Network Protection inspects DNS traffic that occurs over a UDP channel, to provide metadata for Anti-malware Behavior Monitoring or to allow for DNS sink holing if the -EnableDnsSinkhole configuration is set. This can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablehttpparsing"></a>**EnableNetworkProtection/DisableHttpParsing**
Network Protection inspects HTTP traffic to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. HTTP connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablerdpparsing"></a>**EnableNetworkProtection/DisableRdpParsing**
Network Protection inspects RDP traffic so that it can block connections from known malicious hosts if -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. RDP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disablesshparsing"></a>**EnableNetworkProtection/DisableSshParsing**
Network Protection inspects SSH traffic, so that it can block connections from known malicious hosts. If -EnableNetworkProtection is set to be enabled, and to provide metadata to behavior monitoring. SSH inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="enablenetworkprotection-disabletlsparsing"></a>**EnableNetworkProtection/DisableTlsParsing**
Network Protection inspects TLS traffic (also known as HTTPS traffic) to see if a connection is being made to a malicious website, and to provide metadata to Behavior Monitoring. TLS connections to malicious websites can also be blocked if -EnableNetworkProtection is set to enabled. HTTP inspection can be disabled by setting this value to "$true".
- Type: Boolean
- Position: Named
- Default value: False
- Accept pipeline input: False
- Accept wildcard characters: False
<a href="" id="health"></a>**Health**
An interior node to group information about Windows Defender health status.
@ -248,7 +414,7 @@ Supported product status values:
- Service is shutting down as part of system shutdown = 1 << 16
- Threat remediation failed critically = 1 << 17
- Threat remediation failed non-critically = 1 << 18
- No status flags set (well initialized state) = 1 << 19
- No status flags set (well-initialized state) = 1 << 19
- Platform is out of date = 1 << 20
- Platform update is in progress = 1 << 21
- Platform is about to be outdated = 1 << 22
@ -552,7 +718,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
@ -581,7 +747,7 @@ Beta Channel: Devices set to this channel will be the first to receive new updat
Current Channel (Preview): Devices set to this channel will be offered updates earliest during the monthly gradual release cycle. Suggested for pre-production/validation environments.
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested to apply to a small, representative part of your production population (~10%).
Current Channel (Staged): Devices will be offered updates after the monthly gradual release cycle. Suggested applying to a small, representative part of your production population (~10%).
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
@ -637,8 +803,8 @@ The data type is integer.
Supported operations are Add, Delete, Get, Replace.
Valid values are:
1 Enabled.
0 (default) Not Configured.
- 1 Enabled.
- 0 (default) Not Configured.
More details:

4
windows/client-management/mdm/index.md
View File

@ -28,8 +28,6 @@ Third-party MDM servers can manage Windows 10 by using the MDM protocol. The bu
With Windows 10, version 1809, Microsoft is also releasing a Microsoft MDM security baseline that functions like the Microsoft GP-based security baseline. You can easily integrate this baseline into any MDM to support IT pros operational needs, addressing security concerns for modern cloud-managed devices.
> [!NOTE]
>Intune support for the MDM security baseline is coming soon.
The MDM security baseline includes policies that cover the following areas:
@ -48,7 +46,7 @@ For more details about the MDM policies defined in the MDM security baseline and
- [MDM Security baseline for Windows 10, version 1809](https://download.microsoft.com/download/2/C/4/2C418EC7-31E0-4A74-8928-6DCD512F9A46/1809-MDM-SecurityBaseLine-Document-[Preview].zip)
For information about the MDM policies defined in the Intune security baseline public preview, see [Windows security baseline settings for Intune](/intune/security-baseline-settings-windows).
For information about the MDM policies defined in the Intune security baseline, see [Windows security baseline settings for Intune](/mem/intune/protect/security-baseline-settings-mdm-all).
<span id="mmat" />

3
windows/client-management/mdm/policies-in-policy-csp-supported-by-surface-hub.md
View File

@ -66,6 +66,9 @@ ms.date: 07/22/2020
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](policy-csp-deliveryoptimization.md#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](policy-csp-desktop.md#desktop-preventuserredirectionofprofilefolders)
- [RestrictedGroups/ConfigureGroupMembership](policy-csp-restrictedgroups.md)
- [System/AllowLocation](policy-csp-system.md#system-allowlocation)
- [System/AllowStorageCard](policy-csp-system.md#system-allowstoragecard)
- [System/AllowTelemetry](policy-csp-system.md#system-allowtelemetry)
- [TextInput/AllowIMELogging](policy-csp-textinput.md#textinput-allowimelogging)
- [TextInput/AllowIMENetworkAccess](policy-csp-textinput.md#textinput-allowimenetworkaccess)
- [TextInput/AllowInputPanel](policy-csp-textinput.md#textinput-allowinputpanel)

1
windows/configuration/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

1
windows/configure/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"feedback_system": "None",
"hideEdit": true,
"_op_documentIdPathDepotMapping": {

1
windows/deploy/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-deploy",

228
windows/deployment/TOC.yml
View File

@ -273,7 +273,7 @@
href: upgrade/windows-10-upgrade-paths.md
- name: Deploy Windows 10 with Microsoft 365
href: deploy-m365.md
- name: Understanding the Unified Update Platform
- name: Understand the Unified Update Platform
href: update/windows-update-overview.md
- name: Servicing stack updates
href: update/servicing-stack-updates.md
@ -321,57 +321,69 @@
- name: Active Directory-Based Activation Overview
href: volume-activation/active-directory-based-activation-overview.md
- name: Install and Configure VAMT
href: volume-activation/install-configure-vamt.md
- name: VAMT Requirements
href: volume-activation/vamt-requirements.md
- name: Install VAMT
href: volume-activation/install-vamt.md
- name: Configure Client Computers
href: volume-activation/configure-client-computers-vamt.md
items:
- name: Overview
href: volume-activation/install-configure-vamt.md
- name: VAMT Requirements
href: volume-activation/vamt-requirements.md
- name: Install VAMT
href: volume-activation/install-vamt.md
- name: Configure Client Computers
href: volume-activation/configure-client-computers-vamt.md
- name: Add and Manage Products
href: volume-activation/add-manage-products-vamt.md
- name: Add and Remove Computers
href: volume-activation/add-remove-computers-vamt.md
- name: Update Product Status
href: volume-activation/update-product-status-vamt.md
- name: Remove Products
href: volume-activation/remove-products-vamt.md
items:
- name: Overview
href: volume-activation/add-manage-products-vamt.md
- name: Add and Remove Computers
href: volume-activation/add-remove-computers-vamt.md
- name: Update Product Status
href: volume-activation/update-product-status-vamt.md
- name: Remove Products
href: volume-activation/remove-products-vamt.md
- name: Manage Product Keys
href: volume-activation/manage-product-keys-vamt.md
- name: Add and Remove a Product Key
href: volume-activation/add-remove-product-key-vamt.md
- name: Install a Product Key
href: volume-activation/install-product-key-vamt.md
- name: Install a KMS Client Key
href: volume-activation/install-kms-client-key-vamt.md
items:
- name: Overview
href: volume-activation/manage-product-keys-vamt.md
- name: Add and Remove a Product Key
href: volume-activation/add-remove-product-key-vamt.md
- name: Install a Product Key
href: volume-activation/install-product-key-vamt.md
- name: Install a KMS Client Key
href: volume-activation/install-kms-client-key-vamt.md
- name: Manage Activations
href: volume-activation/manage-activations-vamt.md
- name: Perform Online Activation
href: volume-activation/online-activation-vamt.md
- name: Perform Proxy Activation
href: volume-activation/proxy-activation-vamt.md
- name: Perform KMS Activation
href: volume-activation/kms-activation-vamt.md
- name: Perform Local Reactivation
href: volume-activation/local-reactivation-vamt.md
- name: Activate an Active Directory Forest Online
href: volume-activation/activate-forest-vamt.md
- name: Activate by Proxy an Active Directory Forest
href: volume-activation/activate-forest-by-proxy-vamt.md
items:
- name: Overview
href: volume-activation/manage-activations-vamt.md
- name: Run Online Activation
href: volume-activation/online-activation-vamt.md
- name: Run Proxy Activation
href: volume-activation/proxy-activation-vamt.md
- name: Run KMS Activation
href: volume-activation/kms-activation-vamt.md
- name: Run Local Reactivation
href: volume-activation/local-reactivation-vamt.md
- name: Activate an Active Directory Forest Online
href: volume-activation/activate-forest-vamt.md
- name: Activate by Proxy an Active Directory Forest
href: volume-activation/activate-forest-by-proxy-vamt.md
- name: Manage VAMT Data
href: volume-activation/manage-vamt-data.md
- name: Import and Export VAMT Data
href: volume-activation/import-export-vamt-data.md
- name: Use VAMT in Windows PowerShell
href: volume-activation/use-vamt-in-windows-powershell.md
items:
- name: Overview
href: volume-activation/manage-vamt-data.md
- name: Import and Export VAMT Data
href: volume-activation/import-export-vamt-data.md
- name: Use VAMT in Windows PowerShell
href: volume-activation/use-vamt-in-windows-powershell.md
- name: VAMT Step-by-Step Scenarios
href: volume-activation/vamt-step-by-step.md
- name: "Scenario 1: Online Activation"
href: volume-activation/scenario-online-activation-vamt.md
- name: "Scenario 2: Proxy Activation"
href: volume-activation/scenario-proxy-activation-vamt.md
- name: "Scenario 3: KMS Client Activation"
href: volume-activation/scenario-kms-activation-vamt.md
items:
- name: Overview
href: volume-activation/vamt-step-by-step.md
- name: "Scenario 1: Online Activation"
href: volume-activation/scenario-online-activation-vamt.md
- name: "Scenario 2: Proxy Activation"
href: volume-activation/scenario-proxy-activation-vamt.md
- name: "Scenario 3: KMS Client Activation"
href: volume-activation/scenario-kms-activation-vamt.md
- name: VAMT Known Issues
href: volume-activation/vamt-known-issues.md
@ -486,67 +498,75 @@
- name: Application Compatibility Toolkit (ACT) Technical Reference
items:
- name: SUA User's Guide
href: planning/sua-users-guide.md
- name: Using the SUA Wizard
href: planning/using-the-sua-wizard.md
- name: Using the SUA Tool
href: planning/using-the-sua-tool.md
- name: Tabs on the SUA Tool Interface
href: planning/tabs-on-the-sua-tool-interface.md
- name: Showing Messages Generated by the SUA Tool
href: planning/showing-messages-generated-by-the-sua-tool.md
- name: Applying Filters to Data in the SUA Tool
href: planning/applying-filters-to-data-in-the-sua-tool.md
- name: Fixing Applications by Using the SUA Tool
href: planning/fixing-applications-by-using-the-sua-tool.md
items:
- name: Overview
href: planning/sua-users-guide.md
- name: Use the SUA Wizard
href: planning/using-the-sua-wizard.md
- name: Use the SUA Tool
href: planning/using-the-sua-tool.md
- name: Tabs on the SUA Tool Interface
href: planning/tabs-on-the-sua-tool-interface.md
- name: Show Messages Generated by the SUA Tool
href: planning/showing-messages-generated-by-the-sua-tool.md
- name: Apply Filters to Data in the SUA Tool
href: planning/applying-filters-to-data-in-the-sua-tool.md
- name: Fix apps using the SUA Tool
href: planning/fixing-applications-by-using-the-sua-tool.md
- name: Compatibility Fixes for Windows 10, Windows 8, Windows 7, and Windows Vista
href: planning/compatibility-fixes-for-windows-8-windows-7-and-windows-vista.md
- name: Compatibility Administrator User's Guide
href: planning/compatibility-administrator-users-guide.md
- name: Using the Compatibility Administrator Tool
href: planning/using-the-compatibility-administrator-tool.md
- name: Available Data Types and Operators in Compatibility Administrator
href: planning/available-data-types-and-operators-in-compatibility-administrator.md
- name: Searching for Fixed Applications in Compatibility Administrator
href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
- name: Searching for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
- name: Creating a Custom Compatibility Fix in Compatibility Administrator
href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
- name: Creating a Custom Compatibility Mode in Compatibility Administrator
href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
- name: Creating an AppHelp Message in Compatibility Administrator
href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
- name: Viewing the Events Screen in Compatibility Administrator
href: planning/viewing-the-events-screen-in-compatibility-administrator.md
- name: Enabling and Disabling Compatibility Fixes in Compatibility Administrator
href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
- name: Installing and Uninstalling Custom Compatibility Databases in Compatibility Administrator
href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
- name: Managing Application-Compatibility Fixes and Custom Fix Databases
href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
- name: Understanding and Using Compatibility Fixes
href: planning/understanding-and-using-compatibility-fixes.md
- name: Compatibility Fix Database Management Strategies and Deployment
href: planning/compatibility-fix-database-management-strategies-and-deployment.md
- name: Testing Your Application Mitigation Packages
href: planning/testing-your-application-mitigation-packages.md
- name: Using the Sdbinst.exe Command-Line Tool
href: planning/using-the-sdbinstexe-command-line-tool.md
items:
- name: Overview
href: planning/compatibility-administrator-users-guide.md
- name: Use the Compatibility Administrator Tool
href: planning/using-the-compatibility-administrator-tool.md
- name: Available Data Types and Operators in Compatibility Administrator
href: planning/available-data-types-and-operators-in-compatibility-administrator.md
- name: Search for Fixed Applications in Compatibility Administrator
href: planning/searching-for-fixed-applications-in-compatibility-administrator.md
- name: Search for Installed Compatibility Fixes with the Query Tool in Compatibility Administrator
href: planning/searching-for-installed-compatibility-fixes-with-the-query-tool-in-compatibility-administrator.md
- name: Create a Custom Compatibility Fix in Compatibility Administrator
href: planning/creating-a-custom-compatibility-fix-in-compatibility-administrator.md
- name: Create a Custom Compatibility Mode in Compatibility Administrator
href: planning/creating-a-custom-compatibility-mode-in-compatibility-administrator.md
- name: Create an AppHelp Message in Compatibility Administrator
href: planning/creating-an-apphelp-message-in-compatibility-administrator.md
- name: View the Events Screen in Compatibility Administrator
href: planning/viewing-the-events-screen-in-compatibility-administrator.md
- name: Enable and Disable Compatibility Fixes in Compatibility Administrator
href: planning/enabling-and-disabling-compatibility-fixes-in-compatibility-administrator.md
- name: Install and Uninstall Custom Compatibility Databases in Compatibility Administrator
href: planning/installing-and-uninstalling-custom-compatibility-databases-in-compatibility-administrator.md
- name: Manage Application-Compatibility Fixes and Custom Fix Databases
items:
- name: Overview
href: planning/managing-application-compatibility-fixes-and-custom-fix-databases.md
- name: Understand and Use Compatibility Fixes
href: planning/understanding-and-using-compatibility-fixes.md
- name: Compatibility Fix Database Management Strategies and Deployment
href: planning/compatibility-fix-database-management-strategies-and-deployment.md
- name: Test Your Application Mitigation Packages
href: planning/testing-your-application-mitigation-packages.md
- name: Use the Sdbinst.exe Command-Line Tool
href: planning/using-the-sdbinstexe-command-line-tool.md
- name: Volume Activation
href: volume-activation/volume-activation-windows-10.md
- name: Plan for volume activation
href: volume-activation/plan-for-volume-activation-client.md
- name: Activate using Key Management Service
href: volume-activation/activate-using-key-management-service-vamt.md
- name: Activate using Active Directory-based activation
href: volume-activation/activate-using-active-directory-based-activation-client.md
- name: Activate clients running Windows 10
href: volume-activation/activate-windows-10-clients-vamt.md
- name: Monitor activation
href: volume-activation/monitor-activation-client.md
- name: Use the Volume Activation Management Tool
href: volume-activation/use-the-volume-activation-management-tool-client.md
items:
- name: Overview
href: volume-activation/volume-activation-windows-10.md
- name: Plan for volume activation
href: volume-activation/plan-for-volume-activation-client.md
- name: Activate using Key Management Service
href: volume-activation/activate-using-key-management-service-vamt.md
- name: Activate using Active Directory-based activation
href: volume-activation/activate-using-active-directory-based-activation-client.md
- name: Activate clients running Windows 10
href: volume-activation/activate-windows-10-clients-vamt.md
- name: Monitor activation
href: volume-activation/monitor-activation-client.md
- name: Use the Volume Activation Management Tool
href: volume-activation/use-the-volume-activation-management-tool-client.md
- name: "Appendix: Information sent to Microsoft during activation "
href: volume-activation/appendix-information-sent-to-microsoft-during-activation-client.md

1
windows/deployment/docfx.json
View File

@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

1
windows/device-security/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",

1
windows/docfx.json
View File

@ -14,6 +14,7 @@
}
],
"globalMetadata": {
"recommendations": true,
"ROBOTS": "INDEX, FOLLOW",
"audience": "ITPro",
"breadcrumb_path": "/itpro/windows/breadcrumb/toc.json",

1
windows/eulas/docfx.json
View File

@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/eulas/breadcrumb/toc.json",
"extendBreadcrumb": true,
"feedback_system": "None",

1
windows/hub/docfx.json
View File

@ -34,6 +34,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"audience": "ITPro",
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",

1
windows/keep-secure/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"feedback_system": "None",
"_op_documentIdPathDepotMapping": {
"./": {

1
windows/known-issues/docfx.json
View File

@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"feedback_system": "GitHub",
"feedback_github_repo": "MicrosoftDocs/windows-itpro-docs",

1
windows/manage/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-manage",

1
windows/plan/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-plan",

1
windows/privacy/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.technology": "windows",

1
windows/release-information/docfx.json
View File

@ -35,6 +35,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/release-information/breadcrumb/toc.json",
"ms.prod": "w10",
"ms.date": "4/30/2019",

1
windows/security/docfx.json
View File

@ -33,6 +33,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",

5
windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
View File

@ -679,6 +679,11 @@ Sign-in a workstation with access equivalent to a _domain user_.
10. Select **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)** from the **Key storage provider (KSP)** list.
11. Next to **Subject name format**, type **CN={{OnPrem_Distinguished_Name}}** to make the on-premises distinguished name the subject of the issued certificate.
> [!NOTE]
> If the distinguished name contains special characters like a plus sign ("+"), comma (","), semicolon (";"), or equal sign ("="), the bracketed name must be enclosed in quotation marks: CN=”{{OnPrem_Distinguished_Name}}”.
> If the length of the distinguished name is more than 64 characters, the name length enforcement on the Certification Authority [must be disabled](/previous-versions/windows/it-pro/windows-server-2003/cc784789(v=ws.10)?#disable-dn-length-enforcement).
12. Specify **User Principal Name (UPN)** as a **Subject Alternative Name** parameter. Set its value as {{UserPrincipalName}}.
13. Refer to the "Configure Certificate Templates on NDES" task for how you configured the **AADJ WHFB Authentication** certificate template in the registry. Select the appropriate combination of key usages from the **Key Usages** list that map to the configured NDES template in the registry. In this example, the **AADJ WHFB Authentication** certificate template was added to the **SignatureTemplate** registry value name. The **Key usage** that maps to that registry value name is **Digital Signature**.
14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.

3
windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
View File

@ -17,7 +17,8 @@ ms.technology: mde
# Enable virtualization-based protection of code integrity
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to**
- Windows 10
This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10.
Some applications, including device drivers, may be incompatible with HVCI.

3
windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
View File

@ -18,7 +18,8 @@ ms.technology: mde
# Baseline protections and additional qualifications for virtualization-based protection of code integrity
**Applies to** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to**
- Windows 10
Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.

2
windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
View File

@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
- Windows 10
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.

2
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml
View File

@ -17,7 +17,7 @@ metadata:
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.

2
windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
View File

@ -18,7 +18,7 @@ ms.technology: mde
# Prepare to install Microsoft Defender Application Guard
**Applies to:**
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
- - Windows 10
## Review system requirements

3
windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
View File

@ -17,7 +17,8 @@ ms.technology: mde
# Microsoft Defender Application Guard overview
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to**
- Windows 10
Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.

5
windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
View File

@ -1,5 +1,5 @@
---
title: System requirements for Microsoft Defender Application Guard (Windows 10)
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: m365-security
ms.mktglfcycl: manage
@ -17,7 +17,8 @@ ms.technology: mde
# System requirements for Microsoft Defender Application Guard
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
**Applies to**
- Windows 10
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.

2
windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
View File

@ -19,7 +19,7 @@ ms.technology: mde
**Applies to:**
- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/)
- Windows 10
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.

26
windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md
View File

@ -86,6 +86,32 @@ To enable 3090 allow events, and 3091 and 3092 events, you must instead create a
reg add hklm\system\currentcontrolset\control\ci -v TestFlags -t REG_DWORD -d 0x300
```
## System Integrity Policy Options
The WDAC policy rule-option values can be derived from the "Options" field in the Details section of the Code integrity 3099 event. To parse the values, first convert the hex value to binary. Next, use the bit addresses and their values from the table below to determine the state of each [policy rule-option](/select-types-of-rules-to-create#table-1-windows-defender-application-control-policy---rule-options).
| Bit Address | Policy Rule Option |
|-------|------|
| 2 | `Enabled:UMCI` |
| 3 | `Enabled:Boot Menu Protection` |
| 4 | `Enabled:Intelligent Security Graph Authorization` |
| 5 | `Enabled:Invalidate EAs on Reboot` |
| 7 | `Required:WHQL` |
| 10 | `Enabled:Allow Supplemental Policies` |
| 11 | `Disabled:Runtime FilePath Rule Protection` |
| 13 | `Enabled:Revoked Expired As Unsigned` |
| 16 | `Enabled:Audit Mode (Default)` |
| 17 | `Disabled:Flight Signing` |
| 18 | `Enabled:Inherit Default Policy` |
| 19 | `Enabled:Unsigned System Integrity Policy (Default)` |
| 20 | `Enabled:Dynamic Code Security` |
| 21 | `Required:EV Signers` |
| 22 | `Enabled:Boot Audit on Failure` |
| 23 | `Enabled:Advanced Boot Options Menu` |
| 24 | `Disabled:Script Enforcement` |
| 25 | `Required:Enforce Store Applications` |
| 27 | `Enabled:Managed Installer` |
| 28 | `Enabled:Update Policy No Reboot` |
## Appendix
A list of other relevant event IDs and their corresponding description.

1
windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
View File

@ -70,6 +70,7 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
| **17 Enabled:Allow Supplemental Policies** | Use this option on a base policy to allow supplemental policies to expand it. NOTE: This option is only supported on Windows 10, version 1903, and above. | No |
| **18 Disabled:Runtime FilePath Rule Protection** | This option disables the default runtime check that only allows FilePath rules for paths that are only writable by an administrator. NOTE: This option is only supported on Windows 10, version 1903, and above. | Yes |
| **19 Enabled:Dynamic Code Security** | Enables policy enforcement for .NET applications and dynamically loaded libraries. NOTE: This option is only supported on Windows 10, version 1803, and above. | No |
| **20 Enabled:Revoked Expired As Unsigned** | Use this option to treat binaries signed with expired and/or revoked certificates as "Unsigned binaries" for user-mode process/components under enterprise signing scenarios. | No |
## Windows Defender Application Control file rule levels

1
windows/threat-protection/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"ms.technology": "windows",
"ms.topic": "article",

1
windows/update/docfx.json
View File

@ -31,6 +31,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"_op_documentIdPathDepotMapping": {
"./": {
"depot_name": "MSDN.windows-update",

1
windows/whats-new/docfx.json
View File

@ -32,6 +32,7 @@
"overwrite": [],
"externalReference": [],
"globalMetadata": {
"recommendations": true,
"breadcrumb_path": "/windows/windows-10/breadcrumb/toc.json",
"uhfHeaderId": "MSDocsHeader-M365-IT",
"ms.topic": "article",