From b56593cebea82935ccd06883cea9646c5ce6edd6 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Tue, 22 Jun 2021 10:48:28 -0700 Subject: [PATCH 01/44] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...system-components-to-microsoft-services.md | 42 +++++++------------ 1 file changed, 14 insertions(+), 28 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 822869ba60..f9382b3938 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -604,34 +604,20 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv | Policy | Group Policy Path | Registry Path | |----------------------------------|--------------------|---------------------------------------------| -| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: SearchSuggestEnabled Set to 0** | -| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: AutofillAddressEnabled Set to 0** | -| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: AutofillCreditCardEnabled Set to 0** | -| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled**| **REG_DWORD name: ConfigureDoNotTrack Set to 1** | -| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: PasswordManagerEnabled Set to 0** | -| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: DefaultSearchProviderEnabled Set to 0** | -| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled**| **REG_DWORD name: HideFirstRunExperience Set to 1** | -| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: SmartScreenEnabled Set to 0** | -| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Enabled-Value “about:blank”**| **REG_SZ name: NewTabPageLocation Set to about:blank** | -| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge | -| | **Set to Disabled**| **REG_DWORD name: RestoreOnStartup Set to 5** | -| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs | -| | **Set to Disabled**| **REG_SZ name: 1 Set to about:blank** | -| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to Enabled - 'Updates disabled'**| **REG_DWORD name: UpdateDefault Set to 0** | -| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to Enabled - Set Value for Minutes between update checks to 0**| **REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0** | -| **Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate | -| | **Set to RestrictedMode**| **REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0** | +| **SearchSuggestEnabled** | Computer Configuration/Administrative Templates/Windows Component/Microsoft Edge - Enable search suggestions
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: SearchSuggestEnabled Set to 0**| +| **AutofillAddressEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for addresses
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: AutofillAddressEnabled Set to 0**| +| **AutofillCreditCardEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Enable AutoFill for credit cards
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: AutofillCreditCardEnabled Set to 0**| +| **ConfigureDoNotTrack** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge - Configure Do Not Track
**Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: ConfigureDoNotTrack Set to 1** | +| **PasswordManagerEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Password manager and protection-Enable saving passwords to the password manager
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: PasswordManagerEnabled Set to 0**| +| **DefaultSearchProviderEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Default search provider-Enable the default search provider
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: DefaultSearchProviderEnabled Set to 0**| +| **HideFirstRunExperience** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Hide the First-run experience and splash screen
**Set to Enabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: HideFirstRunExperience Set to 1**| +| **SmartScreenEnabled** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/SmartScreen settings-Configure Microsoft Defender SmartScreen
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: SmartScreenEnabled Set to 0**| +| **NewTabPageLocation** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Configure the new tab page URL
**Set to Enabled-Value “about:blank”**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_SZ name: NewTabPageLocation Set to about:blank**| +| **RestoreOnStartup** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Action to take on startup
**Set to Disabled** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge
**REG_DWORD name: RestoreOnStartup Set to 5**| +| **RestoreOnStartupURLs** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge/Startup, home page and new tab page- Sites to open when the browser starts
**Set to Disabled**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\RestoreOnStartupURLs
**REG_SZ name: 1 Set to about:blank**| +| **UpdateDefault** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Applications-Update policy override default
**Set to Enabled - 'Updates disabled'** | HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: UpdateDefault Set to 0**| +| **AutoUpdateCheckPeriodMinutes** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override
**Set to Enabled - Set Value for Minutes between update checks to 0**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: AutoUpdateCheckPeriodMinutes Set to 0**| +|**Experimentation and Configuration Service** | Computer Configurations/Administrative Templates/Windows Component/Microsoft Edge Update/Preferences- Auto-update check period override
**Set to RestrictedMode**| HKEY_LOCAL_MACHINE \SOFTWARE\Policies\Microsoft\Edge\EdgeUpdate
**REG_DWORD name: ExperimentationAndConfigurationServiceControl Set to 0**| ||| ### 14. Network Connection Status Indicator From 632d4d4b2e038cdc35f91db05f400eb21831feb8 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 24 Jun 2021 10:29:55 -0700 Subject: [PATCH 02/44] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md Replaced Windows Defender with Microsoft Defender Antivirus and added a GP section for Cloud Clipboard --- ...system-components-to-microsoft-services.md | 68 ++++++++++++------- 1 file changed, 42 insertions(+), 26 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 1dec9ad720..d046271409 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -27,13 +27,13 @@ ms.date: 5/21/2021 This article describes the network connections that Windows 10 components make to Microsoft and the Windows Settings, Group Policies and registry settings available to IT Professionals to help manage the data shared with Microsoft. If you want to minimize connections from Windows to Microsoft services, or configure privacy settings, there are a number of settings for consideration. For example, you can configure diagnostic data to the lowest level for your edition of Windows and evaluate other connections Windows makes to Microsoft services you want to turn off using the instructions in this article. While it is possible to minimize network connections to Microsoft, there are many reasons why these communications are enabled by default, such as updating malware definitions and maintaining current certificate revocation lists. This data helps us deliver a secure, reliable, and up-to-date experience. -Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Windows Defender are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. +Microsoft provides a [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887) package that will allow your organization to quickly configure the settings covered in this document to restrict connections from Windows 10 to Microsoft. The Windows Restricted Traffic Limited Baseline is based on [Group Policy Administrative Template](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) functionality and the package you download contains further instructions on how to deploy to devices in your organization. Since some of the settings can reduce the functionality and security configuration of your device, **before deploying Windows Restricted Traffic Limited Functionality Baseline** make sure you **choose the right settings configuration for your environment** and **ensure that Windows and Microsoft Defender Antivirus are fully up to date**. Failure to do so may result in errors or unexpected behavior. You should not extract this package to the windows\system32 folder because it will not apply correctly. > [!IMPORTANT] > - The downloadable Windows 10, version 1903 scripts/settings can be used on Windows 10, version 1909 devices. > - The Allowed Traffic endpoints are listed here: [Allowed Traffic](#bkmk-allowedtraffic) > - CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) network traffic cannot be disabled and will still show up in network traces. CRL and OCSP checks are made to the issuing certificate authorities. Microsoft is one of these authorities. There are many others such as DigiCert, Thawte, Google, Symantec, and VeriSign. -> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Windows Defender. Accordingly, we do not recommend disabling any of these features. +> - For security reasons, it is important to take care in deciding which settings to configure as some of them may result in a less secure device. Examples of settings that can lead to a less secure device configuration include: Windows Update, Automatic Root Certificates Update, and Microsoft Defender Antivirus. Accordingly, we do not recommend disabling any of these features. > - It is recommended that you restart a device after making configuration changes to it. > - The **Get Help** and **Give us Feedback** links no longer work after the Windows Restricted Traffic Limited Functionality Baseline is applied. @@ -48,7 +48,7 @@ We are always striving to improve our documentation and welcome your feedback. Y ## Management options for each setting -The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections +The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Microsoft Defender Antivirus diagnostic data and MSRT reporting, and turn off all of these connections ### Settings for Windows 10 Enterprise edition @@ -103,7 +103,7 @@ The following table lists management options for each setting, beginning with Wi | [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -131,7 +131,7 @@ See the following table for a summary of the management settings for Windows Ser | [18. Settings > Privacy](#bkmk-settingssection) | | | | | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | @@ -148,7 +148,7 @@ See the following table for a summary of the management settings for Windows Ser | [14. Network Connection Status Indicator](#bkmk-ncsi) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [19. Software Protection Platform](#bkmk-spp) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 Nano Server @@ -213,7 +213,7 @@ See the following table for a summary of the management settings for Windows Ser | [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [24. Windows Defender](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | @@ -291,7 +291,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] > Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Microsoft Defender Antivirus Firewall with Advanced Security** > **Microsoft Defender Antivirus Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. @@ -423,7 +423,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
**Set Value to: Disabled**| | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled**
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**| -| Prevent managing Windows Defender SmartScreen | Choose whether employees can manage the Windows Defender SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.| +| Prevent managing Microsoft Defender Antivirus SmartScreen | Choose whether employees can manage the Microsoft Defender Antivirus SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Microsoft Defender Antivirus SmartScreen mode** to **Off**.| | Registry Key | Registry path | @@ -432,7 +432,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| | Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | | Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing Windows Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Prevent managing Microsoft Defender Antivirus SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -567,7 +567,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Windows Defender SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender Antivirus SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -583,7 +583,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| @@ -594,13 +594,13 @@ For a complete list of the Microsoft Edge policies, see [Available policies for ### 13.2 Microsoft Edge Enterprise -For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). +For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies). > [!Important] -> - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). -> - Devices must be domain joined for some of the policies to take effect. +> - The following settings are applicable to Microsoft Edge version 77 or later. +> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows +> - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | |----------------------------------|--------------------|---------------------------------------------| @@ -913,7 +913,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). -To turn off **Turn on Windows Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**: +To turn off **Turn on Microsoft Defender Antivirus SmartScreen to check web content (URLs) that Microsoft Store apps use**: - Turn off the feature in the UI. @@ -1616,13 +1616,13 @@ To turn off **Connect to suggested open hotspots** and **Connect to networks sha When turned off, the Wi-Fi Sense settings still appear on the Wi-Fi Settings screen, but they’re non-functional and they can’t be controlled by the employee. -### 24. Windows Defender +### 24. Microsoft Defender Antivirus You can disconnect from the Microsoft Antimalware Protection Service. > [!IMPORTANT] -> **Required Steps BEFORE setting the Windows Defender Group Policy or RegKey on Windows 10 version 1903** -> 1. Ensure Windows and Windows Defender are fully up to date. +> **Required Steps BEFORE setting the Microsoft Defender Antivirus Group Policy or RegKey on Windows 10 version 1903** +> 1. Ensure Windows and Microsoft Defender Antivirus are fully up to date. > 2. Search the Start menu for "Tamper Protection" by clicking on the search icon next to the Windows Start button. Then scroll down to the Tamper Protection toggle and turn it **Off**. This will allow you to modify the Registry key and allow the Group Policy to make the setting. Alternatively, you can go to **Windows Security Settings -> Virus & threat protection, click on Manage Settings** link and then scroll down to the Tamper Protection toggle to set it to **Off**. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **MAPS** > **Join Microsoft MAPS** and then select **Disabled** from the drop-down box named **Join Microsoft MAPS** @@ -1687,21 +1687,21 @@ You can turn off **Enhanced Notifications** as follows: - Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**. -### 24.1 Windows Defender SmartScreen +### 24.1 Microsoft Defender Antivirus SmartScreen -To disable Windows Defender SmartScreen: +To disable Microsoft Defender Antivirus SmartScreen: In Group Policy, configure: -- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled** +- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure Microsoft Defender Antivirus SmartScreen** to be **Disabled** -and- -- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Microsoft Defender Antivirus SmartScreen** : **Disable** -and- -- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** +- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** -OR- @@ -1930,6 +1930,22 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre - Add a REG_DWORD value named **HapDownloadEnabled** to **HKEY_LOCAL_MACHINE\\Software\\Microsoft\\LexiconUpdate\\loc_0804** and set the **value to 0 (zero)**. +### 30. Cloud Clipboard + +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. + +Most restricted value is 0. + +ADMX Info: + +- GP English name: Allow Clipboard synchronization across devices
+- GP name: AllowCrossDeviceClipboard
+- GP path: System/OS Policies
+- GP ADMX file name: OSPolicy.admx
+ +The following list shows the supported values:
+0 – Not allowed. 1 (default) – Allowed.
+ ### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline From 730d0f752c3ed9916cb428f8c13931e30862f9a3 Mon Sep 17 00:00:00 2001 From: Tom Layson <83308464+TomLayson@users.noreply.github.com> Date: Thu, 24 Jun 2021 10:53:50 -0700 Subject: [PATCH 03/44] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md Added Services Config section and Menu links. --- ...erating-system-components-to-microsoft-services.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index d046271409..a66e8d0a3a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -109,6 +109,8 @@ The following table lists management options for each setting, beginning with Wi | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ### Settings for Windows Server 2016 with Desktop Experience @@ -219,6 +221,8 @@ See the following table for a summary of the management settings for Windows Ser | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) | | [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) | | +| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ## How to configure each setting @@ -1946,6 +1950,13 @@ ADMX Info: The following list shows the supported values:
0 – Not allowed. 1 (default) – Allowed.
+### 31. Services Configuration + +Services Configuration is used by Windows components and apps, such as the telemetry service, to dynamically update their configuration. If you turn off this service, apps using this service may stop working. + +You can turn off Services Configuration by setting the following registry entries: + +Add a REG_DWORD value named **DisableOneSettingsDownloads** to **HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\DataCollection** and set the value to **1**. ### Allowed traffic list for Windows Restricted Traffic Limited Functionality Baseline From 7ea8c78d51c31642b527fccf283cb9b4a12f6eb9 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Fri, 25 Jun 2021 07:25:19 +0530 Subject: [PATCH 04/44] removed symbols and pre word. as per user report #9717 . so I removed special symbols nas pre word . --- windows/deployment/windows-10-subscription-activation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index 6861d74931..dfb7ea6b10 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -197,7 +197,7 @@ You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, a To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer: ```console -cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43 +cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43 ``` The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro. @@ -280,4 +280,4 @@ Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscr [Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file +[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
From 425f096d8d91f3562919cbe29bcb985d4d8b1e6c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 28 Jun 2021 18:34:23 +0530 Subject: [PATCH 05/44] corrected link as per user report issue #9742, so i corrected the link. all event ids 560, 562 , ....... all comes under **audit object access** --- .../audit-audit-the-access-of-global-system-objects.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 4015f85f3f..55abcdd744 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -79,7 +79,7 @@ All auditing capabilities are integrated in Group Policy. You can configure, dep To audit attempts to access global system objects, you can use one of two security audit policy settings: - [Audit Kernel Object](../auditing/audit-kernel-object.md) in Advanced Security Audit Policy Settings\\Object Access -- [Audit object access](../auditing/basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy +- [Audit Object Access](../auditing/basic-audit-object-access.md) under Security Settings\\Local Policies\\Audit Policy If possible, use the Advanced Security Audit Policy option to reduce the number of unrelated audit events that you generate. @@ -92,7 +92,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | 4661 | A handle to an object was requested. | | 4663 | An attempt was made to access an object. | -If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is configured, the following events are generated: +If the [Audit Object Access](../auditing/basic-audit-object-access.md) setting is configured, the following events are generated: | Event ID | Event message | | - | - | From 87b9f5377dcd60cc32db75e6c80bf096cfdf0728 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 29 Jun 2021 09:31:40 +0530 Subject: [PATCH 06/44] removed invalid link , added correct link as per user report issue #9747 , so I added correct link and removed invalid link --- windows/client-management/connect-to-remote-aadj-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 89776f9222..9de7a6f1c2 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -87,4 +87,4 @@ The table below lists the supported configurations for remotely connecting to an ## Related topics -[How to use Remote Desktop](https://support.microsoft.com/instantanswers/ff521c86-2803-4bc0-a5da-7df445788eb9/how-to-use-remote-desktop) \ No newline at end of file +[How to use Remote Desktop](https://support.microsoft.com/en-us/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) From 4991d4fcf561c25e7dce64ef278f213db686ca64 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 10:46:21 +0100 Subject: [PATCH 07/44] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...perating-system-components-to-microsoft-services.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2e5dcae25d..e4aef3529a 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -295,7 +295,7 @@ You can also apply the Group Policies using the following registry keys: > [!IMPORTANT] > Using the Group Policy editor these steps are required for all supported versions of Windows 10, however they are not required for devices running Windows 10, version 1607 or Windows Server 2016. -1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Microsoft Defender Antivirus Firewall with Advanced Security** > **Microsoft Defender Antivirus Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. +1. Expand **Computer Configuration** > **Windows Settings** > **Security Settings** > **Windows Defender Firewall with Advanced Security** > **Windows Defender Firewall with Advanced Security - <LDAP name>**, and then click **Outbound Rules**. 2. Right-click **Outbound Rules**, and then click **New Rule**. The **New Outbound Rule Wizard** starts. @@ -427,7 +427,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | Choose whether an employee can configure enhanced suggestions, which are presented to the employee as they type in the Address Bar.
**Set Value to: Disabled**| | Turn off the auto-complete feature for web addresses | Choose whether auto-complete suggests possible matches when employees are typing web address in the Address Bar.
**Set Value to: Enabled**
You can also turn this off in the UI by clearing the Internet Options > **Advanced** > **Use inline AutoComplete in the Internet Explorer Address Bar and Open Dialog** check box.| | Turn off browser geolocation | Choose whether websites can request location data from Internet Explorer.
**Set Value to: Enabled**| -| Prevent managing Microsoft Defender Antivirus SmartScreen | Choose whether employees can manage the Microsoft Defender Antivirus SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Microsoft Defender Antivirus SmartScreen mode** to **Off**.| +| Prevent managing Microsoft Defender SmartScreen | Choose whether employees can manage the Microsoft Defender SmartScreen in Internet Explorer.
**Set Value to: Enabled** and then set **Select Windows Defender SmartScreen mode** to **Off**.| | Registry Key | Registry path | @@ -436,7 +436,7 @@ To turn off Insider Preview builds for Windows 10: | Allow Microsoft services to provide enhanced suggestions as the user types in the Address Bar | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer
REG_DWORD: AllowServicePoweredQSA
**Set Value to: 0**| | Turn off the auto-complete feature for web addresses |HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\CurrentVersion\\Explorer\\AutoComplete
REG_SZ: AutoSuggest
Set Value to: **no** | | Turn off browser geolocation | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\Geolocation
REG_DWORD: PolicyDisableGeolocation
**Set Value to: 1** | -| Prevent managing Microsoft Defender Antivirus SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | +| Prevent managing Microsoft Defender SmartScreen | HKLM\\SOFTWARE\\Policies\\Microsoft\\Internet Explorer\\PhishingFilter
REG_DWORD: EnabledV9
**Set Value to: 0** | There are more Group Policy objects that are used by Internet Explorer: @@ -573,7 +573,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender Antivirus SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -589,7 +589,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Microsoft Defender Antivirus SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| From 7c1681a7cd620e9ac8eee39d242d162a951e8ec0 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 11:08:19 +0100 Subject: [PATCH 08/44] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ng-system-components-to-microsoft-services.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index e4aef3529a..da8ed579e1 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -573,7 +573,7 @@ Find the Microsoft Edge Group Policy objects under **Computer Configuration** &g | Configure Do Not Track | Choose whether employees can send Do Not Track headers.
**Set to Enabled** | | Configure Password Manager | Choose whether employees can save passwords locally on their devices.
**Set to Disabled** | | Configure search suggestions in Address Bar | Choose whether the Address Bar shows search suggestions.
**Set to Disabled** | -| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | +| Configure Windows Defender SmartScreen (Windows 10, version 1703) | Choose whether Microsoft Defender SmartScreen is turned on or off.
**Set to Disabled** | | Allow web content on New Tab page | Choose whether a new tab page appears.
**Set to Disabled** | | Configure Start pages | Choose the Start page for domain-joined devices.
**Enabled** and **Set this to <>** | | Prevent the First Run webpage from opening on Microsoft Edge | Choose whether employees see the First Run webpage.
**Set to: Enable** | @@ -589,7 +589,7 @@ Alternatively, you can configure the following Registry keys as described: | Configure Do Not Track | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: DoNotTrack
REG_DWORD: **1** | | Configure Password Manager | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_SZ name: FormSuggest Passwords
REG_SZ: **No** | | Configure search suggestions in Address Bar | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\SearchScopes
REG_DWORD name: ShowSearchSuggestionsGlobal
Value: **0**| -| Configure Microsoft Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | +| Configure Windows Defender SmartScreen (Windows 10, version 1703) | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\PhishingFilter
REG_DWORD name: EnabledV9
Value: **0** | | Allow web content on New Tab page | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\ServiceUI
REG_DWORD name: AllowWebContentOnNewTabPage
Value: **0** | | Configure corporate Home pages | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Internet Settings
REG_SZ name: ProvisionedHomePages
Value: **<>**| | Prevent the First Run webpage from opening on Microsoft Edge | HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\MicrosoftEdge\\Main
REG_DWORD name: PreventFirstRunPage
Value: **1**| @@ -917,7 +917,7 @@ To turn off **Let apps use my advertising ID for experiences across apps (turnin - Create a REG_DWORD registry setting named **DisabledByGroupPolicy** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AdvertisingInfo** with a value of 1 (one). -To turn off **Turn on Microsoft Defender Antivirus SmartScreen to check web content (URLs) that Microsoft Store apps use**: +To turn off **Turn on Microsoft Defender SmartScreen to check web content (URLs) that Microsoft Store apps use**: - Turn off the feature in the UI. @@ -1691,21 +1691,21 @@ You can turn off **Enhanced Notifications** as follows: - Create a new REG_DWORD registry setting named **DisableEnhancedNotifications** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Reporting** and enter the decimal value **1**. -### 24.1 Microsoft Defender Antivirus SmartScreen +### 24.1 Microsoft Defender SmartScreen -To disable Microsoft Defender Antivirus SmartScreen: +To disable Microsoft Defender SmartScreen: In Group Policy, configure: -- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure Microsoft Defender Antivirus SmartScreen** to be **Disabled** +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure Windows Defender SmartScreen** to be **Disabled** -and- -- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Microsoft Defender Antivirus SmartScreen** : **Disable** +- **Computer Configuration > Administrative Templates > Windows Components > File Explorer > Configure Windows Defender SmartScreen** : **Disable** -and- -- **Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** +- **Computer Configuration > Administrative Templates > Windows Components > Windows Defender SmartScreen > Explorer > Configure app install control** : **Enable**, and select **Turn off app recommendations** -OR- From 54678d570858669b6ca439c703746fb1b8b40e1c Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Tue, 29 Jun 2021 11:21:30 +0100 Subject: [PATCH 09/44] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index da8ed579e1..fcadb6f4e3 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -1936,7 +1936,7 @@ For China releases of Windows 10 there is one additional Regkey to be set to pre ### 30. Cloud Clipboard -Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access. Also, when this is allowed, a new clipboard item on the cloud is downloaded to a device so that user can paste on the device. +Specifies whether clipboard items roam across devices. When this is allowed, an item copied to the clipboard is uploaded to the cloud so that other devices can access it. Clipboard items in the cloud can be downloaded and pasted across your Windows 10 devices. Most restricted value is 0. From a2b22b9e83bfaab9faf72a0098df0be3f622455c Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 29 Jun 2021 17:41:56 +0530 Subject: [PATCH 10/44] typo correction as per user report issue #9750 , so I corrected word --- .../bitlocker/bitlocker-network-unlock-faq.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml index 17c1035e0b..10287fc220 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml +++ b/windows/security/information-protection/bitlocker/bitlocker-network-unlock-faq.yml @@ -35,6 +35,6 @@ sections: BitLocker Network Unlock has software and hardware requirements for both client computers, Windows Deployment services, and domain controllers that must be met before you can use it. Network Unlock uses two protectors, the TPM protector and the one provided by the network or by your PIN, whereas automatic unlock uses a single protector, the one stored in the TPM. If the computer is joined to a network without the key protector it will prompt you to enter your PIN. If the PIN is - not available you will need to use the recovery key to unlock the computer if it can ot be connected to the network. + not available you will need to use the recovery key to unlock the computer if it can not be connected to the network. For more info, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). From 0cff94693ae41c30ebb1b4924655ccdb51cd2942 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Tue, 29 Jun 2021 19:17:31 +0530 Subject: [PATCH 11/44] Update windows/client-management/connect-to-remote-aadj-pc.md thanks for pointing out. Today I forgotted to remove localisation. Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- windows/client-management/connect-to-remote-aadj-pc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index 9de7a6f1c2..275869bf99 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -87,4 +87,4 @@ The table below lists the supported configurations for remotely connecting to an ## Related topics -[How to use Remote Desktop](https://support.microsoft.com/en-us/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) +[How to use Remote Desktop](https://support.microsoft.com/windows/how-to-use-remote-desktop-5fe128d5-8fb1-7a23-3b8a-41e636865e8c) From 931d5be5a65a7fbcb72d4c60a47169e82f46a617 Mon Sep 17 00:00:00 2001 From: Saurabh Koshta Date: Tue, 29 Jun 2021 11:51:33 -0500 Subject: [PATCH 12/44] Update bitlocker-csp.md https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5707 greg-lindsay commented on Dec 18, 2019 @lXbalanque I understand the issue :) I've confirmed that the MDM stack (Intune profile settings) currently supports only used space encryption. You can probably see that by going through all the settings that you've shown above. There is no available choice for "encrypt entire drive" or "full encryption" even though there are a lot of other settings. --- windows/client-management/mdm/bitlocker-csp.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index f19bba4d59..e9bd144485 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -172,6 +172,10 @@ If you want to disable this policy, use the following SyncML: ``` + +> [!NOTE] +> Currently only used space encryption is supported when using this CSP. + **EncryptionMethodByDriveType** @@ -1405,4 +1409,4 @@ The following example is provided to show proper format and should not be taken ``` - \ No newline at end of file + From 3fc77d46d66876d7ac2db48b7372f9fcf1f8c665 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 13:21:18 -0700 Subject: [PATCH 13/44] fix link --- windows/whats-new/windows-11-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 54e1400de4..368dd33786 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -38,7 +38,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements] (https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). From 64bd2ba149bd2ea66a52a83cecf73dfe73ed1d92 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 29 Jun 2021 13:29:24 -0700 Subject: [PATCH 14/44] udpate tree --- windows/client-management/mdm/euiccs-csp.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/client-management/mdm/euiccs-csp.md b/windows/client-management/mdm/euiccs-csp.md index 9ce12f6be8..97ae6b939f 100644 --- a/windows/client-management/mdm/euiccs-csp.md +++ b/windows/client-management/mdm/euiccs-csp.md @@ -25,6 +25,10 @@ eUICCs --------IsActive --------PPR1Allowed --------PPR1AlreadySet +--------DownloadServers +------------ServerName +----------------DiscoveryState +----------------AutoEnable --------Profiles ------------ICCID ----------------ServerName From 4ff59a54710e1006b8474d21a7b9fc2885be990a Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 13:31:11 -0700 Subject: [PATCH 15/44] formatting --- windows/whats-new/windows-11-requirements.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 368dd33786..c6338640b5 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -38,7 +38,9 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). + +Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). For information about tools to evaluate readiness, see [Determine eligibility](windows-11-plan.md#determine-eligibility). From 4b4f05d4f15dde1f5cae5e6c1db484e294da31b2 Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 29 Jun 2021 13:58:01 -0700 Subject: [PATCH 16/44] Acrolinx "Multi-factor" --- windows/deployment/windows-10-subscription-activation.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index dfb7ea6b10..f2dbfeb5b5 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -103,9 +103,9 @@ For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 E If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/) -#### Multi-factor authentication +#### Multifactor authentication -An issue has been identified with Hybrid Azure AD joined devices that have enabled [multi-factor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. +An issue has been identified with Hybrid Azure AD joined devices that have enabled [multifactor authentication](/azure/active-directory/authentication/howto-mfa-getstarted) (MFA). If a user signs into a device using their Active Directory account and MFA is enabled, the device will not successfully upgrade to their Windows Enterprise subscription. To resolve this issue: From 17bdc36489d8f7199805cd308bb83c89acaf83fa Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 29 Jun 2021 13:59:33 -0700 Subject: [PATCH 17/44] Corrected note markup, spacing, punctuation --- windows/deployment/windows-10-subscription-activation.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md index f2dbfeb5b5..af4d82ad1b 100644 --- a/windows/deployment/windows-10-subscription-activation.md +++ b/windows/deployment/windows-10-subscription-activation.md @@ -226,7 +226,8 @@ When you have the required Azure AD subscription, group-based licensing is the p If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise. -Caution: Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE(Out Of Box Experience) +> [!CAUTION] +> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience). If you are using Windows 10, version 1607, 1703, or 1709 and have already deployed Windows 10 Enterprise, but you want to move away from depending on KMS servers and MAK keys for Windows client machines, you can seamlessly transition as long as the computer has been activated with a firmware-embedded Windows 10 Pro product key. From bbcb845f9e40aecc8d7abd57782d42440a53f689 Mon Sep 17 00:00:00 2001 From: lmqferreira Date: Tue, 29 Jun 2021 22:10:14 +0100 Subject: [PATCH 18/44] Update hello-hybrid-cert-whfb-settings-pki.md fixed typo on group name --- .../hello-for-business/hello-hybrid-cert-whfb-settings-pki.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md index 25a3d96332..98cb3003ec 100644 --- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md +++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md @@ -193,7 +193,7 @@ Sign-in to a certificate authority or management workstation with _Domain Admin 10. On the **Request Handling** tab, select the **Renew with same key** check box. -11. On the **Security** tab, click **Add**. Type **Window Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. +11. On the **Security** tab, click **Add**. Type **Windows Hello for Business Users** in the **Enter the object names to select** text box and click **OK**. 12. Click the **Windows Hello for Business Users** from the **Group or users names** list. In the **Permissions for Windows Hello for Business Users** section, select the **Allow** check box for the **Read**, **Enroll**, and **AutoEnroll** permissions. Excluding the **Windows Hello for Business Users** group, clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**. From 644c15d06715e50ec31d0bccbd36c68ec8cf5c96 Mon Sep 17 00:00:00 2001 From: JackD Date: Tue, 29 Jun 2021 17:25:25 -0400 Subject: [PATCH 19/44] Add link to CSP in alignment with above CSPs Link missing to CSP documentation similar to other CSPs listed above. --- .../deployment/update/update-compliance-configuration-manual.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 10b6032442..e15c04a0eb 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -47,7 +47,7 @@ Each MDM Policy links to its documentation in the CSP hierarchy, providing its e |**System/**[**AllowTelemetry**](/windows/client-management/mdm/policy-csp-system#system-allowtelemetry) |Integer | 1 - Basic |Configures the maximum allowed diagnostic data to be sent to Microsoft. Individual users can still set this value lower than what the policy defines. For more information, see the following policy. | |**System/**[**ConfigureTelemetryOptInSettingsUx**](/windows/client-management/mdm/policy-csp-system#system-configuretelemetryoptinsettingsux) |Integer |1 - Disable Telemetry opt-in Settings | (in Windows 10, version 1803 and later) Determines whether users of the device can adjust diagnostic data to levels lower than the level defined by AllowTelemetry. We recommend that you disable this policy or the effective diagnostic data level on devices might not be sufficient. | |**System/**[**AllowDeviceNameInDiagnosticData**](/windows/client-management/mdm/policy-csp-system#system-allowdevicenameindiagnosticdata) |Integer | 1 - Allowed | Allows device name to be sent for Windows Diagnostic Data. If this policy is Not Configured or set to 0 (Disabled), Device Name will not be sent and will not be visible in Update Compliance, showing `#` instead. | -| **System/AllowUpdateComplianceProcessing** |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | +| **System/**[**AllowUpdateComplianceProcessing**](/windows/client-management/mdm/policy-csp-system#system-allowUpdateComplianceProcessing) |Integer | 16 - Allowed | Enables data flow through Update Compliance's data processing system and indicates a device's explicit enrollment to the service. | ### Group policies From 52aa9452f44e2eeb52338308e1ac2a3f3de9161f Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Tue, 29 Jun 2021 17:16:49 -0700 Subject: [PATCH 20/44] Acrolinx: 16 instances of "Bitlocker" --- .../client-management/mdm/bitlocker-csp.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/client-management/mdm/bitlocker-csp.md b/windows/client-management/mdm/bitlocker-csp.md index e9bd144485..e3f6b2bd85 100644 --- a/windows/client-management/mdm/bitlocker-csp.md +++ b/windows/client-management/mdm/bitlocker-csp.md @@ -180,7 +180,7 @@ If you want to disable this policy, use the following SyncML: **EncryptionMethodByDriveType** -Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". +Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the BitLocker Group Policy "Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)". @@ -208,7 +208,7 @@ ADMX Info:
  • GP English name: Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)
  • GP name: EncryptionMethodWithXts_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption
    • +
  • GP path: Windows Components/BitLocker Drive Encryption
  • GP ADMX file name: VolumeEncryption.admx
@@ -264,7 +264,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRequireStartupAuthentication** -This setting is a direct mapping to the Bitlocker Group Policy "Require additional authentication at startup". +This setting is a direct mapping to the BitLocker Group Policy "Require additional authentication at startup".
@@ -293,7 +293,7 @@ ADMX Info:
  • GP English name: Require additional authentication at startup
  • GP name: ConfigureAdvancedStartup_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -372,7 +372,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesMinimumPINLength** -This setting is a direct mapping to the Bitlocker Group Policy "Configure minimum PIN length for startup". +This setting is a direct mapping to the BitLocker Group Policy "Configure minimum PIN length for startup".
@@ -401,7 +401,7 @@ ADMX Info:
  • GP English name:Configure minimum PIN length for startup
  • GP name: MinimumPINLength_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -448,7 +448,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryMessage** -This setting is a direct mapping to the Bitlocker Group Policy "Configure pre-boot recovery message and URL" +This setting is a direct mapping to the BitLocker Group Policy "Configure pre-boot recovery message and URL" (PrebootRecoveryInfo_Name). @@ -478,7 +478,7 @@ ADMX Info:
  • GP English name: Configure pre-boot recovery message and URL
  • GP name: PrebootRecoveryInfo_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -538,7 +538,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **SystemDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name). +This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected operating system drives can be recovered" (OSRecoveryUsage_Name).
@@ -567,7 +567,7 @@ ADMX Info:
  • GP English name: Choose how BitLocker-protected operating system drives can be recovered
  • GP name: OSRecoveryUsage_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Operating System Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Operating System Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -635,7 +635,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRecoveryOptions** -This setting is a direct mapping to the Bitlocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" (). +This setting is a direct mapping to the BitLocker Group Policy "Choose how BitLocker-protected fixed drives can be recovered" ().
@@ -664,7 +664,7 @@ ADMX Info:
  • GP English name: Choose how BitLocker-protected fixed drives can be recovered
  • GP name: FDVRecoveryUsage_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Fixed Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -741,7 +741,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **FixedDrivesRequireEncryption** -This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name). +This setting is a direct mapping to the BitLocker Group Policy "Deny write access to fixed drives not protected by BitLocker" (FDVDenyWriteAccess_Name).
@@ -770,7 +770,7 @@ ADMX Info:
  • GP English name: Deny write access to fixed drives not protected by BitLocker
  • GP name: FDVDenyWriteAccess_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Fixed Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Fixed Drives
  • GP ADMX file name: VolumeEncryption.admx
@@ -810,7 +810,7 @@ Data type is string. Supported operations are Add, Get, Replace, and Delete. **RemovableDrivesRequireEncryption** -This setting is a direct mapping to the Bitlocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name). +This setting is a direct mapping to the BitLocker Group Policy "Deny write access to removable drives not protected by BitLocker" (RDVDenyWriteAccess_Name).
@@ -839,7 +839,7 @@ ADMX Info:
  • GP English name: Deny write access to removable drives not protected by BitLocker
  • GP name: RDVDenyWriteAccess_Name
    • -
  • GP path: Windows Components/Bitlocker Drive Encryption/Removeable Drives
    • +
  • GP path: Windows Components/BitLocker Drive Encryption/Removeable Drives
  • GP ADMX file name: VolumeEncryption.admx
From 6d8c5dd4bba6e9bf65ad57fd1ab0eb1fbef97b9c Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 23:16:30 -0700 Subject: [PATCH 21/44] title --- windows/whats-new/windows-11-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index c6338640b5..6f7a2364b6 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -38,7 +38,7 @@ To install or upgrade to Windows 11, devices must meet the following minimum har - Internet connection: Internet connectivity is necessary to perform updates, and to download and use some features. - Windows 11 Home edition requires an Internet connection and a Microsoft Account to complete device setup on first use. -\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Keeping Windows 11 up-to-date](https://www.microsoft.com/windows/windows-11-specifications). +\* There might be additional requirements over time for updates, and to enable specific features within the operating system. For more information, see [Windows 11 specifications](https://www.microsoft.com/windows/windows-11-specifications). Also see [Update on Windows 11 minimum system requirements](https://blogs.windows.com/windows-insider/2021/06/28/update-on-windows-11-minimum-system-requirements/). From 10aad7f0a310d68776dcfa95b9a4f9f490d8d854 Mon Sep 17 00:00:00 2001 From: greg-lindsay Date: Tue, 29 Jun 2021 23:20:49 -0700 Subject: [PATCH 22/44] fix title --- windows/whats-new/windows-11-requirements.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/whats-new/windows-11-requirements.md b/windows/whats-new/windows-11-requirements.md index 6f7a2364b6..aa0532e98d 100644 --- a/windows/whats-new/windows-11-requirements.md +++ b/windows/whats-new/windows-11-requirements.md @@ -19,7 +19,7 @@ ms.custom: seo-marvel-apr2020 **Applies to** -- Windows 11 +- Windows 11 This article lists the system requirements for Windows 11. Windows 11 is also supported on a virtual machine (VM). From 94a34870288fe792549bdf36e7cdd23aa80abc91 Mon Sep 17 00:00:00 2001 From: "Boris I. Bendovsky" Date: Wed, 30 Jun 2021 13:15:11 +0300 Subject: [PATCH 23/44] Fix typo --- windows/client-management/troubleshoot-tcpip-port-exhaust.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md index e41c64b649..ca8551b1dd 100644 --- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md +++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md @@ -90,7 +90,7 @@ If you suspect that the machine is in a state of port exhaustion: ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png) -3. Collect a `netstat -anob output` from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. +3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID. ![Screenshot of netstate command output](images/tcp-ts-20.png) @@ -196,4 +196,4 @@ goto loop - [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status -- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) \ No newline at end of file +- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10) From 1f240ce9030c321c989cf994b0f7f0ee66954b19 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 11:58:03 +0100 Subject: [PATCH 24/44] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index fcadb6f4e3..70fa555981 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -602,8 +602,8 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems see Microsoft Edge supported Operating Systems -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see Configure Microsoft Edge policy settings on Windows +> - For details on supported Operating Systems see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). > - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | From f29a09e44a93a349e7d59c8f75aab7761d9b0f1d Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 13:54:30 +0100 Subject: [PATCH 25/44] Update manage-connections-from-windows-operating-system-components-to-microsoft-services.md --- ...ndows-operating-system-components-to-microsoft-services.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 70fa555981..a92f1c32cf 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -602,8 +602,8 @@ For a complete list of the Microsoft Edge policies, see [Microsoft Edge and priv > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. -> - For details on supported Operating Systems see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). -> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). +> - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). +> - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). > - Devices must be domain joined for some of the policies to take effect. | Policy | Group Policy Path | Registry Path | From 4af1dd1bb58d923162ef3ed4bd2db31dd9b6f844 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 14:31:37 +0100 Subject: [PATCH 26/44] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a92f1c32cf..8e4e81d422 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -598,7 +598,7 @@ Alternatively, you can configure the following Registry keys as described: ### 13.2 Microsoft Edge Enterprise -For a complete list of the Microsoft Edge policies, see [Microsoft Edge and privacy: FAQ](https://docs.microsoft.com/en-us/microsoft-edge/deploy/available-policies). +For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). > [!Important] > - The following settings are applicable to Microsoft Edge version 77 or later. From a5b85c2178031c86399f6e13ecad3228660e91e0 Mon Sep 17 00:00:00 2001 From: Sinead O'Sullivan Date: Wed, 30 Jun 2021 14:35:00 +0100 Subject: [PATCH 27/44] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 8e4e81d422..189ace9071 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -600,7 +600,7 @@ Alternatively, you can configure the following Registry keys as described: For a complete list of the Microsoft Edge policies, see [Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge](/microsoft-edge/deploy/available-policies). -> [!Important] +> [!IMPORTANT] > - The following settings are applicable to Microsoft Edge version 77 or later. > - For details on supported Operating Systems, see [Microsoft Edge supported Operating Systems](/deployedge/microsoft-edge-supported-operating-systems). > - These policies require the Microsoft Edge administrative templates to be applied. For more information on administrative templates for Microsoft Edge, see [Configure Microsoft Edge policy settings on Windows](/deployedge/configure-microsoft-edge). From 16c3429dde3ae20c6df12d1880ccd6ca53a2f4d3 Mon Sep 17 00:00:00 2001 From: Brent Kendall Date: Wed, 30 Jun 2021 10:21:55 -0700 Subject: [PATCH 28/44] Update system-guard-secure-launch-and-smm-protection.md Clarified that some Intel fTPMs (technically "integrated" TPMs) are now supported. Intel has had an integrated hardware TPM in its CPUs for a while. It is not usually enabled on. They call it Platform Trust Technology or PTT, and it meets the TPM 2.0 spec. OEMs can use this PTT instead of a discrete TPM. The Core i5-10310U is one of these Comet Lake chips with PTT. --- .../system-guard-secure-launch-and-smm-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 570641d7b7..161f4fd5cc 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -74,7 +74,7 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon|Description| |--------|-----------| |64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported.| +|Trusted Platform Module (TPM) 2.0|Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported, with the exception of Intel chips that support Platform Trust Technology (PTT), which is a type of integrated hardware TPM that meets the TPM 2.0 spec.| |Windows DMA Protection|Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them).| |SMM communication buffers| All SMM communication buffers must be implemented in EfiRuntimeServicesData ,EfiRuntimeServicesCode , EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. | |SMM Page Tables| Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM owned memory).
Must NOT contain any mappings to code sections within EfiRuntimeServicesCode.
Must NOT have execute and write permissions for the same page
Must allow ONLY that TSEG pages can be marked executable and the memory map must report TSEG EfiReservedMemoryType.
BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. | @@ -94,4 +94,4 @@ To verify that Secure Launch is running, use System Information (MSInfo32). Clic |Platform firmware update|System firmware is recommended to be updated via UpdateCapsule in Windows Update. | > [!NOTE] -> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). \ No newline at end of file +> For more details around AMD processors, see [Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10](https://www.microsoft.com/security/blog/2020/09/01/force-firmware-code-to-be-measured-and-attested-by-secure-launch-on-windows-10/). From a1f4a13defbba1e3dfcf717558f65b571115e66a Mon Sep 17 00:00:00 2001 From: mapalko Date: Wed, 30 Jun 2021 14:12:35 -0700 Subject: [PATCH 29/44] add note for hololens support --- windows/client-management/mdm/policy-csp-devicelock.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index 7ab4c6bf71..a77a4a7b4f 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -757,7 +757,7 @@ PIN enforces the following behavior for desktop and mobile devices: - 1 - Digits only - 2 - Digits and lowercase letters are required - 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop. +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or Hololens. The default value is 1. The following list shows the supported values and actual enforced values: From b937fdf6257ab9c4d561a044765925497305407c Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Wed, 30 Jun 2021 15:15:40 -0700 Subject: [PATCH 30/44] =?UTF-8?q?Acrolinx/branding:=20"Hololens"=20=C3=97?= =?UTF-8?q?=202?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- windows/client-management/mdm/policy-csp-devicelock.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md index a77a4a7b4f..730e173e27 100644 --- a/windows/client-management/mdm/policy-csp-devicelock.md +++ b/windows/client-management/mdm/policy-csp-devicelock.md @@ -114,7 +114,7 @@ manager: dansimp > [!NOTE] -> Currently, this policy is supported only in HoloLens 2, Hololens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. +> Currently, this policy is supported only in HoloLens 2, HoloLens (1st gen) Commercial Suite, and HoloLens (1st gen) Development Edition. Specifies whether the user must input a PIN or password when the device resumes from an idle state. @@ -757,7 +757,7 @@ PIN enforces the following behavior for desktop and mobile devices: - 1 - Digits only - 2 - Digits and lowercase letters are required - 3 - Digits, lowercase letters, and uppercase letters are required. Not supported in desktop Microsoft accounts and domain accounts. -- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or Hololens. +- 4 - Digits, lowercase letters, uppercase letters, and special characters are required. Not supported in desktop or HoloLens. The default value is 1. The following list shows the supported values and actual enforced values: @@ -1128,4 +1128,4 @@ Footnotes: - 7 - Available in Windows 10, version 1909. - 8 - Available in Windows 10, version 2004. - \ No newline at end of file + From bbef9b3f23a7182467866c5df90bd7e1394425b6 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Wed, 30 Jun 2021 16:16:50 -0700 Subject: [PATCH 31/44] Update reqs-md-app-guard.md Removed reference to Internet Explorer as a system requirement --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 0c9b491dc5..44f32cf759 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions. | -|Browser|Microsoft Edge and Internet Explorer| +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 542eaaa383f9e87fcc1c2606bb8ffd70fcb8eb33 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 1 Jul 2021 16:14:08 +0530 Subject: [PATCH 32/44] typo correction as per user report #9766, so i corrected the word from **changed** to **cached** --- ...e-of-passwords-and-credentials-for-network-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index b22b8e05fe..18fe88ca82 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -92,7 +92,7 @@ Overwriting the administrator's password does not help the attacker access data Enable the **Network access: Do not allow storage of passwords and credentials for network authentication** setting. -To limit the number of changed domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. +To limit the number of cached domain credentials that are stored on the computer, set the **cachedlogonscount** registry entry. By default, the operating system caches the verifier for each unique user's ten most recent valid logons. This value can be set to any value between 0 and 50. By default, all versions of the Windows operating system remember 10 cached logons, except Windows Server 2008 and later, which are set at 25. When you try to log on to a domain from a Windows-based client device, and a domain controller is unavailable, you do not receive an error message. Therefore, you may not notice that you logged on with cached domain credentials. You can set a notification of logon that uses cached domain credentials with the ReportDC registry entry. From 27d7a9cd02f932d40e6a5e722d6671092f8117e4 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Thu, 1 Jul 2021 18:01:38 +0530 Subject: [PATCH 33/44] Update windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md Co-authored-by: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 44f32cf759..18349a4197 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition, version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | |Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 6b4189fe304824b70c61b4681204524fb39eabd3 Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Thu, 1 Jul 2021 08:24:35 -0700 Subject: [PATCH 34/44] Update reqs-md-app-guard.md --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 18349a4197..8bf5dfc2f6 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -40,6 +40,6 @@ Your environment needs the following software to run Microsoft Defender Applicat |Software|Description| |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition, version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +|Operating system|Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | |Browser|Microsoft Edge| |Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| From 974b5a5b213a9aba86d1aae0b77b1efbb0ebdea9 Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 1 Jul 2021 21:33:13 +0530 Subject: [PATCH 35/44] typo correction as per user report issue #9768 , so i corrected **sevices** to **services** Also i conformed this article is applies to Windows 11 too --- .../applocker/configure-the-application-identity-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 610728b4d6..86e25cc2f6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -46,7 +46,7 @@ Membership in the local **Administrators** group, or equivalent, is the minimum 2. Click the **Services** tab, right-click **AppIDSvc**, and then click **Start Service**. 3. Verify that the status for the Application Identity service is **Running**. -Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Sevices snap-in. Try either of these methods instead: +Starting with Windows 10, the Application Identity service is now a protected process. Because of this, you can no longer manually set the service **Startup type** to **Automatic** by using the Services snap-in. Try either of these methods instead: - Open an elevated command prompt or PowerShell session and type: From 0c5bca15f4e3f1a61081ba329beb61a8572808a6 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:50:54 -0700 Subject: [PATCH 36/44] Update reqs-md-app-guard.md --- .../reqs-md-app-guard.md | 28 ++++++++++--------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 8bf5dfc2f6..6c335a409f 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -8,7 +8,7 @@ ms.pagetype: security ms.localizationpriority: medium author: denisebmsft ms.author: deniseb -ms.date: 02/11/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -25,21 +25,23 @@ The threat landscape is continually evolving. While hackers are busy developing > Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host. ## Hardware requirements -Your environment needs the following hardware to run Microsoft Defender Application Guard. -|Hardware|Description| +Your environment must have the following hardware to run Microsoft Defender Application Guard. + +| Hardware | Description | |--------|-----------| -|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| -|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**-AND-**

One of the following virtualization extensions for VBS:

VT-x (Intel)

**-OR-**

AMD-V| -|Hardware memory|Microsoft requires a minimum of 8GB RAM| -|Hard disk|5 GB free space, solid state disk (SSD) recommended| -|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended| +| 64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).| +| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**AND**

One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V | +| Hardware memory | Microsoft requires a minimum of 8GB RAM | +| Hard disk | 5 GB free space, solid state disk (SSD) recommended | +| Input/Output Memory Management Unit (IOMMU) support| Not required, but strongly recommended | ## Software requirements -Your environment needs the following software to run Microsoft Defender Application Guard. -|Software|Description| + Your environment must have the following software to run Microsoft Defender Application Guard. + +| Software | Description | |--------|-----------| -|Operating system|Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | -|Browser|Microsoft Edge| -|Management system
(only for managed devices)|[Microsoft Intune](/intune/)

**-OR-**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**-OR-**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**-OR-**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.| +| Operating system | Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Browser | Microsoft Edge | +| Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. | From e34a92f88a10af53856b753b775b2bbca415266f Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:52:41 -0700 Subject: [PATCH 37/44] Update configure-the-application-identity-service.md --- .../applocker/configure-the-application-identity-service.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 86e25cc2f6..83c7422028 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/02/2018 +ms.date: 07/01/2021 ms.technology: mde --- From 24a79df6c5320bc8da53ba92af570b68a761d4db Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:53:39 -0700 Subject: [PATCH 38/44] Update network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md --- ...e-of-passwords-and-credentials-for-network-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md index 18fe88ca82..8cdbdc9908 100644 --- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md +++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md @@ -14,7 +14,7 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 04/19/2017 +ms.date: 07/01/2021 ms.technology: mde --- From 7a6aac68889f4fc06748e6f110749369ee86acd2 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 09:55:20 -0700 Subject: [PATCH 39/44] Update system-guard-secure-launch-and-smm-protection.md --- .../system-guard-secure-launch-and-smm-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 161f4fd5cc..093a5713c8 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 12/28/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.author: dansimp From 65a9dbe20edd26f69af0083803c10263abfce039 Mon Sep 17 00:00:00 2001 From: Denise Vangel-MSFT Date: Thu, 1 Jul 2021 11:08:09 -0700 Subject: [PATCH 40/44] Update system-guard-secure-launch-and-smm-protection.md --- .../system-guard-secure-launch-and-smm-protection.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md index 570641d7b7..12930a5921 100644 --- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md +++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md @@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: dansimp -ms.date: 12/28/2020 +ms.date: 07/01/2021 ms.reviewer: manager: dansimp ms.author: dansimp @@ -38,7 +38,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM) 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**. - ![Secure Launch Group Policy](images/secure-launch-group-policy.png) + ![Secure Launch Configuration](images/secure-launch-group-policy.png) ### Windows Security Center @@ -64,7 +64,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** > To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**. -![Windows Security Center](images/secure-launch-msinfo.png) +![Verifying Secure Launch is running in the Windows Security Center](images/secure-launch-msinfo.png) > [!NOTE] > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs). From 62a35d4bd272e9f029889ccbac808b56d8637234 Mon Sep 17 00:00:00 2001 From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com> Date: Thu, 1 Jul 2021 11:28:16 -0700 Subject: [PATCH 41/44] Update defender-csp.md @denisebmsft some additions --- windows/client-management/mdm/defender-csp.md | 44 ++++++++++++++++--- 1 file changed, 39 insertions(+), 5 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 97561119e4..15b3e6a372 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -62,6 +62,7 @@ Defender --------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) --------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) --------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release) +--------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release) ----Scan ----UpdateSignature ----OfflineScan (Added in Windows 10 version 1803) @@ -524,8 +525,7 @@ More details: - [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data) - [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -**Configuration/PlatformUpdatesChannel** - +**Configuration/PlatformUpdatesChannel** Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. @@ -549,8 +549,12 @@ Valid values are: - 3: Current Channel (Staged) - 4: Current Channel (Broad) -**Configuration/EngineUpdatesChannel** +More details: +- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) +- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) + +**Configuration/EngineUpdatesChannel** Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout. Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices. @@ -574,8 +578,12 @@ Valid values are: - 3 - Current Channel (Staged) - 4 - Current Channel (Broad) -**Configuration/SignaturesUpdatesChannel** +More details: +- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) +- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) + +**Configuration/DefinitionUpdatesChannel** Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout. Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%). @@ -590,6 +598,32 @@ Valid Values are: - 3: Current Channel (Staged) - 4: Current Channel (Broad) +More details: + +- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) +- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) + +**Configuration/DisableGradualRelease** +Enable this policy to disable gradual rollout of monthly and daily Defender updates. +Devices will be offered all Defender updates after the gradual release cycle completes. Best for datacenter machines that only receive limited updates. + +Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. + +If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. + +The data type is integer. + +Supported operations are Add, Delete, Get, Replace. + +Valid values are: +• 1 – Enabled. +• 0 (default) – Not Configured. + +More details: + +- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout) +- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) + **Scan** Node that can be used to start a Windows Defender scan on a device. @@ -611,4 +645,4 @@ Supported operations are Get and Execute. ## Related topics -[Configuration service provider reference](configuration-service-provider-reference.md) \ No newline at end of file +[Configuration service provider reference](configuration-service-provider-reference.md) From d35efcdadfc0bee35b3d35eb9dff74abff3c12a5 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Thu, 1 Jul 2021 11:50:54 -0700 Subject: [PATCH 42/44] Update defender-csp.md --- windows/client-management/mdm/defender-csp.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md index 15b3e6a372..c66d28ae30 100644 --- a/windows/client-management/mdm/defender-csp.md +++ b/windows/client-management/mdm/defender-csp.md @@ -604,10 +604,11 @@ More details: - [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates) **Configuration/DisableGradualRelease** -Enable this policy to disable gradual rollout of monthly and daily Defender updates. -Devices will be offered all Defender updates after the gradual release cycle completes. Best for datacenter machines that only receive limited updates. +Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates. +Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This is best for datacenters that only receive limited updates. -Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates. +> [!NOTE] +> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates. If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices. From c2ce37df79e3beb031ad86a038b38be6d6ac11ad Mon Sep 17 00:00:00 2001 From: Gary Moore Date: Thu, 1 Jul 2021 15:19:56 -0700 Subject: [PATCH 43/44] Fix broken note The asterisks were rendered in preview. --- .../audit-audit-the-access-of-global-system-objects.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md index 4015f85f3f..9f9a154800 100644 --- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md +++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md @@ -98,7 +98,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf | - | - | | 560 | Access was granted to an already existing object. | | 562 | A handle to an object was closed. | -| 563 | An attempt was made to open an object with the intent to delete it.
**Note: **This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() | +| 563 | An attempt was made to open an object with the intent to delete it.
**Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() | | 564 | A protected object was deleted. | | 565 | Access was granted to an already existing object type. | | 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. | From 67223e7719814809d217487105a21aaf2d6250dd Mon Sep 17 00:00:00 2001 From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com> Date: Fri, 2 Jul 2021 09:36:53 -0700 Subject: [PATCH 44/44] Update reqs-md-app-guard.md --- .../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md index 6c335a409f..a54f8667cd 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md @@ -42,6 +42,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl | Software | Description | |--------|-----------| -| Operating system | Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | +| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. | | Browser | Microsoft Edge | | Management system
(only for managed devices)| [Microsoft Intune](/intune/)

**OR**

[Microsoft Endpoint Configuration Manager](/configmgr/)

**OR**

[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))

**OR**

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. |