Date: Thu, 1 Jul 2021 09:50:54 -0700
Subject: [PATCH 36/44] Update reqs-md-app-guard.md
---
.../reqs-md-app-guard.md | 28 ++++++++++---------
1 file changed, 15 insertions(+), 13 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 8bf5dfc2f6..6c335a409f 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
-ms.date: 02/11/2020
+ms.date: 07/01/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@@ -25,21 +25,23 @@ The threat landscape is continually evolving. While hackers are busy developing
> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
-Your environment needs the following hardware to run Microsoft Defender Application Guard.
-|Hardware|Description|
+Your environment must have the following hardware to run Microsoft Defender Application Guard.
+
+| Hardware | Description |
|--------|-----------|
-|64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
-|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_
**-AND-**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**-OR-**
AMD-V|
-|Hardware memory|Microsoft requires a minimum of 8GB RAM|
-|Hard disk|5 GB free space, solid state disk (SSD) recommended|
-|Input/Output Memory Management Unit (IOMMU) support|Not required, but strongly recommended|
+| 64-bit CPU|A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
+| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_ **AND**
One of the following virtualization extensions for VBS:
VT-x (Intel)
**OR**
AMD-V |
+| Hardware memory | Microsoft requires a minimum of 8GB RAM |
+| Hard disk | 5 GB free space, solid state disk (SSD) recommended |
+| Input/Output Memory Management Unit (IOMMU) support| Not required, but strongly recommended |
## Software requirements
-Your environment needs the following software to run Microsoft Defender Application Guard.
-|Software|Description|
+ Your environment must have the following software to run Microsoft Defender Application Guard.
+
+| Software | Description |
|--------|-----------|
-|Operating system|Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. |
-|Browser|Microsoft Edge|
-|Management system
(only for managed devices)|[Microsoft Intune](/intune/)
**-OR-**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**-OR-**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**-OR-**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
+| Operating system | Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. |
+| Browser | Microsoft Edge |
+| Management system
(only for managed devices)| [Microsoft Intune](/intune/)
**OR**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. |
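Review bot: as shown in this hunk, the reflowed `+| CPU virtualization extensions|...` row still continues onto the `One of the following virtualization extensions for VBS:`, `VT-x (Intel)`, `**OR**` and `AMD-V |` lines, and the `+| Management system` row likewise continues onto `(only for managed devices)| [Microsoft Intune](/intune/)`; a GFM table row must sit on one source line, so these cells will not render inside the table unless the line breaks are `<br>` tags (if the source has `<br>` tags that were dropped in this view, ignore this point, but check the rendered preview). Two smaller points: the added line `+ Your environment must have the following software to run Microsoft Defender Application Guard.` has a leading space that its hardware counterpart does not, and `8GB RAM` should be `8 GB RAM` to match `5 GB free space` in the next row.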
From e34a92f88a10af53856b753b775b2bbca415266f Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 1 Jul 2021 09:52:41 -0700
Subject: [PATCH 37/44] Update configure-the-application-identity-service.md
---
.../applocker/configure-the-application-identity-service.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
index 86e25cc2f6..83c7422028 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/02/2018
+ms.date: 07/01/2021
ms.technology: mde
---
From 24a79df6c5320bc8da53ba92af570b68a761d4db Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 1 Jul 2021 09:53:39 -0700
Subject: [PATCH 38/44] Update
network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
---
...e-of-passwords-and-credentials-for-network-authentication.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
index 18fe88ca82..8cdbdc9908 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md
@@ -14,7 +14,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 07/01/2021
ms.technology: mde
---
From 7a6aac68889f4fc06748e6f110749369ee86acd2 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 1 Jul 2021 09:55:20 -0700
Subject: [PATCH 39/44] Update system-guard-secure-launch-and-smm-protection.md
---
.../system-guard-secure-launch-and-smm-protection.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 161f4fd5cc..093a5713c8 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
-ms.date: 12/28/2020
+ms.date: 07/01/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
From 65a9dbe20edd26f69af0083803c10263abfce039 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Thu, 1 Jul 2021 11:08:09 -0700
Subject: [PATCH 40/44] Update system-guard-secure-launch-and-smm-protection.md
---
.../system-guard-secure-launch-and-smm-protection.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 570641d7b7..12930a5921 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
-ms.date: 12/28/2020
+ms.date: 07/01/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -38,7 +38,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
- 
+ 
### Windows Security Center
@@ -64,7 +64,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
-
+
> [!NOTE]
> To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
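Review bot: the removed and added lines in this hunk (and in the previous hunk after the Secure Launch Configuration step) appear empty here, so the actual change is not visible in the diff; if these are image path or alt-text edits, stating that in the commit message would let a reviewer confirm the referenced asset exists in the repo.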
From 62a35d4bd272e9f029889ccbac808b56d8637234 Mon Sep 17 00:00:00 2001
From: Paul Huijbregts <30799281+pahuijbr@users.noreply.github.com>
Date: Thu, 1 Jul 2021 11:28:16 -0700
Subject: [PATCH 41/44] Update defender-csp.md
@denisebmsft some additions
---
windows/client-management/mdm/defender-csp.md | 44 ++++++++++++++++---
1 file changed, 39 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 97561119e4..15b3e6a372 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -62,6 +62,7 @@ Defender
--------PlatformUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
--------EngineUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
--------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)
+--------DisableGradualRelease (Added with the 4.18.2106.5 Defender platform release)
----Scan
----UpdateSignature
----OfflineScan (Added in Windows 10 version 1803)
@@ -524,8 +525,7 @@ More details:
- [Microsoft Defender Antivirus diagnostic data](/microsoft-365/security/defender-endpoint/collect-diagnostic-data)
- [Collect investigation package from devices](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices)
-**Configuration/PlatformUpdatesChannel**
-
+**Configuration/PlatformUpdatesChannel**
Enable this policy to specify when devices receive Microsoft Defender platform updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
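Review bot: removing the blank line between `**Configuration/PlatformUpdatesChannel**` and `Enable this policy to specify when devices receive Microsoft Defender platform updates...` merges the bold pseudo-heading into the description paragraph, since a single newline is a soft break in Markdown rather than a paragraph boundary. Keep a blank line after the bold line, or better, make each `Configuration/...` setting a real heading so it renders on its own line and gets a link anchor.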
@@ -549,8 +549,12 @@ Valid values are:
- 3: Current Channel (Staged)
- 4: Current Channel (Broad)
-**Configuration/EngineUpdatesChannel**
+More details:
+- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
+- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
+
+**Configuration/EngineUpdatesChannel**
Enable this policy to specify when devices receive Microsoft Defender engine updates during the monthly gradual rollout.
Beta Channel: Devices set to this channel will be the first to receive new updates. Select Beta Channel to participate in identifying and reporting issues to Microsoft. Devices in the Windows Insider Program are subscribed to this channel by default. For use in (manual) test environments only and a limited number of devices.
@@ -574,8 +578,12 @@ Valid values are:
- 3 - Current Channel (Staged)
- 4 - Current Channel (Broad)
-**Configuration/SignaturesUpdatesChannel**
+More details:
+- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
+- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
+
+**Configuration/DefinitionUpdatesChannel**
Enable this policy to specify when devices receive daily Microsoft Defender definition updates during the daily gradual rollout.
Current Channel (Broad): Devices will be offered updates only after the gradual release cycle completes. Suggested to apply to a broad set of devices in your production population (~10-100%).
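Review bot: this hunk renames the heading from `**Configuration/SignaturesUpdatesChannel**` to `**Configuration/DefinitionUpdatesChannel**`, but the node tree at the top of the file (first hunk, `--------SignaturesUpdatesChannel (Added with the 4.18.2106.5 Defender platform release)`) still lists the old name, so the page now documents two different node names for one setting. Confirm which name the CSP actually exposes and use it in both places.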
@@ -590,6 +598,32 @@ Valid Values are:
- 3: Current Channel (Staged)
- 4: Current Channel (Broad)
+More details:
+
+- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
+- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
+
+**Configuration/DisableGradualRelease**
+Enable this policy to disable gradual rollout of monthly and daily Defender updates.
+Devices will be offered all Defender updates after the gradual release cycle completes. Best for datacenter machines that only receive limited updates.
+
+Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates.
+
+If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
+
+The data type is integer.
+
+Supported operations are Add, Delete, Get, Replace.
+
+Valid values are:
+• 1 – Enabled.
+• 0 (default) – Not Configured.
+
+More details:
+
+- [Manage the gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/manage-gradual-rollout)
+- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
+
**Scan**
Node that can be used to start a Windows Defender scan on a device.
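Review bot: the `Valid values are:` list for DisableGradualRelease uses `•` bullets and en dashes (`• 1 – Enabled.`, `• 0 (default) – Not Configured.`) where the neighbouring channel settings use Markdown `-` bullets with a colon (`- 4: Current Channel (Broad)`); `•` is not a list marker in Markdown, so these two items render as one run-on paragraph. Use `- 1: Enabled` and `- 0 (default): Not Configured`. The plain `Note: This setting applies...` paragraph should use the `> [!NOTE]` callout that the rest of these pages use, and the tail of the default-behaviour paragraph (`Stay up to date automatically during the gradual release cycle. Suitable for most devices.`) is a pair of fragments copied from the channel descriptions; fold them into the preceding sentence.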
@@ -611,4 +645,4 @@ Supported operations are Get and Execute.
## Related topics
-[Configuration service provider reference](configuration-service-provider-reference.md)
\ No newline at end of file
+[Configuration service provider reference](configuration-service-provider-reference.md)
From d35efcdadfc0bee35b3d35eb9dff74abff3c12a5 Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Thu, 1 Jul 2021 11:50:54 -0700
Subject: [PATCH 42/44] Update defender-csp.md
---
windows/client-management/mdm/defender-csp.md | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/windows/client-management/mdm/defender-csp.md b/windows/client-management/mdm/defender-csp.md
index 15b3e6a372..c66d28ae30 100644
--- a/windows/client-management/mdm/defender-csp.md
+++ b/windows/client-management/mdm/defender-csp.md
@@ -604,10 +604,11 @@ More details:
- [Create a custom gradual rollout process for Microsoft Defender updates](/microsoft-365/security/defender-endpoint/configure-updates)
**Configuration/DisableGradualRelease**
-Enable this policy to disable gradual rollout of monthly and daily Defender updates.
-Devices will be offered all Defender updates after the gradual release cycle completes. Best for datacenter machines that only receive limited updates.
+Enable this policy to disable gradual rollout of monthly and daily Microsoft Defender updates.
+Devices will be offered all Microsoft Defender updates after the gradual release cycle completes. This is best for datacenters that only receive limited updates.
-Note: This setting applies to both monthly as well as daily Defender updates and will override any previously configured channel selections for platform and engine updates.
+> [!NOTE]
+> This setting applies to both monthly as well as daily Microsoft Defender updates and will override any previously configured channel selections for platform and engine updates.
If you disable or do not configure this policy, the device will remain in Current Channel (Default) unless specified otherwise in specific channels for platform and engine updates. Stay up to date automatically during the gradual release cycle. Suitable for most devices.
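Review bot: `This is best for datacenters that only receive limited updates.` changes the subject from machines to datacenters; the wording it replaces (`datacenter machines`) had the right subject, so prefer `This is best for datacenter machines that receive only limited updates.` The unchanged paragraph at the end of this hunk still ends with the fragments `Stay up to date automatically during the gradual release cycle. Suitable for most devices.`, which read as dangling here since this setting is about opting out of the gradual cycle; worth fixing while this section is being edited.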
From c2ce37df79e3beb031ad86a038b38be6d6ac11ad Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Thu, 1 Jul 2021 15:19:56 -0700
Subject: [PATCH 43/44] Fix broken note
The asterisks were rendered in preview.
---
.../audit-audit-the-access-of-global-system-objects.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
index 4015f85f3f..9f9a154800 100644
--- a/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
+++ b/windows/security/threat-protection/security-policy-settings/audit-audit-the-access-of-global-system-objects.md
@@ -98,7 +98,7 @@ If the [Audit Kernel Object](../auditing/audit-kernel-object.md) setting is conf
| - | - |
| 560 | Access was granted to an already existing object. |
| 562 | A handle to an object was closed. |
-| 563 | An attempt was made to open an object with the intent to delete it.
**Note: **This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
+| 563 | An attempt was made to open an object with the intent to delete it.
**Note:** This is used by file systems when the FILE_DELETE_ON_CLOSE flag is specified in Createfile() |
| 564 | A protected object was deleted. |
| 565 | Access was granted to an already existing object type. |
| 567 | A permission associated with a handle was used.
**Note:** A handle is created with certain granted permissions (Read, Write, and so on). When the handle is used, up to one audit is generated for each of the permissions that was used. |
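Review bot: while correcting the bold marker in the event 563 row, `Createfile()` should be `CreateFile()`, the actual Win32 API name. Also, the 563 and 567 rows continue onto a second source line for their `**Note:**` text, and a table cell only renders across a visual line break if that break is a `<br>`; since the commit message says the asterisks rendered in preview, check the preview of the whole row as well, not just the note marker.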
From 67223e7719814809d217487105a21aaf2d6250dd Mon Sep 17 00:00:00 2001
From: Sunny Zankharia <67922512+sazankha@users.noreply.github.com>
Date: Fri, 2 Jul 2021 09:36:53 -0700
Subject: [PATCH 44/44] Update reqs-md-app-guard.md
---
.../microsoft-defender-application-guard/reqs-md-app-guard.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
index 6c335a409f..a54f8667cd 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard.md
@@ -42,6 +42,6 @@ Your environment must have the following hardware to run Microsoft Defender Appl
| Software | Description |
|--------|-----------|
-| Operating system | Windows 10 Enterprise edition, version 1805 or higher
Windows 10 Professional edition, version 1805 or higher
Windows 10 Professional for Workstations edition, version 1805 or higher
Windows 10 Professional Education edition, version 1805 or higher
Windows 10 Education edition, version 1805 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. |
+| Operating system | Windows 10 Enterprise edition, version 1809 or higher
Windows 10 Professional edition, version 1809 or higher
Windows 10 Professional for Workstations edition, version 1809 or higher
Windows 10 Professional Education edition, version 1809 or higher
Windows 10 Education edition, version 1809 or higher
Professional editions are only supported for non-managed devices; Intune or any other 3rd party mobile device management (MDM) solutions are not supported with MDAG for Professional editions. |
| Browser | Microsoft Edge |
| Management system
(only for managed devices)| [Microsoft Intune](/intune/) **OR**
[Microsoft Endpoint Configuration Manager](/configmgr/)
**OR**
[Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11))
**OR**
Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. |
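Review bot: the change from 1805 to 1809 is right in that there was never a Windows 10 version 1805 (the releases on either side are 1803 and 1809); confirm 1809 is the intended minimum for all five editions and that no other page in this series still cites 1805 for Application Guard. In the trailing context, the Management system cell now has `[Microsoft Intune](/intune/) **OR**` on one line while the remaining alternatives each have `**OR**` on its own line; make the layout consistent across the four options.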