deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-15 18:33:43 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'main' into patch-4

Browse Source
This commit is contained in:
Paolo Matarazzo
2022-09-23 17:18:00 -04:00
committed by GitHub
parent 863dc783ba f9b1e8a7fd
commit d7f5233fea
306 changed files with 1829 additions and 1072 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
windows/client-management/mdm/laps-csp.md
View File

@ -2,14 +2,14 @@
title: Local Administrator Password Solution CSP
description: Learn how the Local Administrator Password Solution configuration service provider (CSP) is used by the enterprise to manage backup of local administrator account passwords.
ms.author: jsimmons
ms.topic: article
ms.prod: w11
ms.technology: windows
author: jsimmons
author: jay98014
ms.reviewer: vinpa
manager: aaroncz
ms.topic: reference
ms.prod: windows-client
ms.technology: itpro-manage
ms.localizationpriority: medium
ms.date: 07/04/2022
ms.reviewer: jsimmons
manager: jsimmons
ms.date: 09/20/2022
---
# Local Administrator Password Solution CSP
@ -19,6 +19,9 @@ The Local Administrator Password Solution (LAPS) configuration service provider
> [!IMPORTANT]
> Windows LAPS is currently only available in Windows Insider builds as of 25145 and later. Support for the Windows LAPS Azure AD scenario is currently limited to a small group of Windows Insiders.
> [!TIP]
> This article covers the specific technical details of the LAPS CSP. For more information about the scenarios in which the LAPS CSP would be used, see [Windows Local Administrator Password Solution](/windows-server/identity/laps/laps).
The following example shows the LAPS CSP in tree format.
```xml
@ -231,7 +234,7 @@ Supported operations are Add, Get, Replace, and Delete.
<!--Policy-->
### PasswordExpirationProtectionEnabled
<!--Description-->
Use this setting to configure additional enforcement of maximum password age for the managed local administrator account.
Use this setting to configure enforcement of maximum password age for the managed local administrator account.
<!--/Description-->
<!--SupportedSKUs-->
@ -758,3 +761,5 @@ This example is configuring a hybrid device to back up its password to Active Di
## Related articles
[Configuration service provider reference](configuration-service-provider-reference.md)
[Windows LAPS](/windows-server/identity/laps/laps)

42
windows/client-management/mdm/passportforwork-csp.md
View File

@ -83,7 +83,8 @@ PassportForWork
-------UseBiometrics
-------Biometrics
----------UseBiometrics
----------FacialFeatureUse
----------FacialFeaturesUseEnhancedAntiSpoofing
----------EnableESSwithSupportedPeripherals
-------DeviceUnlock
----------GroupA
----------GroupB
@ -286,8 +287,6 @@ Boolean value used to enable or disable the use of biometric gestures, such as f
Default value is true, enabling the biometric gestures for use with Windows Hello for Business. If you set this policy to false, biometric gestures are disabled for use with Windows Hello for Business.
Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
@ -305,6 +304,26 @@ Supported operations are Add, Get, Delete, and Replace.
*Not supported on Windows Holographic and Windows Holographic for Business prior to Windows 10 version 1903 (May 2019 Update).*
<a href="" id="biometrics-enableESSwithSupportedPeripherals--only-for---device-vendor-msft-"></a>**Biometrics/EnableESSwithSupportedPeripherals** (only for ./Device/Vendor/MSFT)
If this policy is enabled, Windows Hello authentication using peripheral biometric sensors will be blocked. Any non-authentication operational functionalities such as camera usage (for instance, video calls and the camera) will be unaffected.
If you enable this policy it can have the following possible values:
**0 - Enhanced Sign-in Security Disabled** (not recommended)
Enhanced sign-in security will be disabled on all systems, enabling the use of peripheral biometric authentication. If this policy value is set to 0 after users have enrolled in ESS biometrics, users will be prompted to reset their PIN. They will lose all their existing biometric enrollments. To use biometrics they will have to enroll again.
**1 - Enhanced Sign-in Security Enabled** (default and recommended for highest security)
Enhanced sign-in security will be enabled on systems with capable software and hardware, following the existing default behavior in Windows. Authentication operations of any biometric device that Enhanced Sign-in Security does not support, including that of peripheral devices, will be blocked and not available for Windows Hello.
If you disable or do not configure this policy, Enhanced Sign-in Security is preferred on the device. The behavior will be the same as enabling the policy and setting the value to 1.
Supported operations are Add, Get, Delete, and Replace.
*Supported from Windows 11 version 22H2*
<a href="" id="deviceunlock"></a>**DeviceUnlock** (only for ./Device/Vendor/MSFT)
Added in Windows 10, version 1803. Interior node.
@ -551,7 +570,7 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
<Data>true</Data>
</Item>
</Add>
<Add>
<Add>
<CmdID>15</CmdID>
<Item>
<Target>
@ -566,6 +585,21 @@ Here's an example for setting Windows Hello for Business and setting the PIN pol
<Data>true</Data>
</Item>
</Add>
<Add>
<CmdID>16</CmdID>
<Item>
<Target>
<LocURI>
./Vendor/MSFT/PassportForWork/Biometrics/EnableESSwithSupportedPeripherals
</LocURI>
</Target>
<Meta>
<Format xmlns="syncml:metinf">int</Format>
<Type>text/plain</Type>
</Meta>
<Data>0</Data>
</Item>
</Add>
<Final/>
</SyncBody>
</SyncML>

6
windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
View File

@ -70,19 +70,13 @@ Universal apps that you can distribute in the provisioning package can be line-o
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
![details for offline app package.](../images/uwp-family.png)
3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
![required frameworks for offline app package.](../images/uwp-dependencies.png)
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Microsoft Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
![generate license for offline app.](../images/uwp-license.png)
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.

5
windows/configuration/provisioning-packages/provision-pcs-with-apps.md
View File

@ -85,19 +85,14 @@ Universal apps that you can distribute in the provisioning package can be line-o
2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
![details for offline app package.](../images/uwp-family.png)
3. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
4. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
![required frameworks for offline app package.](../images/uwp-dependencies.png)
5. For **DeviceContextAppLicense**, enter the **LicenseProductID**.
- In Microsoft Store for Business, generate the unencoded license for the app on the app's download page.
![generate license for offline app.](../images/uwp-license.png)
- Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**.

6
windows/deployment/update/update-compliance-configuration-manual.md
View File

@ -1,11 +1,11 @@
---
title: Manually configuring devices for Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Manually configuring devices for Update Compliance
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article

40
windows/deployment/update/update-compliance-configuration-mem.md
View File

@ -1,11 +1,11 @@
---
title: Configuring Microsoft Endpoint Manager devices for Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Configuring devices that are enrolled in Endpoint Manager for Update Compliance
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
@ -21,62 +21,64 @@ ms.topic: article
This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps:
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll, that contains settings for all the MDM policies that must be configured.
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. You can learn more about this in the broad section on [enrolling devices to Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance).
> [!TIP]
> If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
## Create a configuration profile
Take the following steps to create a configuration profile that will set required policies for Update Compliance:
1. Go to the Admin portal in Endpoint Manager and navigate to **Devices/Windows/Configuration profiles**.
2. On the **Configuration profiles** view, select **Create a profile**.
3. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
4. For **Template name**, select **Custom**, and then press **Create**.
5. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
6. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
1. On the **Configuration profiles** view, select **Create a profile**.
1. Select **Platform**="Windows 10 and later" and **Profile type**="Templates".
1. For **Template name**, select **Custom**, and then press **Create**.
1. You are now on the Configuration profile creation screen. On the **Basics** tab, give a **Name** and **Description**.
1. On the **Configuration settings** page, you will be adding multiple OMA-URI Settings that correspond to the policies described in [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md).
1. If you don't already have it, get your Commercial ID. For steps, see [Get your CommmercialID](update-compliance-get-started.md#get-your-commercialid).
2. Add a setting for **Commercial ID** with the following values:
1. Add a setting for **Commercial ID** with the following values:
- **Name**: Commercial ID
- **Description**: Sets the Commercial ID that corresponds to the Update Compliance Log Analytics workspace.
- **OMA-URI**: `./Vendor/MSFT/DMClient/Provider/ProviderID/CommercialID`
- **Data type**: String
- **Value**: *Set this to your Commercial ID*
2. Add a setting configuring the **Windows Diagnostic Data level** for devices:
1. Add a setting configuring the **Windows Diagnostic Data level** for devices:
- **Name**: Allow Telemetry
- **Description**: Sets the maximum allowed diagnostic data to be sent to Microsoft, required for Update Compliance.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowTelemetry`
- **Data type**: Integer
- **Value**: 1 (*all that is required is 1, but it can be safely set to a higher value*).
3. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance:
1. (*Recommended, but not required*) Add a setting for **disabling devices' Diagnostic Data opt-in settings interface**. If this is not disabled, users of each device can potentially override the diagnostic data level of devices such that data will not be available for those devices in Update Compliance:
- **Name**: Disable Telemetry opt-in interface
- **Description**: Disables the ability for end-users of devices can adjust diagnostic data to levels lower than defined by the Allow Telemetry setting.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/ConfigureTelemetryOptInSettingsUx`
- **Data type**: Integer
- **Value**: 1
4. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
1. Add a setting to **Allow device name in diagnostic data**; otherwise, there will be no device name in Update Compliance:
- **Name**: Allow device name in Diagnostic Data
- **Description**: Allows device name in Diagnostic Data.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowDeviceNameInDiagnosticData`
- **Data type**: Integer
- **Value**: 1
5. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
1. Add a setting to **Allow Update Compliance processing**; this policy is required for Update Compliance:
- **Name**: Allow Update Compliance Processing
- **Description**: Opts device data into Update Compliance processing. Required to see data.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowUpdateComplianceProcessing`
- **Data type**: Integer
- **Value**: 16
6. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
1. Add a setting to **Allow commercial data pipeline**; this policy is required for Update Compliance:
- **Name**: Allow commercial data pipeline
- **Description**: Configures Microsoft to be the processor of the Windows diagnostic data collected from an Azure Active Directory-joined device.
- **OMA-URI**: `./Vendor/MSFT/Policy/Config/System/AllowCommercialDataPipeline`
- **Data type**: Integer
- **Value**: 1
7. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
8. Review and select **Create**.
1. Proceed through the next set of tabs **Scope tags**, **Assignments**, and **Applicability Rules** to assign the configuration profile to devices you wish to enroll.
1. Review and select **Create**.
## Deploy the configuration script
The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
The [Update Compliance Configuration Script](update-compliance-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in Pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in Deployment mode as a Win32 app to all Update Compliance devices.

2
windows/deployment/update/update-compliance-configuration-script.md
View File

@ -1,7 +1,7 @@
---
title: Update Compliance Configuration Script
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Downloading and using the Update Compliance Configuration Script
ms.prod: w10
author: mestew

8
windows/deployment/update/update-compliance-delivery-optimization.md
View File

@ -1,11 +1,11 @@
---
title: Delivery Optimization in Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how the Update Compliance solution provides you with information about your Delivery Optimization configuration.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article
@ -46,7 +46,7 @@ The table breaks down the number of bytes from each download source into specifi
The download sources that could be included are:
- LAN Bytes: Bytes downloaded from LAN Peers which are other devices on the same local network
- Group Bytes: Bytes downloaded from Group Peers which are other devices that belong to the same Group (available when the "Group" download mode is used)
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or an Configuration Manager Distribution Point for Express Updates.
- HTTP Bytes: Non-peer bytes. The HTTP download source can be Microsoft Servers, Windows Update Servers, a WSUS server or a Configuration Manager Distribution Point for Express Updates.
<!--Using include file, waas-delivery-optimization-monitor.md, for shared content on DO monitoring-->
[!INCLUDE [Monitor Delivery Optimization](../do/includes/waas-delivery-optimization-monitor.md)]

6
windows/deployment/update/update-compliance-feature-update-status.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance - Feature Update Status report
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how the Feature Update Status report provides information about the status of feature updates across all devices.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020

6
windows/deployment/update/update-compliance-get-started.md
View File

@ -1,10 +1,10 @@
---
title: Get started with Update Compliance
manager: dougeby
manager: aczechowski
description: Prerequisites, Azure onboarding, and configuring devices for Update Compliance
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection:
- M365-analytics

6
windows/deployment/update/update-compliance-monitor.md
View File

@ -1,11 +1,11 @@
---
title: Monitor Windows Updates and Microsoft Defender AV with Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: You can use Update Compliance in Azure portal to monitor the progress of updates and key anti-malware protection features on devices in your network.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article

6
windows/deployment/update/update-compliance-need-attention.md
View File

@ -1,9 +1,9 @@
---
title: Update Compliance - Need Attention! report
manager: dougeby
manager: aczechowski
description: Learn how the Need attention! section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance.
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.prod: w10

6
windows/deployment/update/update-compliance-privacy.md
View File

@ -1,11 +1,11 @@
---
title: Privacy in Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: an overview of the Feature Update Status report
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

6
windows/deployment/update/update-compliance-safeguard-holds.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance - Safeguard Holds report
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how the Safeguard Holds report provides information about safeguard holds in your population.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020

6
windows/deployment/update/update-compliance-schema-waasdeploymentstatus.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WaaSDeploymentStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WaaSDeploymentStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

6
windows/deployment/update/update-compliance-schema-waasinsiderstatus.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WaaSInsiderStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WaaSInsiderStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

6
windows/deployment/update/update-compliance-schema-waasupdatestatus.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WaaSUpdateStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WaaSUpdateStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

6
windows/deployment/update/update-compliance-schema-wudoaggregatedstatus.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WUDOAggregatedStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WUDOAggregatedStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

6
windows/deployment/update/update-compliance-schema-wudostatus.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance Schema - WUDOStatus
ms.reviewer:
manager: dougeby
manager: aczechowski
description: WUDOStatus schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---

8
windows/deployment/update/update-compliance-schema.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance Data Schema
ms.reviewer:
manager: dougeby
manager: aczechowski
description: an overview of Update Compliance data schema
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
---
@ -21,7 +21,7 @@ The table below summarizes the different tables that are part of the Update Comp
|Table |Category |Description |
|--|--|--|
|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots map to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
|[**WaaSUpdateStatus**](update-compliance-schema-waasupdatestatus.md) |Device record |This table houses device-centric data and acts as the device record for Update Compliance. Each record provided in daily snapshots maps to a single device in a single tenant. This table has data such as the current device's installed version of Windows, whether it is on the latest available updates, and whether the device needs attention. |
|[**WaaSInsiderStatus**](update-compliance-schema-waasinsiderstatus.md) |Device record |This table houses device-centric data specifically for devices enrolled to the Windows Insider Program. Devices enrolled to the Windows Insider Program do not currently have any WaaSDeploymentStatus records, so do not have Update Session data to report on update deployment progress. |
|[**WaaSDeploymentStatus**](update-compliance-schema-waasdeploymentstatus.md) |Update Session record |This table tracks a specific update on a specific device. Multiple WaaSDeploymentStatus records can exist simultaneously for a given device, as each record is specific to a given update and its type. For example, a device can have both a WaaSDeploymentStatus tracking a Windows Feature Update, as well as one tracking a Windows Quality Update, at the same time. |
|[**WUDOStatus**](update-compliance-schema-wudostatus.md) |Delivery Optimization record |This table provides information, for a single device, on their bandwidth utilization across content types in the event they use [Delivery Optimization](https://support.microsoft.com/help/4468254/windows-update-delivery-optimization-faq). |

6
windows/deployment/update/update-compliance-security-update-status.md
View File

@ -1,11 +1,11 @@
---
title: Update Compliance - Security Update Status report
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how the Security Update Status section provides information about security updates across all devices.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.collection: M365-analytics
ms.topic: article
ms.custom: seo-marvel-apr2020

6
windows/deployment/update/update-compliance-using.md
View File

@ -1,11 +1,11 @@
---
title: Using Update Compliance
ms.reviewer:
manager: dougeby
manager: aczechowski
description: Learn how to use Update Compliance to monitor your device's Windows updates.
ms.prod: w10
author: aczechowski
ms.author: aaroncz
author: mestew
ms.author: mstewart
ms.localizationpriority: medium
ms.collection: M365-analytics
ms.topic: article

8
windows/deployment/update/update-compliance-v2-configuration-mem.md
View File

@ -24,8 +24,10 @@ ms.date: 08/24/2022
This article is specifically targeted at configuring devices enrolled to [Microsoft Endpoint Manager](/mem/endpoint-manager-overview) for Update Compliance, within Microsoft Endpoint Manager itself. Configuring devices for Update Compliance in Microsoft Endpoint Manager breaks down to the following steps:
1. [Create a configuration profile](#create-a-configuration-profile) for devices you want to enroll. The configuration profile contains settings for all the Mobile Device Management (MDM) policies that must be configured.
2. [Deploy the configuration script](#deploy-the-configuration-script) as a Win32 app to those same devices, so additional checks can be performed to ensure devices are correctly configured.
3. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md).
1. Wait for data to populate. The length of this process depends on the computer being on, connected to the internet, and correctly configured. Some data types take longer to appear than others. For more information, see [Use Update Compliance](update-compliance-v2-use.md).
> [!TIP]
> If you need to troubleshoot client enrollment, consider deploying the [configuration script](#deploy-the-configuration-script) as a Win32 app to a few devices and reviewing the logs it creates. Additional checks are performed with the script to ensure devices are correctly configured.
## Create a configuration profile
@ -105,7 +107,7 @@ Create a configuration profile that will set the required policies for Update Co
## Deploy the configuration script
The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is an important component of properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
The [Update Compliance Configuration Script](update-compliance-v2-configuration-script.md) is a useful tool for properly enrolling devices in Update Compliance, though it isn't strictly necessary. It checks to ensure that devices have the required services running and checks connectivity to the endpoints detailed in the section on [Manually configuring devices for Update Compliance](update-compliance-v2-configuration-manual.md). You can deploy the script as a Win32 app. For more information, see [Win32 app management in Microsoft Intune](/mem/intune/apps/apps-win32-app-management).
When you deploy the configuration script as a Win32 app, you won't be able to retrieve the results of logs on the device without having access to the device, or saving results of the logs to a shared filesystem. We recommend deploying the script in pilot mode to a set of devices that you do have access to, or have a way to access the resultant log output the script provides, with as similar of a configuration profile as other devices which will be enrolled to Update Compliance, and analyzing the logs for any potential issues. Following this, you can deploy the configuration script in deployment mode as a Win32 app to all Update Compliance devices.

4
windows/security/identity-protection/hello-for-business/hello-hybrid-cloud-kerberos-trust.md
View File

@ -253,8 +253,8 @@ Windows Hello for Business cloud Kerberos trust looks for a writeable DC to exch
### Do I need line of sight to a domain controller to use Windows Hello for Business cloud Kerberos trust?
Windows Hello for Business cloud Kerberos trust requires line of sight to a domain controller for some scenarios:
- The first sign-in or unlock with Windows Hello for Business after provisioning on a Hybrid Azure AD joined device
- When attempting to access an on-premises resource from an Azure AD joined device
- The first sign-in or unlock with Windows Hello for Business after provisioning
- When attempting to access an on-premises resource from a Hybrid Azure AD joined device
### Can I use RDP/VDI with Windows Hello for Business cloud Kerberos trust?

31
windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
View File

@ -1,12 +1,13 @@
---
title: BitLocker recovery guide (Windows 10)
description: This article for IT professionals describes how to recover BitLocker keys from AD DS.
ms.reviewer:
ms.prod: m365-security
title: BitLocker recovery guide
description: This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
author: dansimp
ms.author: dansimp
manager: dansimp
author: frankroj
ms.author: frankroj
ms.reviewer: rafals
manager: aaroncz
ms.collection:
- M365-security-compliance
- highpri
@ -21,11 +22,11 @@ ms.custom: bitlocker
- Windows 10
- Windows 11
- Windows Server 2016 and above
- Windows Server 2016 and later
This article for IT professionals describes how to recover BitLocker keys from AD DS.
This article for IT professionals describes how to recover BitLocker keys from Active Directory Domain Services (AD DS).
Organizations can use BitLocker recovery information saved in Active Directory Domain Services (AD DS) to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.
Organizations can use BitLocker recovery information saved in AD DS to access BitLocker-protected data. Creating a recovery model for BitLocker while you are planning your BitLocker deployment is recommended.
This article assumes that you understand how to set up AD DS to back up BitLocker recovery information automatically, and what types of recovery information are saved to AD DS.
@ -45,7 +46,7 @@ BitLocker recovery is the process by which you can restore access to a BitLocker
The following list provides examples of specific events that will cause BitLocker to enter recovery mode when attempting to start the operating system drive:
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/microsoft-intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On PCs that use BitLocker Drive Encryption, or on devices such as tablets or phones that use [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md) only, when an attack is detected, the device will immediately reboot and enter into BitLocker recovery mode. To take advantage of this functionality, administrators can set the **Interactive logon: Machine account lockout threshold** Group Policy setting located in **\\Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options** in the Local Group Policy Editor. Or they can use the **MaxFailedPasswordAttempts** policy of [Exchange ActiveSync](/Exchange/clients/exchange-activesync/exchange-activesync) (also configurable through [Microsoft Intune](/mem/intune)), to limit the number of failed password attempts before the device goes into Device Lockout.
- On devices with TPM 1.2, changing the BIOS or firmware boot device order causes BitLocker recovery. However, devices with TPM 2.0 do not start BitLocker recovery in this case. TPM 2.0 does not consider a firmware change of boot device order as a security threat because the OS Boot Loader is not compromised.
- Having the CD or DVD drive before the hard drive in the BIOS boot order and then inserting or removing a CD or DVD.
- Failing to boot from a network drive before booting from the hard drive.
@ -280,8 +281,14 @@ This error might occur if you updated the firmware. As a best practice, you shou
## Windows RE and BitLocker Device Encryption
Windows Recovery Environment (RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLockerprotected drives.
Windows Recovery Environment (Windows RE) can be used to recover access to a drive protected by [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md). If a PC is unable to boot after two failures, Startup Repair will automatically start. When Startup Repair is launched automatically due to boot failures, it will only execute operating system and driver file repairs, provided that the boot logs or any available crash dump point to a specific corrupted file. In Windows 8.1 and later, devices that include firmware to support specific TPM measurements for PCR\[7\] the TPM can validate that Windows RE is a trusted operating environment and will unlock any BitLocker-protected drives if Windows RE has not been modified. If the Windows RE environment has been modified, for example the TPM has been disabled, the drives will stay locked until the BitLocker recovery key is provided. If Startup Repair can't run automatically from the PC and instead Windows RE is manually started from a repair disk, then the BitLocker recovery key must be provided to unlock the BitLockerprotected drives.
Windows RE will also ask for your BitLocker recovery key when you start a "Remove everything" reset from Windows RE on a device that uses the "TPM + PIN" or "Password for OS drive" protector. If you start BitLocker recovery on a keyboardless device with TPM-only protection, Windows RE, not the boot manager, will ask for the BitLocker recovery key. After you enter the key, you can access Windows RE troubleshooting tools or start Windows normally.
The BitLocker recovery screen that's shown by Windows RE has the accessibility tools like narrator and on-screen keyboard to help you enter your BitLocker recovery key. If the BitLocker recovery key is requested by the Windows boot manager, those tools might not be available.
To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**.
To activate the on-screen keyboard, tap on a text input control.
## BitLocker recovery screen

BIN
windows/security/information-protection/bitlocker/images/bl-narrator.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 395 KiB

2
windows/security/information-protection/pluton/microsoft-pluton-security-processor.md
View File

@ -19,7 +19,7 @@ appliesto:
Microsoft Pluton security processor is a chip-to-cloud security technology built with [Zero Trust](/security/zero-trust/zero-trust-overview) principles at the core. Microsoft Pluton provides hardware-based root of trust, secure identity, secure attestation, and cryptographic services. Pluton technology is a combination of a secure subsystem which is part of the System on Chip (SoC) and Microsoft authored software that runs on this integrated secure subsystem.
Microsoft Pluton is currently available on devices with Ryzen 7000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
Microsoft Pluton is currently available on devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors. Microsoft Pluton can be enabled on devices with Pluton capable processors running Windows 11, version 22H2.
## What is Microsoft Pluton?

2
windows/security/information-protection/pluton/pluton-as-tpm.md
View File

@ -33,7 +33,7 @@ Pluton is integrated within the SoC subsystem, and provides a flexible, updatabl
## Enable Microsoft Pluton as TPM
Devices with Ryzen 7000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device.
Devices with Ryzen 6000 and Qualcomm Snapdragon® 8cx Gen 3 series processors are Pluton Capable, however enabling and providing an option to enable Pluton is at the discretion of the device manufacturer. Pluton is supported on these devices and can be enabled from the Unified Extensible Firmware Interface (UEFI) setup options for the device.
UEFI setup options differ from product to product, visit the product website and check for guidance to enable Pluton as TPM.

93
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
View File

@ -6,7 +6,7 @@ ms.technology: itpro-security
ms.localizationpriority: medium
ms.collection: M365-security-compliance
author: jsuther1974
ms.reviewer: isbrahm
ms.reviewer: jgeurten
ms.author: vinpa
manager: aaroncz
ms.date: 09/29/2021
@ -62,6 +62,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
- texttransform.exe
- visualuiaverifynative.exe
- system.management.automation.dll
- webclnt.dll/davsvc.dll
- wfc.exe
- windbg.exe
- wmic.exe
@ -119,7 +120,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
```xml
<?xml version="1.0" encoding="utf-8"?>
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy">
<VersionEx>10.0.0.0</VersionEx>
<VersionEx>10.1.0.0</VersionEx>
<PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
<PlatformID>{2E07F7E4-194C-4D20-B7C9-6F44A6C5A234}</PlatformID>
<Rules>
@ -143,50 +144,51 @@ Select the correct version of each .dll for the Windows release you plan to supp
<EKUs />
<!-- File Rules -->
<FileRules>
<Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="AddInProcess.exe" FileName="AddInProcess.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ADDINPROCESS32" FriendlyName="AddInProcess32.exe" FileName="AddInProcess32.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ADDINUTIL" FriendlyName="AddInUtil.exe" FileName="AddInUtil.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ASPNET" FriendlyName="aspnet_compiler.exe" FileName="aspnet_compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_ADDINPROCESS" FriendlyName="AddInProcess.exe" FileName="AddInProcess.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_ADDINPROCESS32" FriendlyName="AddInProcess32.exe" FileName="AddInProcess32.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_ADDINUTIL" FriendlyName="AddInUtil.exe" FileName="AddInUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_ASPNET" FriendlyName="aspnet_compiler.exe" FileName="aspnet_compiler.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_BASH" FriendlyName="bash.exe" FileName="bash.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_BGINFO" FriendlyName="bginfo.exe" FileName="BGINFO.Exe" MinimumFileVersion="4.21.0.0" />
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_CBD" FriendlyName="cdb.exe" FileName="CDB.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_CSI" FriendlyName="csi.exe" FileName="csi.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_CSCRIPT" FriendlyName="cscript.exe" FileName="cscript.exe" MinimumFileVersion="5.812.10240.0" />
<Deny ID="ID_DENY_DBGHOST" FriendlyName="dbghost.exe" FileName="DBGHOST.Exe" MinimumFileVersion="2.3.0.0" />
<Deny ID="ID_DENY_DBGSVC" FriendlyName="dbgsvc.exe" FileName="DBGSVC.Exe" MinimumFileVersion="2.3.0.0" />
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KD_KMCI" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_DNX" FriendlyName="dnx.exe" FileName="dnx.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_DOTNET" FriendlyName="dotnet.exe" FileName="dotnet.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_FSI" FriendlyName="fsi.exe" FileName="fsi.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_FSI_ANYCPU" FriendlyName="fsiAnyCpu.exe" FileName="fsiAnyCpu.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_INFINSTALL" FriendlyName="infdefaultinstall.exe" FileName="infdefaultinstall.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_INSTALLUTIL" FriendlyName="Microsoft InstallUtil" FileName="InstallUtil.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KD" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KD_KMCI" FriendlyName="kd.exe" FileName="kd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_KILL" FriendlyName="kill.exe" FileName="kill.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_LXRUN" FriendlyName="lxrun.exe" FileName="lxrun.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_LXSS" FriendlyName="LxssManager.dll" FileName="LxssManager.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_INTUNE_AGENT" FriendlyName="IntuneWindowsAgent.exe" FileName="Microsoft.Management.Services.IntuneWindowsAgent.exe" MinimumFileVersion="1.46.204.0" />
<Deny ID="ID_DENY_MFC40" FriendlyName="mfc40.dll" FileName="mfc40.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_NTKD" FriendlyName="ntkd.exe" FileName="ntkd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_RUNSCRIPTHELPER" FriendlyName="runscripthelper.exe" FileName="runscripthelper.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_MFC40" FriendlyName="mfc40.dll" FileName="mfc40.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MS_BUILD" FriendlyName="Microsoft.Build.dll" FileName="Microsoft.Build.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MS_BUILD_FMWK" FriendlyName="Microsoft.Build.Framework.dll" FileName="Microsoft.Build.Framework.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MWFC" FriendlyName="Microsoft.Workflow.Compiler.exe" FileName="Microsoft.Workflow.Compiler.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MSBUILD" FriendlyName="MSBuild.exe" FileName="MSBuild.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MSBUILD_DLL" FriendlyName="MSBuild.dll" FileName="MSBuild.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_MSHTA" FriendlyName="mshta.exe" FileName="mshta.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_NTKD" FriendlyName="ntkd.exe" FileName="ntkd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_NTSD" FriendlyName="ntsd.exe" FileName="ntsd.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_PWRSHLCUSTOMHOST" FriendlyName="powershellcustomhost.exe" FileName="powershellcustomhost.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_RCSI" FriendlyName="rcsi.exe" FileName="rcsi.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_RUNSCRIPTHELPER" FriendlyName="runscripthelper.exe" FileName="runscripthelper.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_TEXTTRANSFORM" FriendlyName="texttransform.exe" FileName="texttransform.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_VISUALUIAVERIFY" FriendlyName="visualuiaverifynative.exe" FileName="visualuiaverifynative.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WEBCLNT" FriendlyName="BlockWebDAV WebClnt" FileName="davsvc.dll" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355"/>
<Deny ID="ID_DENY_WFC" FriendlyName="WFC.exe" FileName="wfc.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WINDBG" FriendlyName="windbg.exe" FileName="windbg.Exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WMIC" FriendlyName="wmic.exe" FileName="wmic.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WSCRIPT" FriendlyName="wscript.exe" FileName="wscript.exe" MinimumFileVersion="5.812.10240.0" />
<Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion="65535.65535.65535.65535" />
<Deny ID="ID_DENY_WSL" FriendlyName="wsl.exe" FileName="wsl.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WSLCONFIG" FriendlyName="wslconfig.exe" FileName="wslconfig.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<Deny ID="ID_DENY_WSLHOST" FriendlyName="wslhost.exe" FileName="wslhost.exe" MinimumFileVersion="0.0.0.0" MaximumFileVersion="65355.65355.65355.65355" />
<!-- pick the correct version of msxml3.dll, msxml6.dll, and jscript9.dll based on the release you are supporting -->
<!-- the versions of these files in the 1903 release have this issue fixed, so they dont need to be blocked -->
<!-- RS1 Windows 1607
@ -874,7 +876,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_FSI" />
<FileRuleRef RuleID="ID_DENY_FSI_ANYCPU" />
<FileRuleRef RuleID="ID_DENY_INFINSTALL" />
<FileRuleRef RuleID="ID_DENY_INSTALLUTIL" />
<FileRuleRef RuleID="ID_DENY_INSTALLUTIL" />
<FileRuleRef RuleID="ID_DENY_KD" />
<FileRuleRef RuleID="ID_DENY_KILL" />
<FileRuleRef RuleID="ID_DENY_LXSS" />
@ -894,6 +896,7 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_RUNSCRIPTHELPER" />
<FileRuleRef RuleID="ID_DENY_TEXTTRANSFORM" />
<FileRuleRef RuleID="ID_DENY_VISUALUIAVERIFY" />
<FileRuleRef RuleID="ID_DENY_WEBCLNT" />
<FileRuleRef RuleID="ID_DENY_WFC" />
<FileRuleRef RuleID="ID_DENY_WINDBG" />
<FileRuleRef RuleID="ID_DENY_WMIC" />
@ -902,10 +905,10 @@ Select the correct version of each .dll for the Windows release you plan to supp
<FileRuleRef RuleID="ID_DENY_WSLCONFIG" />
<FileRuleRef RuleID="ID_DENY_WSLHOST" />
<!-- uncomment the relevant line(s) below if you have uncommented them in the rule definitions above
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-->
<FileRuleRef RuleID="ID_DENY_MSXML3" />
<FileRuleRef RuleID="ID_DENY_MSXML6" />
<FileRuleRef RuleID="ID_DENY_JSCRIPT9" />
-->
<FileRuleRef RuleID="ID_DENY_D_1" />
<FileRuleRef RuleID="ID_DENY_D_2" />
<FileRuleRef RuleID="ID_DENY_D_3" />

2118
windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
View File

File diff suppressed because it is too large Load Diff

11
windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
View File

@ -61,9 +61,18 @@ Smart App Control is only available on clean installation of Windows 11 version
> [!IMPORTANT]
> Once you turn Smart App Control off, it can't be turned on without resetting or reinstalling Windows.
### Smart App Control Enforced Blocks
Smart App Control enforces the [Microsoft Recommended Driver Block rules](microsoft-recommended-driver-block-rules.md) and the [Microsoft Recommended Block Rules](microsoft-recommended-block-rules.md), with a few exceptions for compatibility considerations. The following are not blocked by Smart App Control:
- Infdefaultinstall.exe
- Microsoft.Build.dll
- Microsoft.Build.Framework.dll
- Wslhost.dll
## Related articles
- [WDAC design guide](windows-defender-application-control-design-guide.md)
- [WDAC deployment guide](windows-defender-application-control-deployment-guide.md)
- [WDAC operational guide](windows-defender-application-control-operational-guide.md)
- [AppLocker overview](applocker/applocker-overview.md)
- [AppLocker overview](applocker/applocker-overview.md)

2
windows/security/threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
View File

@ -54,7 +54,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
| Name | Build | Baseline Release Date | Security Tools |
| ---- | ----- | --------------------- | -------------- |
| Windows 11 | [Windows 11](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-security-baseline/ba-p/2810772) <br> | October 2021<br>|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520) <br> | September 2022<br>|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
| Windows 10 | [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703) <br> [21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353) <br> [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) <br> [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) <br> [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <br>[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| December 2021<br>May 2021<br>December 2020<br>October 2018<br>October 2016 <br>January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |

15
windows/security/threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
View File

@ -25,14 +25,15 @@ The SCT enables administrators to effectively manage their enterprises Group
The Security Compliance Toolkit consists of:
- Windows 11 security baseline
- Windows 11, version 22H2
- Windows 11, version 21H2
- Windows 10 security baselines
- Windows 10 Version 21H2
- Windows 10 Version 21H1
- Windows 10 Version 20H2
- Windows 10 Version 1809
- Windows 10 Version 1607
- Windows 10 Version 1507
- Windows 10, version 21H2
- Windows 10, version 21H1
- Windows 10, version 20H2
- Windows 10, version 1809
- Windows 10, version 1607
- Windows 10, version 1507
- Windows Server security baselines
- Windows Server 2022

4
windows/whats-new/whats-new-windows-11-version-22H2.md
View File

@ -19,7 +19,7 @@ Windows 11, version 22H2 is a feature update for Windows 11. It includes all fea
Windows 11, version 22H2 follows the [Windows 11 servicing timeline](/lifecycle/faq/windows#windows-11):
- **Windows 11 Professional**: Serviced for 24 months from the release date.
- **Windows 11 Pro**: Serviced for 24 months from the release date.
- **Windows 11 Enterprise**: Serviced for 36 months from the release date.
Windows 11, version 22H2 is available through Windows Server Update Services (including Configuration Manager), Windows Update for Business, and the Volume Licensing Service Center (VLSC). For more information, see [How to get the Windows 11, version 22H2 update](https://aka.ms/W11/how-to-get-22H2). Review the [Windows 11, version 22H2 Windows IT Pro blog post](https://aka.ms/new-in-22H2) to discover information about available deployment resources such as the [Windows Deployment Kit (Windows ADK)](/windows-hardware/get-started/adk-install).
@ -43,7 +43,7 @@ For more information, see [Enhanced Phishing Protection in Microsoft Defender Sm
<!-- 6286281-->
**Smart App Control** adds significant protection from malware, including new and emerging threats, by blocking apps that are malicious or untrusted. **Smart App Control** also helps to block potentially unwanted apps, which are apps that may cause your device to run slowly, display unexpected ads, offer extra software you didn't want, or do other things you don't expect.
For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md#wdac-and-smart-app-control).
For more information, see [Smart App Control](/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control#wdac-and-smart-app-control).
## Credential Guard
<!--6289166-->