diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 14021740e8..956aa34a1f 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -57,8 +57,8 @@
# Update, troubleshoot, or recover HoloLens
## [Update HoloLens](hololens-update-hololens.md)
-## [Restart, reset, or recover HoloLens](hololens-recovery.md)
-## [Restart, reset, or recover HoloLens 1st Gen](hololens1-recovery.md)
+## [Restart, reset, or recover HoloLens 2](hololens-recovery.md)
+## [Restart, reset, or recover HoloLens (1st gen) ](hololens1-recovery.md)
## [Troubleshoot HoloLens issues](hololens-troubleshooting.md)
## [Collect diagnostic information from HoloLens devices](hololens-diagnostic-logs.md)
## [Known issues for HoloLens](hololens-known-issues.md)
diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md
index 08af92c386..e37c3e14ec 100644
--- a/devices/hololens/hololens-identity.md
+++ b/devices/hololens/hololens-identity.md
@@ -85,9 +85,9 @@ One way in which developing for HoloLens differs from developing for Desktop is
## Frequently asked questions
-### Is Windows Hello for Business supported on HoloLens?
+### Is Windows Hello for Business supported on HoloLens (1st Gen)?
-Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens:
+Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens (1st Gen). To allow Windows Hello for Business PIN sign-in on HoloLens:
1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md).
1. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello))
@@ -96,13 +96,19 @@ Windows Hello for Business (which supports using a PIN to sign in) is supported
> [!NOTE]
> Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview).
-#### Does the type of account change the sign-in behavior?
+### How is Iris biometric authentication implemented on HoloLens 2?
-Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type:
+HoloLens 2 supports Iris authentication. Iris is based on Windows Hello technology and is supported for use by both Azure Active Directory and Microsoft Accounts. Iris is implemented the same way as other Windows Hello technologies, and achieves biometrics security FAR of 1/100K.
-- **Microsoft account**: signs in automatically
-- **Local account**: always asks for password, not configurable in **Settings**
-- **Azure AD**: asks for password by default, and configurable by **Settings** to no longer ask for password.
+You can learn more about biometric requirements and specifications for Windows Hello [here](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Learn more about [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello) and [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification).
+
+### How does the type of account affect sign-in behavior?
+
+If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type:
+
+- **Azure AD**: asks for authentication by default, and configurable by **Settings** to no longer ask for authentication.
+- **Microsoft account**: lock behavior is different allowing automatic unlock, however sign in authentication is still required on reboot.
+- **Local account**: always asks for authentication in the form of a password, not configurable in **Settings**
> [!NOTE]
> Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is only respected when the device goes into StandBy.
diff --git a/devices/hololens/hololens-recovery.md b/devices/hololens/hololens-recovery.md
index 8c3374807f..d8dd0ceb11 100644
--- a/devices/hololens/hololens-recovery.md
+++ b/devices/hololens/hololens-recovery.md
@@ -49,11 +49,11 @@ Under certain circumstances the customer may be required to manually reset the d
### Standard procedure
1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable.
-2. Press and hold the power button for 15 seconds. All LEDs should be off.
+2. Press and hold the **power button** for 15 seconds. All LEDs should be off.
-3. Wait 2-3 seconds and Short press the power button, the LEDs close to the power button will light up and the device will start to boot.
+3. Wait 2-3 seconds and Short press the **power button**, the LEDs close to the power button will light up and the device will start to boot.
-4. Connect the device to the host PC, open Device Manager (for Windows 10 press the “Windows” key and then the “x” key and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below:
+4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below:
@@ -63,13 +63,13 @@ If the standard reset procedure does not work, you can use the hard-reset proced
1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable.
-2. Hold volume down + power for 15 seconds.
+2. Hold **volume down + power button** for 15 seconds.
3. The device will automatically reboot.
-4. Connect the device to the host PC, open Device Manager (for Windows 10 press the “Windows” key and then the “x” key and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below.
+4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the pictures below.
-
+
## Clean reflash the device
@@ -97,11 +97,11 @@ If the device does not boot correctly you may need to put the HoloLens 2 device
1. Disconnect the device from the power supply or the host PC by unplugging the Type-C cable.
-2. Press and hold the power button for 15 seconds. All LEDs should turn off.
+2. Press and hold the **power button** for 15 seconds. All LEDs should turn off.
-3. While pressing the volume up button, press and release the power button to boot the device. Wait 10 seconds before releasing the volume up button. Out of the 5 LEDs on the device, only the middle LED will light up.
+3. While pressing the **volume up button**, press and release the **power button** to boot the device. Wait 15 seconds before releasing the volume up button. Out of the 5 LEDs on the device, only the middle LED will light up.
-4. Connect the device to the host PC, open Device Manager (for Windows 10 press the “Windows” key and then the “x” key and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the image below.
+4. Connect the device to the host PC, open Device Manager (for Windows 10 press the **“Windows” key** and then the **“x” key** and click on “Device Manager”) and make sure the device enumerates correctly as Microsoft HoloLens as shown in the image below.
diff --git a/devices/hololens/hololens-troubleshooting.md b/devices/hololens/hololens-troubleshooting.md
index b4d107902a..d0bd894a3e 100644
--- a/devices/hololens/hololens-troubleshooting.md
+++ b/devices/hololens/hololens-troubleshooting.md
@@ -27,14 +27,14 @@ This article describes how to resolve several common HoloLens issues.
If your HoloLens won't start:
-- If the LEDs next to the power button don't light up, or only one LED briefly blinks, you may need to charge your HoloLens.
-- If the LEDs light up when you press the power button but you can't see anything on the displays, hold the power button until all five of the LEDs turn off.
+- If the LEDs next to the power button don't light up, or only one LED briefly blinks, you may need to [charge your HoloLens.](hololens-recovery.md#charging-the-device)
+- If the LEDs light up when you press the power button but you can't see anything on the displays, [preform a hard reset of the device](hololens-recovery.md#hard-reset-procedure).
If your HoloLens becomes frozen or unresponsive:
-- Turn off your HoloLens by pressing the power button until all five of the LEDs turn themselves off, or for 10 seconds if the LEDs are unresponsive. To start your HoloLens, press the power button again.
+- Turn off your HoloLens by pressing the power button until all five of the LEDs turn themselves off, or for 15 seconds if the LEDs are unresponsive. To start your HoloLens, press the power button again.
-If these steps don't work, you can try [recovering your device](hololens-recovery.md).
+If these steps don't work, you can try [recovering your HoloLens 2 device](hololens-recovery.md) or [HoloLens (1st gen) device.](hololens1-recovery.md)
## Holograms don't look good
@@ -92,6 +92,6 @@ You'll need to free up some storage space by doing one or more of the following:
The most likely problem is that you're running low on storage space. Try one of the [previous tips](#im-getting-a-low-disk-space-error) to free up some disk space.
-## The HoloLens emulators isn't working
+## The HoloLens emulator isn't working
Information about the HoloLens emulator is located in our developer documentation. Read more about [troubleshooting the HoloLens emulator](https://docs.microsoft.com/windows/mixed-reality/using-the-hololens-emulator#troubleshooting).
diff --git a/devices/hololens/images/MicrosoftHoloLens_DeviceManager.png b/devices/hololens/images/MicrosoftHoloLens_DeviceManager.png
new file mode 100644
index 0000000000..ca2bd894a1
Binary files /dev/null and b/devices/hololens/images/MicrosoftHoloLens_DeviceManager.png differ
diff --git a/devices/surface/surface-book-gpu-overview.md b/devices/surface/surface-book-gpu-overview.md
index 337ae2daf6..77c5af7cc9 100644
--- a/devices/surface/surface-book-gpu-overview.md
+++ b/devices/surface/surface-book-gpu-overview.md
@@ -18,9 +18,9 @@ audience: itpro
## Introduction
Surface Book 3, the most powerful Surface laptop yet released, integrates fully modernized compute and graphics capabilities into its famous detachable form factor. Led by the quad-core 10th Gen Intel® Core™ i7 and NVIDIA® Quadro RTX™ 3000 graphical processing unit (GPU) on the 15-inch model, Surface Book 3 comes in a wide range of configurations for consumers, creative professionals, architects, engineers, and data scientists. This article explains the major differences between the GPU configurations across 13-inch and 15-inch models of Surface Book 3.
-
-A significant differentiator across Surface Book 3 models is the GPU configuration. In addition to the integrated Intel GPU built into all models, all but the entry-level, 13.5-inch core i5 device also feature a discrete NVIDIA GPU with Max-Q Design, which incorporates features that optimize energy efficiency for mobile form factors.
-
+
+A significant differentiator across Surface Book 3 models is the GPU configuration. In addition to the integrated Intel GPU built into all models, all but the entry-level 13.5-inch Core i5 device also feature a discrete NVIDIA GPU with Max-Q Design, which incorporates features that optimize energy efficiency for mobile form factors.
+
Built into the keyboard base, the additional NVIDIA GPU provides advanced graphics rendering capabilities and comes in two primary configurations: GeForce® GTX® 1650/1660 Ti for consumers or creative professionals and Quadro RTX 3000 for creative professionals, engineers, and other business professionals who need advanced graphics or deep learning capabilities. This article also describes how to optimize app utilization of GPUs by specifying which apps should use the integrated iGPU versus the discrete NVIDIA GPU.
## Surface Book 3 GPUs
@@ -34,17 +34,17 @@ The integrated GPU (iGPU) included on all Surface Book 3 models incorporates a w
### NVIDIA GeForce GTX 1650
NVIDIA GeForce GTX 1650 with Max-Q design delivers a major upgrade of the core streaming multiprocessor to more efficiently handle the complex graphics of modern games. Its
-concurrent execution of floating point and integer operations boosts performance in compute-heavy workloads of modern games. A new unified memory architecture with twice the cache of its predecessor allows for better performance on complex modern games. New shading advancements improve performance, enhance image quality, and deliver new levels of geometric complexity.
+concurrent execution of floating point and integer operations boosts performance in the compute-heavy workloads of modern games. A new unified memory architecture with twice the cache of its predecessor allows for better performance on complex modern games. New shading advancements improve performance, enhance image quality, and deliver new levels of geometric complexity.
### NVIDIA GeForce GTX 1660 Ti
Compared with the GeForce GTX 1650, the faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements and includes the new and upgraded NVIDIA Encoder, making it better for consumers, gamers, live streamers, and creative professionals.
-
+
Thanks to 6 GB of GDDR6 graphics memory, Surface Book 3 models equipped with NVIDIA GeForce GTX 1660 TI provide superior speeds on advanced business productivity software and popular games especially when running the most modern titles or livestreaming. With an optional 2 TB SSD (available in U.S. only), the 15-inch model with GeForce GTX 1660 Ti delivers the most storage of any Surface Book 3 device.
### NVIDIA Quadro RTX 3000
-NVIDIA Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance. A combination of 30 RT cores, 240 tensor cores, and 6 GB of GDDR6 graphics memory enables multiple advanced workloads including Al-powered workflows, 3D content creation, advanced video editing, professional broadcasting, and multi-app workflows. Enterprise level hardware and software support integrate deployment tools to maximize uptime and minimize IT support requirements. Certified for the world’s most advanced software, Quadro drivers are optimized for professional applications, and are tuned, tested, and validated to provide app certification, enterprise level stability, reliability, availability, and support with extended product availability.
+NVIDIA Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance. A combination of 30 RT cores, 240 tensor cores, and 6 GB of GDDR6 graphics memory enables multiple advanced workloads including Al-powered workflows, 3D content creation, advanced video editing, professional broadcasting, and multi-app workflows. Enterprise level hardware and software support integrate deployment tools to maximize uptime and minimize IT support requirements. Certified for the world’s most advanced software, Quadro drivers are optimized for professional applications and are tuned, tested, and validated to provide app certification, enterprise level stability, reliability, availability, and support with extended product availability.
## Comparing GPUs across Surface Book 3
@@ -53,7 +53,7 @@ NVIDIA GPUs provide users with great performance for gaming, live streaming, and
- RTX acceleration for ray tracing and AI. This makes it possible to render film-quality, photorealistic objects and environments with physically accurate shadows, reflections and refractions. And its hardware accelerated AI capabilities means the advanced AI-based features in popular applications can run faster than ever before.
- Enterprise-level hardware, drivers and support, as well as ISV app certifications.
-- IT management features including an additional layer of dedicated enterprise tools for remote management that help maximize uptime and minimize IT support requirements.
+- IT management features including an additional layer of dedicated enterprise tools for remote management that help maximize uptime and minimize IT support requirements.
Unless you count yourself among the ranks of advanced engineering, design, architecture, or data science professionals, Surface Book 3 equipped with NVIDIA GeForce graphics capabilities will likely meet your needs. Conversely, if you’re already in -- or aspiring to join -- a profession that requires highly advanced graphics capabilities in a portable form factor that lets you work from anywhere, Surface Book 3 with Quadro RTX 3000 deserves serious consideration. To learn more, refer to the Surface Book 3 Quadro RTX 3000 technical overview.
@@ -61,13 +61,12 @@ NVIDIA GPUs provide users with great performance for gaming, live streaming, and
| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
| -------------------- | -------------------------------------- | -------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
-| **Target users** | Gamers, hobbyists and online creators | Gamers, creative professionals and online creators | Creative professionals, architects, engineers, developers, data scientists |
+| **Target users** | Gamers, hobbyists, and online creators | Gamers, creative professionals, and online creators | Creative professionals, architects, engineers, developers, data scientists |
| **Workflows** | Graphic design
Photography
Video | Graphic design
Photography
Video | Al-powered Workflows
App certifications
High-res video
Pro broadcasting
Multi-app workflows |
| **Key apps** | Adobe Creative Suite | Adobe Creative Suite | Adobe Creative Suite
Autodesk AutoCAD
Dassault Systemes SolidWorks |
| **GPU acceleration** | Video and image processing | Video and image processing | Ray tracing + AI + 6K video
Pro broadcasting features
Enterprise support |
-
-
+
**Table 2. GPU tech specs on Surface Book 3**
| | **GeForce GTX 1650** | **GeForce GTX 1660 Ti** | **Quadro RTX 3000** |
@@ -92,11 +91,11 @@ NVIDIA GPUs provide users with great performance for gaming, live streaming, and
| **High-bandwidth Digital Content Protection (HDCP) 2.2** | Yes | Yes | Yes |
| **NVIDIA GPU Boost** | Yes | Yes | Yes |
-
+
1. *Recommended*
2. *Supported*
-## Optimizing power and performance on Surface Book 3
+## Optimizing power and performance on Surface Book 3
Windows 10 includes a Battery Saver mode with a performance slider that lets you maximize app performance (by sliding it to the right) or preserve battery life (by sliding it to the left). Surface Book 3 implements this functionality algorithmically to optimize power and performance across the following components:
@@ -106,7 +105,7 @@ Windows 10 includes a Battery Saver mode with a performance slider that lets you
- Processor IA Turbo limitations.
By default, when the battery drops below 20 percent, the Battery Saver adjusts settings to extend battery life. When connected to power, Surface Book 3 defaults to “Best Performance” settings to ensure apps run in high performance mode on the secondary NVIDIA GPU present on all i7 Surface Book 3 systems.
-
+
Using default settings is recommended for optimal performance when used as a laptop or detached in tablet or studio mode. You can access Battery Saver by selecting the battery icon on the far right of the taskbar.
### Game mode
@@ -115,14 +114,14 @@ Surface Book 3 includes a new game mode that automatically selects maximum perfo
### Safe Detach
-New in Surface Book 3, apps enabled for Safe Detach let you disconnect while the app is using the GPU. For supported apps like *World of Warcraft*, your work is moved to the iGPU.
+New in Surface Book 3, apps enabled for Safe Detach let you disconnect while the app is using the GPU. For supported apps like *World of Warcraft*, your work is moved to the iGPU.
### Modifying app settings to always use a specific GPU
You can switch between the power-saving but still capable built-in Intel graphics and the more powerful discrete NVIDIA GPU and associate a GPU with a specific app. By default, Windows 10 automatically chooses the appropriate GPU, assigning graphically demanding apps to the discrete NVIDIA GPU. In most instances there is no need to manually adjust these settings. However, if you frequently detach and reattach the display from the keyboard base while using a graphically demanding app, you’ll typically need to close the app prior to detaching. To enable continuous use of the app without having to close it every time you detach or reattach the display, you can assign it to the integrated GPU, albeit with some loss of graphics performance.
-
+
In some instances, Windows 10 may assign a graphically demanding app to be iGPU; for example, if the app is not fully optimized for hybrid graphics. To remedy this, you can manually assign the app to the discrete NVIDIA GPU.
-
+
**To configure apps using custom per-GPU options:**
1. Go to **Settings** > **System** > **Display** and select **Graphics Settings**.
@@ -157,7 +156,7 @@ In some instances, Windows 10 may assign a graphically demanding app to be iGPU;
## Summary
-Built for performance, Surface Book 3 includes different GPU configurations optimized to meet specific workload and use requirements. An integrated Intel Iris graphics GPU functions as the sole GPU on the entry-level core i5 device and as a secondary GPU on all other models. GeForce GTX 1650 features a major upgrade of the core streaming multiprocessor to run complex graphics more efficiently. The faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements making it better for consumers, gamers, live streamers, and creative professionals. Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance.
+Built for performance, Surface Book 3 includes different GPU configurations optimized to meet specific workload and use requirements. An integrated Intel Iris graphics GPU functions as the sole GPU on the entry-level Core i5 device and as a secondary GPU on all other models. GeForce GTX 1650 features a major upgrade of the core streaming multiprocessor to run complex graphics more efficiently. The faster GeForce GTX 1660 Ti provides Surface Book 3 with additional performance improvements making it better for consumers, gamers, live streamers, and creative professionals. Quadro RTX 3000 unlocks several key features for professional users: ray tracing rendering and AI acceleration, and advanced graphics and compute performance.
## Learn more
diff --git a/windows/client-management/mdm/policy-csp-userrights.md b/windows/client-management/mdm/policy-csp-userrights.md
index c7f5dc6a0a..69a0f091d0 100644
--- a/windows/client-management/mdm/policy-csp-userrights.md
+++ b/windows/client-management/mdm/policy-csp-userrights.md
@@ -18,9 +18,11 @@ manager: dansimp
-User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. Here is a list for reference, [Well-Known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx). Even though strings are supported for well-known accounts and groups, it is better to use SIDs because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.
+User rights are assigned for user accounts or groups. The name of the policy defines the user right in question, and the values are always users or groups. Values can be represented as SIDs or strings. For reference, see [Well-Known SID Structures](https://msdn.microsoft.com/library/cc980032.aspx).
-Here is an example syncml for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups.
+Even though strings are supported for well-known accounts and groups, it is better to use SIDs, because strings are localized for different languages. Some user rights allow things like AccessFromNetwork, while others disallow things, like DenyAccessFromNetwork.
+
+Here is an example for setting the user right BackupFilesAndDirectories for Administrators and Authenticated Users groups.
```xml
@@ -46,44 +48,46 @@ Here is an example syncml for setting the user right BackupFilesAndDirectories f
Here are examples of data fields. The encoded 0xF000 is the standard delimiter/separator.
-- Grant an user right to Administrators group via SID:
- ```
+- Grant a user right to Administrators group via SID:
+ ```xml
*S-1-5-32-544
```
-- Grant an user right to multiple groups (Administrators, Authenticated Users) via SID
- ```
+- Grant a user right to multiple groups (Administrators, Authenticated Users) via SID:
+ ```xml
*S-1-5-32-544*S-1-5-11
```
-- Grant an user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings
- ```
+- Grant a user right to multiple groups (Administrators, Authenticated Users) via a mix of SID and Strings:
+ ```xml
*S-1-5-32-544Authenticated Users
```
-- Grant an user right to multiple groups (Authenticated Users, Administrators) via strings
- ```
+- Grant a user right to multiple groups (Authenticated Users, Administrators) via strings:
+ ```xml
Authenticated UsersAdministrators
```
-- Empty input indicates that there are no users configured to have that user right
- ```
+- Empty input indicates that there are no users configured to have that user right:
+ ```xml
```
+
If you use Intune custom profiles to assign UserRights policies, you must use the CDATA tag (``) to wrap the data fields. You can specify one or more user groups within the CDATA tag by using 0xF000 as the delimiter/separator.
-> [!Note]
+> [!NOTE]
> `` is the entity encoding of 0xF000.
For example, the following syntax grants user rights to Authenticated Users and Replicator user groups:
-```
+
+```xml
```
-## UserRights policies
+## UserRights policies
-
@@ -179,7 +183,7 @@ For example, the following syntax grants user rights to Authenticated Users and
-**UserRights/AccessCredentialManagerAsTrustedCaller**
+**UserRights/AccessCredentialManagerAsTrustedCaller**
@@ -193,19 +197,19 @@ For example, the following syntax grants user rights to Authenticated Users and
| Pro |
-  4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -226,7 +230,7 @@ This user right is used by Credential Manager during Backup/Restore. No accounts
-GP Info:
+GP Info:
- GP English name: *Access Credential Manager as a trusted caller*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -236,7 +240,7 @@ GP Info:
-**UserRights/AccessFromNetwork**
+**UserRights/AccessFromNetwork**
@@ -250,19 +254,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -279,11 +283,13 @@ GP Info:
-This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.Note: Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
+This user right determines which users and groups are allowed to connect to the computer over the network. Remote Desktop Services are not affected by this user right.
+> [!NOTE]
+> Remote Desktop Services was called Terminal Services in previous versions of Windows Server.
-GP Info:
+GP Info:
- GP English name: *Access this computer from the network*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -293,7 +299,7 @@ GP Info:
-**UserRights/ActAsPartOfTheOperatingSystem**
+**UserRights/ActAsPartOfTheOperatingSystem**
@@ -307,19 +313,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -336,11 +342,13 @@ GP Info:
-This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user. Processes that require this privilege should use the LocalSystem account, which already includes this privilege, rather than using a separate user account with this privilege specially assigned.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Assign this user right to trusted users only.
-GP Info:
+GP Info:
- GP English name: *Act as part of the operating system*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -350,7 +358,7 @@ GP Info:
-**UserRights/AllowLocalLogOn**
+**UserRights/AllowLocalLogOn**
@@ -364,19 +372,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -393,11 +401,13 @@ GP Info:
-This user right determines which users can log on to the computer. Note: Modifying this setting may affect compatibility with clients, services, and applications. For compatibility information about this setting, see Allow log on locally (https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
+This user right determines which users can log on to the computer.
+> [!NOTE]
+> Modifying this setting might affect compatibility with clients, services, and applications. For compatibility information about this setting, see [Allow log on locally](https://go.microsoft.com/fwlink/?LinkId=24268 ) at the Microsoft website.
-GP Info:
+GP Info:
- GP English name: *Allow log on locally*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -407,7 +417,7 @@ GP Info:
-**UserRights/BackupFilesAndDirectories**
+**UserRights/BackupFilesAndDirectories**
@@ -421,19 +431,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -450,11 +460,13 @@ GP Info:
-This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories.Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Read. Caution: Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, only assign this user right to trusted users
+This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when backing up files and directories. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Read.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Since users with this user right can read any registry settings and files, assign this user right to trusted users only.
-GP Info:
+GP Info:
- GP English name: *Back up files and directories*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -464,7 +476,7 @@ GP Info:
-**UserRights/ChangeSystemTime**
+**UserRights/ChangeSystemTime**
@@ -478,19 +490,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -511,7 +523,7 @@ This user right determines which users and groups can change the time and date o
-GP Info:
+GP Info:
- GP English name: *Change the system time*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -521,7 +533,7 @@ GP Info:
-**UserRights/CreateGlobalObjects**
+**UserRights/CreateGlobalObjects**
@@ -535,19 +547,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -564,11 +576,13 @@ GP Info:
-This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption. Caution: Assigning this user right can be a security risk. Assign this user right only to trusted users.
+This security setting determines whether users can create global objects that are available to all sessions. Users can still create objects that are specific to their own session if they do not have this user right. Users who can create global objects could affect processes that run under other users' sessions, which could lead to application failure or data corruption.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Assign this user right to trusted users only.
-GP Info:
+GP Info:
- GP English name: *Create global objects*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -578,7 +592,7 @@ GP Info:
-**UserRights/CreatePageFile**
+**UserRights/CreatePageFile**
@@ -592,19 +606,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -621,11 +635,11 @@ GP Info:
-This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users
+This user right determines which users and groups can call an internal application programming interface (API) to create and change the size of a page file. This user right is used internally by the operating system and usually does not need to be assigned to any users.
-GP Info:
+GP Info:
- GP English name: *Create a pagefile*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -635,7 +649,7 @@ GP Info:
-**UserRights/CreatePermanentSharedObjects**
+**UserRights/CreatePermanentSharedObjects**
@@ -649,19 +663,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -682,7 +696,7 @@ This user right determines which accounts can be used by processes to create a d
-GP Info:
+GP Info:
- GP English name: *Create permanent shared objects*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -692,7 +706,7 @@ GP Info:
-**UserRights/CreateSymbolicLinks**
+**UserRights/CreateSymbolicLinks**
@@ -706,19 +720,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -735,11 +749,15 @@ GP Info:
-This user right determines if the user can create a symbolic link from the computer he is logged on to. Caution: This privilege should only be given to trusted users. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them. Note: This setting can be used in conjunction a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
+This user right determines if the user can create a symbolic link from the computer he is logged on to.
+> [!CAUTION]
+> This privilege should be given to trusted users only. Symbolic links can expose security vulnerabilities in applications that aren't designed to handle them.
+> [!NOTE]
+> This setting can be used in conjunction with a symlink filesystem setting that can be manipulated with the command line utility to control the kinds of symlinks that are allowed on the machine. Type 'fsutil behavior set symlinkevaluation /?' at the command line to get more information about fsutil and symbolic links.
-GP Info:
+GP Info:
- GP English name: *Create symbolic links*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -749,7 +767,7 @@ GP Info:
-**UserRights/CreateToken**
+**UserRights/CreateToken**
@@ -763,19 +781,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -792,11 +810,13 @@ GP Info:
-This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+This user right determines which accounts can be used by processes to create a token that can then be used to get access to any local resources when the process uses an internal application programming interface (API) to create an access token. This user right is used internally by the operating system. Unless it is necessary, do not assign this user right to a user, group, or process other than Local System.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
-GP Info:
+GP Info:
- GP English name: *Create a token object*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -806,7 +826,7 @@ GP Info:
-**UserRights/DebugPrograms**
+**UserRights/DebugPrograms**
@@ -820,19 +840,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -849,11 +869,13 @@ GP Info:
-This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components. Caution:Assigning this user right can be a security risk. Only assign this user right to trusted users.
+This user right determines which users can attach a debugger to any process or to the kernel. Developers who are debugging their own applications do not need to be assigned this user right. Developers who are debugging new system components will need this user right to be able to do so. This user right provides complete access to sensitive and critical operating system components.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Assign this user right to trusted users only.
-GP Info:
+GP Info:
- GP English name: *Debug programs*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -863,7 +885,7 @@ GP Info:
-**UserRights/DenyAccessFromNetwork**
+**UserRights/DenyAccessFromNetwork**
@@ -877,19 +899,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -910,7 +932,7 @@ This user right determines which users are prevented from accessing a computer o
-GP Info:
+GP Info:
- GP English name: *Deny access to this computer from the network*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -920,7 +942,7 @@ GP Info:
-**UserRights/DenyLocalLogOn**
+**UserRights/DenyLocalLogOn**
@@ -934,19 +956,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -963,11 +985,13 @@ GP Info:
-This security setting determines which service accounts are prevented from registering a process as a service. Note: This security setting does not apply to the System, Local Service, or Network Service accounts.
+This security setting determines which service accounts are prevented from registering a process as a service.
+> [!NOTE]
+> This security setting does not apply to the System, Local Service, or Network Service accounts.
-GP Info:
+GP Info:
- GP English name: *Deny log on as a service*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -977,7 +1001,7 @@ GP Info:
-**UserRights/DenyRemoteDesktopServicesLogOn**
+**UserRights/DenyRemoteDesktopServicesLogOn**
@@ -991,19 +1015,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1020,11 +1044,11 @@ GP Info:
-This user right determines which users and groups are prohibited from logging on as a Remote Desktop Services client.
+This user right determines which users and groups are prohibited from logging on as Remote Desktop Services clients.
-GP Info:
+GP Info:
- GP English name: *Deny log on through Remote Desktop Services*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1034,7 +1058,7 @@ GP Info:
-**UserRights/EnableDelegation**
+**UserRights/EnableDelegation**
@@ -1048,19 +1072,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1077,11 +1101,13 @@ GP Info:
-This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set. Caution: Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
+This user right determines which users can set the Trusted for Delegation setting on a user or computer object. The user or object that is granted this privilege must have write access to the account control flags on the user or computer object. A server process running on a computer (or under a user context) that is trusted for delegation can access resources on another computer using delegated credentials of a client, as long as the client account does not have the Account cannot be delegated account control flag set.
+> [!CAUTION]
+> Misuse of this user right, or of the Trusted for Delegation setting, could make the network vulnerable to sophisticated attacks using Trojan horse programs that impersonate incoming clients and use their credentials to gain access to network resources.
-GP Info:
+GP Info:
- GP English name: *Enable computer and user accounts to be trusted for delegation*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1091,7 +1117,7 @@ GP Info:
-**UserRights/GenerateSecurityAudits**
+**UserRights/GenerateSecurityAudits**
@@ -1105,19 +1131,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1138,7 +1164,7 @@ This user right determines which accounts can be used by a process to add entrie
-GP Info:
+GP Info:
- GP English name: *Generate security audits*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1148,7 +1174,7 @@ GP Info:
-**UserRights/ImpersonateClient**
+**UserRights/ImpersonateClient**
@@ -1162,19 +1188,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1191,15 +1217,21 @@ GP Info:
-Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels. Caution: Assigning this user right can be a security risk. Only assign this user right to trusted users. Note: By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
+Assigning this user right to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Assign this user right to trusted users only.
+> [!NOTE]
+> By default, services that are started by the Service Control Manager have the built-in Service group added to their access tokens. Component Object Model (COM) servers that are started by the COM infrastructure and that are configured to run under a specific account also have the Service group added to their access tokens. As a result, these services get this user right when they are started. In addition, a user can also impersonate an access token if any of the following conditions exist.
1) The access token that is being impersonated is for this user.
2) The user, in this logon session, created the access token by logging on to the network with explicit credentials.
3) The requested level is less than Impersonate, such as Anonymous or Identify.
-Because of these factors, users do not usually need this user right. Warning: If you enable this setting, programs that previously had the Impersonate privilege may lose it, and they may not run.
+Because of these factors, users do not usually need this user right.
+> [!WARNING]
+> If you enable this setting, programs that previously had the Impersonate privilege might lose it, and they might not run.
-GP Info:
+GP Info:
- GP English name: *Impersonate a client after authentication*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1209,7 +1241,7 @@ GP Info:
-**UserRights/IncreaseSchedulingPriority**
+**UserRights/IncreaseSchedulingPriority**
@@ -1223,19 +1255,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1256,13 +1288,13 @@ This user right determines which accounts can use a process with Write Property
-GP Info:
+GP Info:
- GP English name: *Increase scheduling priority*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
-> [!Warning]
-> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
->
+> [!WARNING]
+> If you remove **Window Manager\Window Manager Group** from the **Increase scheduling priority** user right, certain applications and computers do not function correctly. In particular, the INK workspace does not function correctly on unified memory architecture (UMA) laptop and desktop computers that run Windows 10, version 1903 (or later) and that use the Intel GFX driver.
+>
> On affected computers, the display blinks when users draw on INK workspaces such as those that are used by Microsoft Edge, Microsoft PowerPoint, or Microsoft OneNote. The blinking occurs because the inking-related processes repeatedly try to use the Real-Time priority, but are denied permission.
@@ -1271,7 +1303,7 @@ GP Info:
-**UserRights/LoadUnloadDeviceDrivers**
+**UserRights/LoadUnloadDeviceDrivers**
@@ -1285,19 +1317,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1314,11 +1346,13 @@ GP Info:
-This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users. Caution: Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
+This user right determines which users can dynamically load and unload device drivers or other code in to kernel mode. This user right does not apply to Plug and Play device drivers. It is recommended that you do not assign this privilege to other users.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Do not assign this user right to any user, group, or process that you do not want to take over the system.
-GP Info:
+GP Info:
- GP English name: *Load and unload device drivers*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1328,7 +1362,7 @@ GP Info:
-**UserRights/LockMemory**
+**UserRights/LockMemory**
@@ -1342,19 +1376,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1371,11 +1405,11 @@ GP Info:
-This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege could significantly affect system performance by decreasing the amount of available random access memory (RAM).
+This user right determines which accounts can use a process to keep data in physical memory, which prevents the system from paging the data to virtual memory on disk. Exercising this privilege might significantly affect system performance by decreasing the amount of available random access memory (RAM).
-GP Info:
+GP Info:
- GP English name: *Lock pages in memory*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1385,7 +1419,7 @@ GP Info:
-**UserRights/ManageAuditingAndSecurityLog**
+**UserRights/ManageAuditingAndSecurityLog**
@@ -1399,19 +1433,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1428,11 +1462,11 @@ GP Info:
-This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege can also view and clear the security log.
+This user right determines which users can specify object access auditing options for individual resources, such as files, Active Directory objects, and registry keys. This security setting does not allow a user to enable file and object access auditing in general. You can view audited events in the security log of the Event Viewer. A user with this privilege also can view and clear the security log.
-GP Info:
+GP Info:
- GP English name: *Manage auditing and security log*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1442,7 +1476,7 @@ GP Info:
-**UserRights/ManageVolume**
+**UserRights/ManageVolume**
@@ -1456,19 +1490,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1489,7 +1523,7 @@ This user right determines which users and groups can run maintenance tasks on a
-GP Info:
+GP Info:
- GP English name: *Perform volume maintenance tasks*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1499,7 +1533,7 @@ GP Info:
-**UserRights/ModifyFirmwareEnvironment**
+**UserRights/ModifyFirmwareEnvironment**
@@ -1513,19 +1547,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1542,11 +1576,13 @@ GP Info:
-This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor.On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should only be modified by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.Note: This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
+This user right determines who can modify firmware environment values. Firmware environment variables are settings stored in the nonvolatile RAM of non-x86-based computers. The effect of the setting depends on the processor. On x86-based computers, the only firmware environment value that can be modified by assigning this user right is the Last Known Good Configuration setting, which should be modified only by the system. On Itanium-based computers, boot information is stored in nonvolatile RAM. Users must be assigned this user right to run bootcfg.exe and to change the Default Operating System setting on Startup and Recovery in System Properties. On all computers, this user right is required to install or upgrade Windows.
+> [!NOTE]
+> This security setting does not affect who can modify the system environment variables and user environment variables that are displayed on the Advanced tab of System Properties.
-GP Info:
+GP Info:
- GP English name: *Modify firmware environment values*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1556,7 +1592,7 @@ GP Info:
-**UserRights/ModifyObjectLabel**
+**UserRights/ModifyObjectLabel**
@@ -1570,19 +1606,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1603,7 +1639,7 @@ This user right determines which user accounts can modify the integrity label of
-GP Info:
+GP Info:
- GP English name: *Modify an object label*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1613,7 +1649,7 @@ GP Info:
-**UserRights/ProfileSingleProcess**
+**UserRights/ProfileSingleProcess**
@@ -1627,19 +1663,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1660,7 +1696,7 @@ This user right determines which users can use performance monitoring tools to m
-GP Info:
+GP Info:
- GP English name: *Profile single process*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1670,7 +1706,7 @@ GP Info:
-**UserRights/RemoteShutdown**
+**UserRights/RemoteShutdown**
@@ -1684,19 +1720,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1717,7 +1753,7 @@ This user right determines which users are allowed to shut down a computer from
-GP Info:
+GP Info:
- GP English name: *Force shutdown from a remote system*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1727,7 +1763,7 @@ GP Info:
-**UserRights/RestoreFilesAndDirectories**
+**UserRights/RestoreFilesAndDirectories**
@@ -1741,19 +1777,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1770,11 +1806,13 @@ GP Info:
-This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system:Traverse Folder/Execute File, Write. Caution: Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, only assign this user right to trusted users.
+This user right determines which users can bypass file, directory, registry, and other persistent objects permissions when restoring backed up files and directories, and it determines which users can set any valid security principal as the owner of an object. Specifically, this user right is similar to granting the following permissions to the user or group in question on all files and folders on the system: Traverse Folder/Execute File, Write.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Since users with this user right can overwrite registry settings, hide data, and gain ownership of system objects, assign this user right to trusted users only.
-GP Info:
+GP Info:
- GP English name: *Restore files and directories*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1784,7 +1822,7 @@ GP Info:
-**UserRights/TakeOwnership**
+**UserRights/TakeOwnership**
@@ -1798,19 +1836,19 @@ GP Info:
| Pro |
- 4 |
+ 1 |
| Business |
- 4 |
+ 1 |
| Enterprise |
- 4 |
+ 1 |
| Education |
- 4 |
+ 1 |
@@ -1827,11 +1865,13 @@ GP Info:
-This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads. Caution: Assigning this user right can be a security risk. Since owners of objects have full control of them, only assign this user right to trusted users.
+This user right determines which users can take ownership of any securable object in the system, including Active Directory objects, files and folders, printers, registry keys, processes, and threads.
+> [!CAUTION]
+> Assigning this user right can be a security risk. Since owners of objects have full control of them, assign this user right to trusted users only.
-GP Info:
+GP Info:
- GP English name: *Take ownership of files or other objects*
- GP path: *Windows Settings/Security Settings/Local Policies/User Rights Assignment*
@@ -1849,6 +1889,4 @@ Footnotes:
- 6 - Added in Windows 10, version 1903.
- 7 - Added in Windows 10, version 1909.
- 8 - Added in Windows 10, version 2004.
-
-
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
index e114e9f5ec..8510d7574e 100644
--- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md
@@ -116,7 +116,7 @@ To trigger a remote Windows Autopilot Reset via Intune, follow these steps:
- Select **Autopilot Reset** to kick-off the reset task.
>[!NOTE]
->The Autopilot Reset option will not be enabled in Microsoft Intune for devices not running Windows 10 build 17672 or higher.
+>The Autopilot Reset option will only be enabled in Microsoft Intune for devices running Windows 10 build 17672 or higher.
>[!IMPORTANT]
>The feature for Autopilot Reset will stay grayed out, **unless** you reset the device using Autopilot (either using Fresh Reset or manually sysprep the device).
diff --git a/windows/privacy/manage-windows-2004-endpoints.md b/windows/privacy/manage-windows-2004-endpoints.md
index 75e9aa6738..73e8c9e0fd 100644
--- a/windows/privacy/manage-windows-2004-endpoints.md
+++ b/windows/privacy/manage-windows-2004-endpoints.md
@@ -53,7 +53,7 @@ The following methodology was used to derive these network endpoints:
||The following endpoint is used for the Weather app. To turn off traffic for this endpoint, either uninstall the Weather app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|tile-service.weather.microsoft.com
||The following endpoint is used for OneNote Live Tile. To turn off traffic for this endpoint, either uninstall OneNote or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|HTTPS|cdn.onenote.net/*
||The following endpoint is used by the Photos app to download configuration files, and to connect to the Office 365 portal's shared infrastructure, including Office in a browser. To turn off traffic for this endpoint, either uninstall the Photos app or disable the Microsoft Store. If you disable the Microsoft store, other Store apps cannot be installed or updated. Additionally, the Microsoft Store won't be able to revoke malicious Store apps and users will still be able to open them.|TLSv1.2|evoke-windowsservices-tas.msedge.net|
-|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible turn off traffic to this endpoint, but that is not recommended because when root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
+|Certificates|The following endpoint is used by the Automatic Root Certificates Update component to automatically check the list of trusted authorities on Windows Update to see if an update is available. It is possible to turn off traffic to this endpoint, but it is not recommended because as root certificates are updated over time, applications and websites may stop working because they did not receive an updated root certificate the application uses. Additionally, it is used to download certificates that are publicly known to be fraudulent. These settings are critical for both Windows security and the overall security of the Internet. We do not recommend blocking this endpoint. If traffic to this endpoint is turned off, Windows no longer automatically downloads certificates known to be fraudulent, which increases the attack vector on the device.||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#automatic-root-certificates-update)|
|||HTTP|ctldl.windowsupdate.com|
|Cortana and Search|||[Learn how to turn off traffic to all of the following endpoint(s).](manage-connections-from-windows-operating-system-components-to-microsoft-services.md#bkmk-cortana)|
||The following endpoints are related to Cortana and Live Tiles. If you turn off traffic for this endpoint, you will block updates to Cortana greetings, tips, and Live Tiles.|TLSv1.2|www.bing.com*|
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
index 2ec659113a..de3c6cfb93 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@@ -30,7 +30,7 @@ For a list of the cmdlets and their functions and available parameters, see the
PowerShell cmdlets are most useful in Windows Server environments that don't rely on a graphical user interface (GUI) to configure software.
> [!NOTE]
-> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/100591).
+> PowerShell cmdlets should not be used as a replacement for a full network policy management infrastructure, such as [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr), [Group Policy Management Console](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), or [Microsoft Defender Antivirus Group Policy ADMX templates](https://www.microsoft.com/download/101445).
Changes made with PowerShell will affect local settings on the endpoint where the changes are deployed or made. This means that deployments of policy with Group Policy, Microsoft Endpoint Configuration Manager, or Microsoft Intune can overwrite changes made with PowerShell.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
index 3bbf64e500..8923860ea6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements.md
@@ -93,6 +93,10 @@ The hardware requirements for Microsoft Defender ATP on machines is the same as
> [!NOTE]
> Machines running mobile versions of Windows are not supported.
+>
+> Virtual Machines running Windows 10 Enterprise 2016 LTSC (which is based on Windows 10, version 1607) may encounter performance issues if run on non-Microsoft virtualization platforms.
+>
+> For virtual environments, we recommend using Windows 10 Enterprise LTSC 2019 (which is based on Windows 10, version 1809) or later.
### Other supported operating systems
diff --git a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
index b4b27d638f..5e1fd0cad0 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/post-ti-indicator.md
@@ -29,7 +29,7 @@ Submits or Updates new [Indicator](ti-indicator.md) entity.
## Limitations
1. Rate limitations for this API are 100 calls per minute and 1500 calls per hour.
-2. There is a limit of 5,000 active indicators per tenant.
+2. There is a limit of 15,000 active indicators per tenant.
## Permissions
@@ -102,4 +102,4 @@ Content-type: application/json
```
## Related topic
-- [Manage indicators](manage-indicators.md)
\ No newline at end of file
+- [Manage indicators](manage-indicators.md)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/preview.md b/windows/security/threat-protection/microsoft-defender-atp/preview.md
index 87e4748efa..06b2eb8dec 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/preview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/preview.md
@@ -47,7 +47,6 @@ Turn on the preview experience setting to be among the first to try upcoming fea
## Preview features
The following features are included in the preview release:
-- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
- [Create indicators for certificates](manage-indicators.md)
Create indicators to allow or block certificates.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
index 963c08c5ff..e92f68d8a9 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/whats-new-in-microsoft-defender-atp.md
@@ -35,6 +35,11 @@ For more information preview features, see [Preview features](https://docs.micro
> https://docs.microsoft.com/api/search/rss?search=%22Microsoft+Defender+ATP+as+well+as+security+features+in+Windows+10+and+Windows+Server.%22&locale=en-us
> ```
+
+## June 2020
+- [Attack simulators in the evaluation lab](evaluation-lab.md#threat-simulator-scenarios)
Microsoft Defender ATP has partnered with various threat simulation platforms to give you convenient access to test the capabilities of the platform right from the within the portal.
+
+
## April 2020
- [Threat & Vulnerability Management API support](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/exposed-apis-list)
Run Threat & Vulnerability Management-related API calls such as get your organization's threat exposure score or device secure score, software and machine vulnerability inventory, software version distribution, machine vulnerability information, security recommendation information. Learn more from this [Microsoft Tech Community blog post](https://techcommunity.microsoft.com/t5/microsoft-defender-atp/threat-amp-vulnerability-management-apis-are-now-generally/ba-p/1304615).