From 460d37022764980da20a3ffc52b249c316a3a703 Mon Sep 17 00:00:00 2001 From: Mattias Borg Date: Fri, 27 Oct 2017 11:47:36 +0200 Subject: [PATCH 1/7] Update use-windows-event-forwarding-to-assist-in-instrusion-detection.md --- ...-event-forwarding-to-assist-in-instrusion-detection.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md index 5142227854..658e3fcaf7 100644 --- a/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md +++ b/windows/threat-protection/use-windows-event-forwarding-to-assist-in-instrusion-detection.md @@ -606,9 +606,9 @@ Here are the minimum steps for WEF to operate: - + *[EventData[Data[@Name="QueryOptions"]="140737488355328"]] - + *[EventData[Data[@Name="QueryResults"]=""]] @@ -636,7 +636,7 @@ Here are the minimum steps for WEF to operate: - + @@ -650,4 +650,4 @@ You can get more info with the following links: - [Event Query Schema](http://msdn.microsoft.com/library/aa385760.aspx) - [Windows Event Collector](http://msdn.microsoft.com/library/windows/desktop/bb427443.aspx) -Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md). \ No newline at end of file +Not finding content you need? Windows 10 users, tell us what you want on [Feedback Hub](feedback-hub://?referrer=techDocsUcPage&tabid=2&contextid=897&newFeedback=true&topic=use-windows-event-forwarding-to-assist-in-instrusion-detection.md). From 8621ed3d73e8aa58d67a4c5f8b15e1c98b41cd06 Mon Sep 17 00:00:00 2001 
From: jvheaton Date: Wed, 1 Nov 2017 15:38:55 -0700 Subject: [PATCH 2/7] Update credentials spelling --- ...fferences-between-surface-hub-and-windows-10-enterprise.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md index 8a85487527..d1a52c56b3 100644 --- a/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md +++ b/devices/surface-hub/differences-between-surface-hub-and-windows-10-enterprise.md 
@@ -32,7 +32,7 @@ Surface Hub doesn't have a lock screen or a screen saver, but it has a similar f ### User sign-in -Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those crednetials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS). +Surface Hub is designed to be used in communal spaces, such as meeting rooms. Unlike Windows PCs, anyone can walk up and use a Surface Hub without requiring a user to sign in. To enable this communal functionality, Surface Hub does not support Windows sign-in the same way that Windows 10 Enterprise does (e.g., signing in a user to the OS and using those credentials throughout the OS). Instead, there is always a local, auto signed-in, low-privilege user signed in to the Surface Hub. It doesn't support signing in any additional users, including admin users (e.g., when an admin signs in, they are not signed in to the OS). Users can sign in to a Surface Hub, but they will not be signed in to the OS. For example, when a user signs in to Apps or My Meetings and Files, the users is signed in only to the apps or services, not to the OS. As a result, the signed-in user is able to retrieve their cloud files and personal meetings stored in the cloud, and these credentials are discarded when **End session** is activated. 
@@ -168,4 +168,4 @@ Users can sign in to Microsoft Edge to access intranet sites and online resource The Surface Hub OS uses the Windows 10 Connected User Experience and Telemetry component to gather and transmit telemetry data. For more information, see [Configure Windows telemetry in your organization](https://technet.microsoft.com/itpro/windows/manage/configure-windows-telemetry-in-your-organization). -*Organization policies that this may affect:*
Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise. \ No newline at end of file +*Organization policies that this may affect:*
Configure telemetry levels for Surface Hub in the same way as you do for Windows 10 Enterprise. From 937db704b9148e9cee7c7010cad4d00ce9c4fdad Mon Sep 17 00:00:00 2001 From: Matt Graeber Date: Thu, 2 Nov 2017 10:30:11 -0700 Subject: [PATCH 3/7] Adding runscripthelper.exe to the blacklist ruleset Reference for the runscripthelper.exe bypass: https://posts.specterops.io/bypassing-application-whitelisting-with-runscripthelper-exe-1906923658fc Also giving credit to Lee Christensen for his visualuiaverifynative.exe bypass contribution. --- .../device-guard/deploy-code-integrity-policies-steps.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md index 47d2848249..f5c907daf3 100644 --- a/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md +++ b/windows/device-security/device-guard/deploy-code-integrity-policies-steps.md @@ -73,6 +73,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you |Matt Nelson | @enigma0x3| |Oddvar Moe |@Oddvarmoe| |Alex Ionescu | @aionescu| +|Lee Christensen|@tifkin_|
@@ -134,6 +135,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + @@ -418,6 +420,7 @@ Microsoft recommends that you block the following Microsoft-signed applications + From 0db0e752118f308807a455701b55947b42978473 Mon Sep 17 00:00:00 2001 From: chintanpatel Date: Tue, 7 Nov 2017 09:20:28 -0800 Subject: [PATCH 4/7] Update reqs-wd-app-guard.md --- .../windows-defender-application-guard/reqs-wd-app-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 00798f619b..0cf68cd835 100644 --- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md 
@@ -22,7 +22,7 @@ Your environment needs the following hardware to run Windows Defender Applicatio |Hardware|Description| |--------|-----------| -|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| +|64-bit CPU|A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).| |CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_

**-AND-**

One of the following virtualization extensions for VBS:

VT-x (Intel)

**-OR-**

AMD-V| |Hardware memory|Microsoft recommends 8GB RAM for optimal performance| |Hard disk|5 GB free space, solid state disk (SSD) recommended| From 74ef1a6727d16115ad1a7d16b3498ebf849aae9c Mon Sep 17 00:00:00 2001 From: chintanpatel Date: Tue, 7 Nov 2017 10:22:26 -0800 Subject: [PATCH 5/7] Update reqs-wd-app-guard.md --- .../windows-defender-application-guard/reqs-wd-app-guard.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md index 00798f619b..bbc943fd7b 100644 --- a/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md @@ -17,6 +17,9 @@ ms.date: 08/11/2017 The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive. +>[!NOTE] +>Windows Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. + ## Hardware requirements Your environment needs the following hardware to run Windows Defender Application Guard. From f739e7356dfb97a8281c09929949a031ab355226 Mon Sep 17 00:00:00 2001 From: chintanpatel Date: Tue, 7 Nov 2017 16:16:19 -0800 Subject: [PATCH 6/7] Update faq-wd-app-guard.md --- .../faq-wd-app-guard.md | 9 +++++++++ 1 file changed, 9 insertions(+) 
diff --git a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md index 634876b5b8..74e513ecbd 100644 --- a/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md +++ b/windows/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md @@ -19,6 +19,15 @@ Answering frequently asked questions about Windows Defender Application Guard (A ## Frequently Asked Questions +| | | +|---|----------------------------| +|**Q:** |Can I enable Application Guard on machines equipped with 4GB RAM?| +|**A:** |We recommend 8GB RAM for optimal performance but you may use the following registry values to enable Application Guard on machines that aren't meeting the recommended hardware configuration. | +||HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount - Default is 4 cores. | +||HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB - Default is 8GB.| +||HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB - Default is 5GB.| +
+ | | | |---|----------------------------| |**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?| From 927cba612505f356444b7c4b5e4a712af385e6d8 Mon Sep 17 00:00:00 2001 From: y0avb Date: Thu, 9 Nov 2017 16:33:29 +0100 Subject: [PATCH 7/7] remove line "see Surface Hub device account scripts in Script Center" As the url no longer exists. --- devices/surface-hub/prepare-your-environment-for-surface-hub.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface-hub/prepare-your-environment-for-surface-hub.md b/devices/surface-hub/prepare-your-environment-for-surface-hub.md index c2281921b1..8ad6bda6cb 100644 --- a/devices/surface-hub/prepare-your-environment-for-surface-hub.md +++ b/devices/surface-hub/prepare-your-environment-for-surface-hub.md @@ -68,7 +68,7 @@ Surface Hub interacts with a few different products and services. Depending on t A device account is an Exchange resource account that Surface Hub uses to display its meeting calendar, join Skype for Business calls, send email, and (optionally) to authenticate to Exchange. See [Create and test a device account](create-and-test-a-device-account-surface-hub.md) for details. -After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [Surface Hub device account scripts](https://gallery.technet.microsoft.com/scriptcenter/Surface-Hub-device-account-6db77696) in Script Center, or [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide. +After you've created your device account, to verify that it's setup correctly, run Surface Hub device account validation PowerShell scripts. For more information, see [PowerShell scripts for Surface Hub](appendix-a-powershell-scripts-for-surface-hub.md) later in this guide.
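Review bot: the subject of PATCH 1/7 ("Update use-windows-event-forwarding-to-assist-in-instrusion-detection.md") does not say what was changed at @@ -606,9 and @@ -636,7, and the @@ -650,4 hunk only adds the missing end-of-file newline after the Feedback Hub line, which is unrelated. Describe the fix made next to the QueryOptions and QueryResults selectors in the commit message, and mention or split out the newline change.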
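Review bot: the trailing context of the @@ -32,7 +32,7 hunk in PATCH 2/7 (differences-between-surface-hub-and-windows-10-enterprise.md) still reads "the users is signed in only to the apps or services". Since this patch is a spelling pass over the same section, correct it to "the user is signed in" in the same change.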
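Review bot: the reference for the runscripthelper.exe bypass lives only in the commit message of PATCH 3/7. The three inserted lines (the credit row at @@ -73,6 and one line each at @@ -134,6 and @@ -418,6 of deploy-code-integrity-policies-steps.md) give a reader of the page no pointer to why the binary is blocked. Add the link to the page itself, and note that the new row `|Lee Christensen|@tifkin_|` credits a different contribution (visualuiaverifynative.exe) than the one the subject line names, so the subject should cover both or the credit should be its own commit.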
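Review bot: the 4-core minimum added to the "64-bit CPU" row in PATCH 4/7 (@@ -22,7 +22,7 of reqs-wd-app-guard.md) is worded as required for the hypervisor and VBS, while the "Hardware memory" row of the same table only says Microsoft "recommends 8GB RAM". Give the core count its own row and state whether it is enforced or a recommendation, so it is not read as a property of 64-bit CPUs. "with minimum 4 cores" should also read "with a minimum of 4 cores".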
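Review bot: the note added in PATCH 5/7 (@@ -17,6 +17,9 of reqs-wd-app-guard.md) uses "WDAG" without introducing the abbreviation, and tells the reader to enable Hyper-V nested virtualization on the host without linking to the steps. Write the product name out or define the abbreviation on first use, add the link, and change "VMs and VDI environment" to "VMs and VDI environments".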
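Review bot: the three registry rows added in PATCH 6/7 (@@ -19,6 +19,15 of faq-wd-app-guard.md) give value names and defaults but not the value type, what to set for the 4GB case the question asks about, or whether a restart is needed before the new thresholds apply. Add those details, say that a machine configured this way is running below the recommended hardware configuration, and write the key path with consistent casing (the rows use `HKLM\software\Microsoft\Hvsi`).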
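Review bot: the replacement line in PATCH 7/7 (@@ -68,7 +68,7 of prepare-your-environment-for-surface-hub.md) carries over "to verify that it's setup correctly"; used as a verb this should be "set up". Fix it while the sentence is being rewritten to drop the dead Script Center link.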