From f8a1ac00c59679cffefa274c482e30bdaf5062b4 Mon Sep 17 00:00:00 2001 From: Daniel Keer <4249262+thedxt@users.noreply.github.com> Date: Wed, 28 Jul 2021 13:09:12 -0600 Subject: [PATCH 1/9] Update user-account-control-group-policy-and-registry-key-settings.md correcting ConsentPromptBehaviorUser default state is Prompt for credentials not Prompt for credentials on the secure desktop --- ...er-account-control-group-policy-and-registry-key-settings.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 130688534d..5bb9b7b708 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md 
@@ -32,7 +32,7 @@ There are 10 Group Policy settings that can be configured for User Account Contr | [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled | | [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled | | [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries | -| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop | +| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials | | [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home)
Disabled (default for enterprise) | | [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled | | [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled | From b3109a3105b4bd1676648d1c4fa8fa6e688faa62 Mon Sep 17 00:00:00 2001 From: Daniel Keer <4249262+thedxt@users.noreply.github.com> Date: Wed, 28 Jul 2021 13:24:52 -0600 Subject: [PATCH 2/9] Update user-account-control-group-policy-and-registry-key-settings.md Correcting User Account Control: Behavior of the elevation prompt for standard users default. The default is Prompt for credentials --- ...-account-control-group-policy-and-registry-key-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md index 5bb9b7b708..6f65b3199e 100644 --- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md +++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md 
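Review bot: the table-row hunk in patch 1/9 changes the ConsentPromptBehaviorUser default to `Prompt for credentials`, but the options list under "Behavior of the elevation prompt for standard users" later in the same file still marks "Prompt for credentials on the secure desktop" as `(Default)`, so after this commit alone the page contradicts itself; the list needs the same correction in the same change (patch 2/9 in this series does it, so squashing the two commits would keep every intermediate revision consistent). While the row is being touched, the default column gives only the policy label; listing the registry data value beside each label would let a reader confirm the default from the registry without opening the policy editor.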
@@ -104,8 +104,8 @@ The **User Account Control: Behavior of the elevation prompt for standard users* The options are: - **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls. -- **Prompt for credentials on the secure desktop.** (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. -- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. +- **Prompt for credentials.** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege. ### User Account Control: Detect application installations and prompt for elevation From 4703174427b0cba0e07b8234680541473a4d10b7 Mon Sep 17 00:00:00 2001 From: Crimsonfox89 <40465227+Crimsonfox89@users.noreply.github.com> Date: Fri, 13 Aug 2021 21:44:12 +0100 Subject: [PATCH 3/9] Typo fix "to option to" -> "the option to" --- windows/deployment/update/waas-wu-settings.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
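Review bot: with `(Default)` moved to "Prompt for credentials", the two bullets now differ in wording that is not the point of the change: the secure-desktop bullet says the user enters "a different user name and password" while the non-secure-desktop bullet says "an administrative user name and password"; both describe the same credential prompt, so align them (the second form is the accurate one) so that readers do not infer a behavioural difference beyond the secure desktop.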
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md index c136773bec..eb37c09b3c 100644 --- a/windows/deployment/update/waas-wu-settings.md +++ b/windows/deployment/update/waas-wu-settings.md @@ -47,7 +47,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates. -[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates. +[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them the option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates. You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location). 
@@ -255,4 +255,4 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\ - [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md) - [Configure BranchCache for Windows 10 updates](waas-branchcache.md) - [Configure Windows Update for Business](waas-configure-wufb.md) -- [Manage device restarts after updates](waas-restart.md) \ No newline at end of file +- [Manage device restarts after updates](waas-restart.md) From 22e9c02cdec7a228305eece9ceb53c856ac20d23 Mon Sep 17 00:00:00 2001 From: Lovina Saldanha Date: Mon, 23 Aug 2021 22:33:33 +0530 Subject: [PATCH 4/9] updated-5358710 Kernel DMA++ for W11 - updated topics per task 5358710 --- .../encrypted-hard-drive.md | 3 +- .../kernel-dma-protection-for-thunderbolt.md | 7 ++-- .../secure-the-windows-10-boot-process.md | 39 ++++++++++--------- 3 files changed, 26 insertions(+), 23 deletions(-) diff --git a/windows/security/information-protection/encrypted-hard-drive.md b/windows/security/information-protection/encrypted-hard-drive.md index 1fc11d00d4..94d231d8f3 100644 --- a/windows/security/information-protection/encrypted-hard-drive.md +++ b/windows/security/information-protection/encrypted-hard-drive.md @@ -1,5 +1,5 @@ --- -title: Encrypted Hard Drive (Windows 10) +title: Encrypted Hard Drive (Windows) description: Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb ms.reviewer: @@ -17,6 +17,7 @@ ms.date: 04/02/2019 **Applies to** - Windows 10 +- Windows 11 - Windows Server 2022 - Windows Server 2019 - Windows Server 2016 diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md index 31fc1097a4..2a7cc852d6 100644 --- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md 
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md @@ -1,5 +1,5 @@ --- -title: Kernel DMA Protection (Windows 10) +title: Kernel DMA Protection (Windows) description: Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. ms.prod: w10 ms.mktglfcycl: deploy @@ -19,6 +19,7 @@ ms.reviewer: **Applies to** - Windows 10 +- Windows 11 In Windows 10 version 1803, Microsoft introduced a new feature called Kernel DMA Protection to protect PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to externally accessible PCIe ports (e.g., Thunderbolt™ 3 ports and CFexpress). In Windows 10 version 1903, Microsoft expanded the Kernel DMA Protection support to cover internal PCIe ports (e.g., M.2 slots) @@ -92,7 +93,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if - Reboot into BIOS settings - Turn on Intel Virtualization Technology. - Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md). - - Reboot system into Windows 10. + - Reboot system into Windows. >[!NOTE] > **Hyper-V - Virtualization Enabled in Firmware** is not available when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is displayed. This means that **Hyper-V - Virtualization Enabled in Firmware** is set to Yes and the **Hyper-V** Windows feature is enabled. Enabling Hyper-V virtualization in Firmware (IOMMU) is required to enable **Kernel DMA Protection**, even when the firmware has the flag of "ACPI Kernel DMA Protection Indicators" described in [Kernel DMA Protection (Memory Access Protection) for OEMs](/windows-hardware/design/device-experiences/oem-kernel-dma-protection). 
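Review bot: the `description:` line directly under the retitled `title: Kernel DMA Protection (Windows)` still scopes the feature to "PCI hot plug devices connected to Thunderbolt™ 3 ports", while the body text in this hunk says it covers externally accessible PCIe ports such as Thunderbolt 3 and CFexpress and, from version 1903, internal ports such as M.2; update the description in the same hunk. In the BIOS steps hunk, "In Windows 10 version 1803, only Intel VT-d is supported" now sits on a page whose Applies to list includes Windows 11; keep the version qualifier explicit (or state the current support) so the sentence is not read as a statement about Windows 11.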
@@ -121,7 +122,7 @@ Please check the driver instance for the device you are testing. Some drivers ma ### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping? -If the peripherals do have class drivers provided by Windows 10, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers). +If the peripherals do have class drivers provided by Windows, please use these drivers on your systems. If there are no class drivers provided by Windows for your peripherals, please contact your peripheral vendor/driver vendor to update the driver to support [DMA Remapping](/windows-hardware/drivers/pci/enabling-dma-remapping-for-device-drivers). ### My system's Kernel DMA Protection is off. Can DMA-remapping for a specific device be turned on? diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 721ae1e1e3..45fc317aa9 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -1,7 +1,7 @@ --- title: Secure the Windows 10 boot process description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications -keywords: trusted boot, windows 10 boot proces +keywords: trusted boot, windows 10 boot process ms.prod: w10 ms.mktglfcycl: Explore ms.pagetype: security 
@@ -22,16 +22,17 @@ ms.author: dansimp **Applies to:** - Windows 10 - Windows 8.1 +- Windows 11 The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings. -Windows 10 has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. +Windows has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. -Those are just some of the ways that Windows 10 protects you from malware. However, those security features protect you only after Windows 10 starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden. 
+Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden. -When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows 10 provides even better startup security than previous versions of Windows. +When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. -First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows 10 can protect you. +First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you. ## The threat: rootkits 
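Review bot: in the `+` line for the desktop-apps paragraph, "Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it's recognized as malware" reads backwards; the "even if" only makes sense as "even if it isn't recognized as malware", which is what a reputation warning adds on top of the signature-based quarantine described in the previous sentence. The unchanged context line above it still says "the Windows 10 operating system includes a series of security features", and the next `+` line keeps "When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI)", so the hunk applies the "Windows" wording only halfway.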
@@ -46,16 +47,16 @@ Different types of rootkits load during different phases of the startup process: - **Driver rootkits.** These kits pretend to be one of the trusted drivers that Windows uses to communicate with the PC hardware. ## The countermeasures -Windows 10 supports four features to help prevent rootkits and bootkits from loading during the startup process: +Windows supports four features to help prevent rootkits and bootkits from loading during the startup process: - **Secure Boot.** PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders. - **Trusted Boot.** Windows checks the integrity of every component of the startup process before loading it. - **Early Launch Anti-Malware (ELAM).** ELAM tests all drivers before they load and prevents unapproved drivers from loading. - **Measured Boot.** The PC’s firmware logs the boot process, and Windows can send it to a trusted server that can objectively assess the PC’s health. -Figure 1 shows the Windows 10 startup process. +Figure 1 shows the Windows startup process. -![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png) +![Windows startup process](./images/dn168167.boot_process(en-us,MSDN.10).png) **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** 
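Review bot: while this list is being reworded, the Secure Boot bullet ("PCs with UEFI firmware and a Trusted Platform Module (TPM) can be configured to load only trusted operating system bootloaders") ties Secure Boot to the TPM; Secure Boot is a UEFI firmware signature check on the bootloader and does not need a TPM, and it is Measured Boot (the last bullet, and the "stores in the TPM a hash" step later in this patch) that uses the TPM. Suggest "PCs with UEFI firmware can be configured to load only trusted operating system bootloaders."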
@@ -68,10 +69,10 @@ When a PC starts, it first finds the operating system bootloader. PCs without Se When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true: -- **The bootloader was signed using a trusted certificate.** In the case of PCs certified for Windows 10, the Microsoft® certificate is trusted. +- **The bootloader was signed using a trusted certificate.** In the case of PCs certified for Windows, the Microsoft® certificate is trusted. - **The user has manually approved the bootloader’s digital signature.** This allows the user to load non-Microsoft operating systems. -All x86-based Certified For Windows 10 PCs must meet several requirements related to Secure Boot: +All x86-based Certified For Windows PCs must meet several requirements related to Secure Boot: - They must have Secure Boot enabled by default. - They must trust Microsoft’s certificate (and thus any bootloader Microsoft has signed). 
@@ -80,30 +81,30 @@ All x86-based Certified For Windows 10 PCs must meet several requirements relat These requirements help protect you from rootkits while allowing you to run any operating system you want. You have three options for running non-Microsoft operating systems: -- **Use an operating system with a certified bootloader.** Because all Certified For Windows 10 PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows 10 PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to . -- **Configure UEFI to trust your custom bootloader.** All Certified For Windows 10 PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems. -- **Turn off Secure Boot.** All Certified For Windows 10 PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however. +- **Use an operating system with a certified bootloader.** Because all Certified For Windows PCs must trust Microsoft’s certificate, Microsoft offers a service to analyze and sign any non-Microsoft bootloader so that it will be trusted by all Certified For Windows PCs. In fact, an [open source bootloader](http://mjg59.dreamwidth.org/20303.html) capable of loading Linux is already available. To begin the process of obtaining a certificate, go to . +- **Configure UEFI to trust your custom bootloader.** All Certified For Windows PCs allow you to trust a non-certified bootloader by adding a signature to the UEFI database, allowing you to run any operating system, including homemade operating systems. 
+- **Turn off Secure Boot.** All Certified For Windows PCs allow you to turn off Secure Boot so that you can run any software. This does not help protect you from bootkits, however. To prevent malware from abusing these options, the user must manually configure the UEFI firmware to trust a non-certified bootloader or to turn off Secure Boot. Software cannot change the Secure Boot settings. Like most mobile devices, ARM-based Certified For Windows RT devices, such as the Microsoft Surface RT device, are designed to run only Windows 8.1. Therefore, Secure Boot cannot be turned off, and you cannot load a different operating system. Fortunately, there is a large market of ARM devices designed to run other operating systems. ## Trusted Boot -Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 10 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. +Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally. 
## Early Launch Anti-Malware Because Secure Boot has protected the bootloader and Trusted Boot has protected the Windows kernel, the next opportunity for malware to start is by infecting a non-Microsoft boot driver. Traditional anti-malware apps don’t start until after the boot drivers have been loaded, giving a rootkit disguised as a driver the opportunity to work. Early Launch Anti-Malware (ELAM) can load a Microsoft or non-Microsoft anti-malware driver before all non-Microsoft boot drivers and applications, thus continuing the chain of trust established by Secure Boot and Trusted Boot. Because the operating system hasn’t started yet, and because Windows needs to boot as quickly as possible, ELAM has a simple task: examine every boot driver and determine whether it is on the list of trusted drivers. If it’s not trusted, Windows won’t load it. -An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows 10) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](/lifecycle/products/microsoft-system-center-2012-endpoint-protection) and several non-Microsoft anti-malware apps. +An ELAM driver isn’t a full-featured anti-malware solution; that loads later in the boot process. Windows Defender (included with Windows) supports ELAM, as does [Microsoft System Center 2012 Endpoint Protection](/lifecycle/products/microsoft-system-center-2012-endpoint-protection) and several non-Microsoft anti-malware apps. ## Measured Boot If a PC in your organization does become infected with a rootkit, you need to know about it. Enterprise anti-malware apps can report malware infections to the IT department, but that doesn’t work with rootkits that hide their presence. In other words, you can’t trust the client to tell you whether it’s healthy. As a result, PCs infected with rootkits appear to be healthy, even with anti-malware running. 
Infected PCs continue to connect to the enterprise network, giving the rootkit access to vast amounts of confidential data and potentially allowing the rootkit to spread across the internal network. -Working with the TPM and non-Microsoft software, Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process: +Working with the TPM and non-Microsoft software, Measured Boot in Windows allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process: 1. The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app. 2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key. 
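Review bot: the `+` line for "Use an operating system with a certified bootloader" carries forward the dangling "To begin the process of obtaining a certificate, go to ." with no link target; since the line is being rewritten anyway, restore the URL or drop the sentence rather than republish the broken reference. In the Trusted Boot paragraph, the `+` line changes "Windows 10 can automatically repair" to "Windows" but leaves "the Windows 10 kernel" twice in the preceding sentences, and the untouched ARM paragraph in the same hunk still describes Windows RT devices as "designed to run only Windows 8.1"; both should be brought in line with the Windows 11 scope this patch adds to the Applies to list.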
@@ -121,12 +122,12 @@ Figure 2 illustrates the Measured Boot and remote attestation process. **Figure 2. Measured Boot proves the PC’s health to a remote server** -Windows 10 includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For an example of such a tool, download the [TPM Platform Crypto-Provider Toolkit](https://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/) from Microsoft Research or Microsoft Enterprise Security MVP Dan Griffin’s [Measured Boot Tool](http://mbt.codeplex.com/). +Windows includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it. For an example of such a tool, download the [TPM Platform Crypto-Provider Toolkit](https://research.microsoft.com/en-us/downloads/74c45746-24ad-4cb7-ba4b-0c6df2f92d5d/) from Microsoft Research or Microsoft Enterprise Security MVP Dan Griffin’s [Measured Boot Tool](http://mbt.codeplex.com/). -Measured Boot uses the power of UEFI, TPM, and Windows 10 to give you a way to confidently assess the trustworthiness of a client PC across the network. +Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to confidently assess the trustworthiness of a client PC across the network. ## Summary -Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows 10, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows 10, you can truly trust the integrity of your operating system. 
+Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system. ## Additional resources - [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) \ No newline at end of file From c42cfb833ad094ffe4d40ae1a4f7fa6caf3731ba Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 31 Aug 2021 15:06:03 -0700 Subject: [PATCH 5/9] Update secure-the-windows-10-boot-process.md --- .../secure-the-windows-10-boot-process.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 45fc317aa9..9776d72d6f 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md 
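Review bot: the `+` line keeps `http://mbt.codeplex.com/` and the `research.microsoft.com` download link verbatim; CodePlex has been shut down and archived, so both links should be verified or replaced while the line is touched, otherwise the only remote-attestation tooling the page points to is unreachable. The summary `+` line also keeps "leaps and bounds ahead of everything else", which is marketing copy rather than a technical claim; consider trimming it. The "Additional resources" bullet at the end of the hunk still ends with "\ No newline at end of file" (fixed separately in patch 5/9 of this series).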
@@ -20,9 +20,10 @@ ms.author: dansimp # Secure the Windows 10 boot process **Applies to:** +- Windows 11 - Windows 10 - Windows 8.1 -- Windows 11 + The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings. @@ -130,4 +131,4 @@ Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to conf Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system. ## Additional resources -- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) \ No newline at end of file +- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) From 72e29533aae2534118ca7e717155cd7d82c0cb3d Mon Sep 17 00:00:00 2001 From: Mandi Ohlinger Date: Tue, 31 Aug 2021 19:53:09 -0400 Subject: [PATCH 6/9] ADO 5367658: PM updates --- .../sideload-apps-in-windows-10.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) 
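Review bot: this hunk moves "- Windows 11" to the top of the Applies to list, but the removed line at the bottom is replaced by a bare `+` line, so an empty line (check it for trailing whitespace) now separates the list from the paragraph; if it is meant as a paragraph break it is fine, otherwise drop it. The H1 "# Secure the Windows 10 boot process" in the context above remains "10"-specific even though Windows 11 now heads the list.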
diff --git a/windows/application-management/sideload-apps-in-windows-10.md b/windows/application-management/sideload-apps-in-windows-10.md index 11defe4f8f..7edd100ef0 100644 --- a/windows/application-management/sideload-apps-in-windows-10.md +++ b/windows/application-management/sideload-apps-in-windows-10.md @@ -10,7 +10,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: mobile author: greg-lindsay -ms.date: 08/30/2021 +ms.date: 08/31/2021 ms.localizationpriority: medium --- @@ -21,7 +21,7 @@ ms.localizationpriority: medium > - Windows 10 > [!NOTE] -> As of Windows Insider Build 18956, sideloading is enabled by default. You can deploy a signed package onto a device without a special configuration. +> Starting with Windows 10 2004, sideloading is enabled by default. You can deploy a signed package onto a device without a special configuration. Sideloading apps is when you install apps that aren't from an official source, such as the Microsoft store. Your organization may create its own apps, including line-of-business (LOB) apps. Many organizations create their own apps to solve problems unique to their business. @@ -59,7 +59,7 @@ Unmanaged devices are devices that are not managed by your organization. These d > To install an app on Windows 10 and later, you can: > > - [Install Windows 10 apps from a web page](/windows/msix/app-installer/installing-windows10-apps-web). -> - Users can double-click any `.APPX` or `.MSIX` package. +> - Users can double-click any `.msix` or `.appx` package. ### User interface 
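Review bot: in the NOTE hunk, "Starting with Windows 10 2004" should spell out the release as "Windows 10, version 2004" so that "2004" is not misread as a build number like the "Insider Build 18956" it replaces (compare "Windows 10 version 1803" in patch 4/9 of this series). In the double-click bullet, lowercasing to `.msix` or `.appx` matches how the extensions are written in the later steps, but the link text "Install Windows 10 apps from a web page" directly above is left unchanged while the page is being moved to "Windows 10 and later" wording.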
@@ -90,7 +90,7 @@ Using Microsoft Intune, you can also enable sideloading apps on managed devices. This step installs the app certificate to the local device. Installing the certificate creates the trust between the app and the device. -1. Open the security certificate for the `.appx` package, and select **Install Certificate**. +1. Open the security certificate for the `.msix` package, and select **Install Certificate**. 2. On the **Certificate Import Wizard**, select **Local Machine**. @@ -102,6 +102,6 @@ This step installs the app certificate to the local device. Installing the certi ## Step 3: Install the app -From the folder with the `.appx` package, run the Windows PowerShell `Add-AppxPackage` command to install the `.appx` package. +From the folder with the `.msix` package, run the Windows PowerShell `Add-AppxPackage` command to install the `.msix` package. For more information on this command, see [Add-AppxPackage](/powershell/module/appx/add-appxpackage). From 4466a082bca38c76ae91d2796cb2b4f025139fd3 Mon Sep 17 00:00:00 2001 From: Alekhya Jupudi Date: Thu, 2 Sep 2021 11:46:05 +0530 Subject: [PATCH 7/9] Task - 5358645: Clean-up work Clean -up work and minor updates to improve acrolinx score. --- .../event-id-explanations.md | 2 +- .../event-tag-explanations.md | 2 +- ...ion-control-events-centrally-using-advanced-hunting.md | 2 +- ...nder-application-control-with-dynamic-code-security.md | 8 ++++---- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md index f8b093734a..a87cd17fec 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-id-explanations.md 
@@ -1,5 +1,5 @@ --- -title: Understanding Application Control event IDs (Windows 10) +title: Understanding Application Control event IDs (Windows) description: Learn what different Windows Defender Application Control event IDs signify. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb diff --git a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md index 9eb35220b5..f5d7d82e37 100644 --- a/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md +++ b/windows/security/threat-protection/windows-defender-application-control/event-tag-explanations.md @@ -1,5 +1,5 @@ --- -title: Understanding Application Control event tags (Windows 10) +title: Understanding Application Control event tags (Windows) description: Learn what different Windows Defender Application Control event tags signify. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb diff --git a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md index ed001ad80e..134acc8d1f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md +++ b/windows/security/threat-protection/windows-defender-application-control/querying-application-control-events-centrally-using-advanced-hunting.md 
@@ -1,5 +1,5 @@ --- -title: Query Application Control events with Advanced Hunting (Windows 10) +title: Query Application Control events with Advanced Hunting (Windows) description: Learn how to query Windows Defender Application Control events across your entire organization by using Advanced Hunting. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md index 9670e64011..f1f66a910c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-dynamic-code-security.md @@ -1,5 +1,5 @@ --- -title: Windows Defender Application Control and .NET Hardening (Windows 10) +title: Windows Defender Application Control and .NET Hardening (Windows) description: Dynamic Code Security is an application control feature that can verify code loaded by .NET at runtime. keywords: security, malware ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb 
@@ -21,14 +21,14 @@ ms.technology: mde # Windows Defender Application Control and .NET hardening Historically, Windows Defender Application Control (WDAC) has restricted the set of applications, libraries, and scripts that are allowed to run to those approved by an organization. -Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. -Beginning with Windows 10, version 1803, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. +Security researchers have found that some .NET applications may be used to circumvent those controls by using .NET’s capabilities to load libraries from external sources or generate new code on the fly. +Beginning with Windows 10, version 1803, or Windows 11, WDAC features a new capability, called *Dynamic Code Security* to verify code loaded by .NET at runtime. When the Dynamic Code Security option is enabled, WDAC policy is applied to libraries that .NET loads from external sources. Additionally, it detects tampering in code generated to disk by .NET and blocks loading code that has been tampered with. Dynamic Code Security is not enabled by default because existing policies may not account for externally loaded libraries. -Additionally, a small number of .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled. +Additionally, a few .NET loading features, including loading unsigned assemblies built with System.Reflection.Emit, are not currently supported with Dynamic Code Security enabled. Microsoft recommends testing Dynamic Code Security in audit mode before enforcing it to discover whether any new libraries should be included in the policy. To enable Dynamic Code Security, add the following option to the `` section of your policy: 
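Review bot: (PATCH 6/9, Step 2 and Step 3 hunks) Replacing every `.appx` with `.msix` in the certificate and install steps narrows the instructions to MSIX, while the earlier hunk in the same patch still tells users they can double-click "any `.msix` or `.appx` package"; since the same `Add-AppxPackage` command is used for both formats, write "the `.msix` (or `.appx`) package" in these two steps so the sections agree.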
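Review bot: (PATCH 7/9, title hunks) All four files touched by this patch carry the same `ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb` in the front-matter context of their hunks; since these headers are already being edited, give each page a unique asset ID (or drop the field) so the pages are not tracked as one asset.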
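Review bot: (PATCH 7/9, .NET hardening hunk) The `-`/`+` pair for "Security researchers have found that some .NET applications..." shows no visible text change, so it is a whitespace-only edit that adds noise to the diff; drop it unless the trailing-space change was intended. While touching the next line, "called *Dynamic Code Security* to verify code" needs a comma after the feature name, and the trailing context line "add the following option to the `` section of your policy" has an empty code span that should name the policy section it refers to.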
From c60aafb28fc21cd797c56d4c94963e36da77c33b Mon Sep 17 00:00:00 2001 From: jaimeo Date: Thu, 2 Sep 2021 09:29:14 -0700 Subject: [PATCH 8/9] removed section about FullSync --- .../update/update-compliance-configuration-manual.md | 9 --------- 1 file changed, 9 deletions(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index e15c04a0eb..5ecec12475 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md 
@@ -80,12 +80,3 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically. -## Run a full Census sync - -Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this behavior, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script will do a full sync. - -A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps: - -1. For every device you are manually configuring for Update Compliance and do not plan to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md), add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**. -2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required. -3. 
After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**. From 8988f10714a3ec18b8f2453bbafb79b72f74d3a2 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Thu, 2 Sep 2021 09:33:43 -0700 Subject: [PATCH 9/9] removing stray bookmark --- .../deployment/update/update-compliance-configuration-manual.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md index 5ecec12475..dcb6a6b2fe 100644 --- a/windows/deployment/update/update-compliance-configuration-manual.md +++ b/windows/deployment/update/update-compliance-configuration-manual.md @@ -27,7 +27,7 @@ The requirements are separated into different categories: 1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured. 2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations must be able to reach the endpoints. 3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality. -4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected. + ## Required policies
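Review bot: (PATCH 8/9) Deleting the "Run a full Census sync" section also removes the only statement that the Update Compliance Configuration Script performs the full sync and that static attributes such as edition otherwise arrive roughly once a week, so administrators who configure devices manually now get no explanation for why edition data lags; keep a one-sentence note to that effect under the services paragraph. This hunk also orphans the `#run-a-full-census-sync` link in the requirements list at the top of the page (PATCH 9/9 removes it); squash the two commits so no intermediate revision ships a dead bookmark.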
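Review bot: (PATCH 9/9) The removed list item is replaced by an empty `+` line rather than deleted, which leaves a double blank line before `## Required policies`; remove the line outright. The lead-in "The requirements are separated into different categories:" still reads correctly with three items, so nothing else in the list needs to change.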