Merge branch 'master' into repo_sync_working_branch

Gary Moore
2020-03-24 17:11:04 -07:00
committed by GitHub
4 changed files with 30 additions and 23 deletions


@ -7,7 +7,8 @@ ms.prod: w10
ms.technology: windows ms.technology: windows
author: manikadhiman author: manikadhiman
ms.localizationpriority: medium ms.localizationpriority: medium
ms.date: 03/12/2020 ms.date: 03/24/2020
ms.reviewer: ms.reviewer:
manager: dansimp manager: dansimp
--- ---
@ -74,10 +75,16 @@ manager: dansimp
<!--/Scope--> <!--/Scope-->
<!--Description--> <!--Description-->
This security setting allows an administrator to define the members of a security-sensitive (restricted) group. When a Restricted Groups Policy is enforced, any current member of a restricted group that is not on the Members list is removed. Any user on the Members list who is not currently a member of the restricted group is added. You can use Restricted Groups policy to control group membership. Using the policy, you can specify what members are part of a group. Any members that are not specified in the policy are removed during configuration or refresh. For example, you can create a Restricted Groups policy to only allow specified users (for example, Alice and John) to be members of the Administrators group. When policy is refreshed, only Alice and John will remain as members of the Administrators group. This security setting allows an administrator to define the members that are part of a security-sensitive (restricted) group. When a Restricted Groups policy is enforced, any current member of a restricted group that is not on the Members list is removed, except for the built-in administrator in the built-in Administrators group. Any user on the Members list who is not currently a member of the restricted group is added. An empty Members list means that the restricted group has no members. The membership configuration is based on SIDS, therefore renaming these built-in groups does not affect retention of this special membership.
For example, you can create a Restricted Groups policy to allow only specified users, Alice and John, to be members of the Backup Operators group. When this policy is refreshed, only Alice and John will remain as members of the Backup Operators group and all other members will be removed.
> [!CAUTION] > [!CAUTION]
> If a Restricted Groups policy is applied, any current member not on the Restricted Groups policy members list is removed. This can include default members, such as administrators. Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers. An empty Members list means that the restricted group has no members. > Attempting to remove the built-in administrator from the Administrators group will result in failure with the following error:
>
> | Error Code | Symbolic Name | Error Description | Header |
> |----------|----------|----------|----------|
> | 0x55b (Hex) <br> 1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h |
Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution. Starting in Windows 10, version 1809, you can use this schema for retrieval and application of the RestrictedGroups/ConfigureGroupMembership policy. A minimum occurrence of 0 members when applying the policy implies clearing the access group and should be used with caution.
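Review bot: "SIDS" in the added sentence "The membership configuration is based on SIDS" should be "SIDs", and "these built-in groups" has no antecedent in the rewritten paragraph, which names only the built-in Administrators group; suggest "renaming the built-in Administrators group does not affect this exception". The rewrite also drops the guidance that Restricted Groups should be used primarily to configure membership of local groups on workstation or member servers without replacing it; if that scoping advice is still current, keep it in the caution alongside the new ERROR_SPECIAL_ACCOUNT table.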
@ -122,24 +129,26 @@ Starting in Windows 10, version 1809, you can use this schema for retrieval and
<!--/SupportedValues--> <!--/SupportedValues-->
<!--Example--> <!--Example-->
Here is an example:
Here's an example:
``` ```
<groupmembership> <groupmembership>
<accessgroup desc = "Administrators"> <accessgroup desc = "Group1">
<member name = "AzureAD\CSPTest@contoso.com" /> <member name = "S-1-15-6666767-76767676767-666666777"/>
<member name = "AzureAD\patlewis@contoso.com" /> <member name = "contoso\Alice"/>
<member name = "S-1-15-1233433-23423432423-234234324"/>
</accessgroup> </accessgroup>
<accessgroup desc = "testcsplocal"> <accessgroup desc = "Group2">
<member name = "AzureAD\CSPTest@contoso.com" /> <member name = "S-1-15-1233433-23423432423-234234324"/>
<member name = "Group1"/>
</accessgroup> </accessgroup>
</groupmembership> </groupmembership>
``` ```
where:
- `<accessgroup desc>` contains the local group SID or group name to configure. If an SID is specified here, the policy uses the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API to get the local group name. For best results, use names for `<accessgroup desc>`.
- `<member name>` contains the members to add to the group in `<accessgroup desc>`. If a name is specified here, the policy will try to get the corresponding SID using the [LookupAccountSID](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API. (**Note:** This doesn't query Azure AD). For best results, use SID for `<member name>`. As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best and most deterministic way to configure.
The member SID can be a user account or a group in AD, Azure AD, or on the local machine. Membership is configured using the [NetLocalGroupSetMembers](https://docs.microsoft.com/windows/win32/api/lmaccess/nf-lmaccess-netlocalgroupsetmembers) API.
- In this example, `Group1` and `Group2` are local groups on the device being configured.
> [!Note]
> * You should include the local administrator while modifying the administrators group to prevent accidental loss of access
> * Include the entire UPN after AzureAD
<!--/Example--> <!--/Example-->
<!--Validation--> <!--Validation-->
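Review bot: the two API references in the explanatory bullets are swapped: resolving an SID given in `<accessgroup desc>` to a group name is what LookupAccountSid does, and resolving a name given in `<member name>` to an SID is what LookupAccountName does, yet each bullet attributes the lookup to the other API (the link targets nf-winbase-lookupaccountnamea and nf-winbase-lookupaccountsida make the mismatch visible); swap the two names and links. Two smaller points in the same hunk: the placeholder member SIDs start with S-1-15, the app package identifier authority, rather than the S-1-5-21-… form a user or group SID has, so a reader copying the pattern could be misled, and `<member name = "Group1"/>` inside Group2 adds one local group to another while the last bullet says both are local groups on the device, so please confirm Group1 is meant to be a domain group, since local groups can't be nested on a workstation or member server. Finally, "As groups can be renamed and account name lookups are limited to AD/local machine, hence SID is the best" reads better as "Because groups can be renamed and name lookups are limited to AD and the local machine, SIDs are the most deterministic way to configure membership."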


@ -30,7 +30,7 @@ With **Windows Autopilot for white glove deployment**, the provisioning process
![OEM](images/wg02.png) ![OEM](images/wg02.png)
Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active directory join scenarios. Enabled with Microsoft Intune in Windows 10, version 1903 and later, white glove deployment capabilities build on top of existing Windows Autopilot [user-driven scenarios](user-driven.md), supporting both the user-driven mode for Azure Active Directory Join, and user-driven mode for Hybrid Azure Active Directory join scenarios.
## Prerequisites ## Prerequisites
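Review bot: the casing fix is only half applied: the same sentence still reads "user-driven mode for Azure Active Directory Join" with a capital J while the corrected clause uses "Hybrid Azure Active Directory join"; pick one form for both.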


@ -27,7 +27,7 @@ Windows Autopilot depends on specific capabilities available in Windows 10, Azur
## Software requirements ## Software requirements
- A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 semi-annual channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported. - A [supported version](https://docs.microsoft.com/windows/release-information/) of Windows 10 Semi-Annual Channel is required. Windows 10 Enterprise 2019 long-term servicing channel (LTSC) is also supported.
- The following editions are supported: - The following editions are supported:
- Windows 10 Pro - Windows 10 Pro
- Windows 10 Pro Education - Windows 10 Pro Education
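Review bot: "Semi-Annual Channel" is now capitalized while "long-term servicing channel (LTSC)" in the same bullet stays lowercase; apply the same product-name casing to both (Long-Term Servicing Channel) or to neither.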
@ -81,7 +81,8 @@ If the Microsoft Store is not accessible, the AutoPilot process will still conti
<tr><td><b>Office 365<b><td>As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2">Office 365 URLs and IP address ranges</a> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above). <tr><td><b>Office 365<b><td>As part of the Intune device configuration, installation of Office 365 ProPlus may be required. For more information, see <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2">Office 365 URLs and IP address ranges</a> (includes all Office services, DNS names, IP addresses; includes Azure AD and other services that may overlap with those listed above).
<tr><td><b>Certificate revocation lists (CRLs)<b><td>Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl">Office 365 URLs and IP address ranges</a> and <a href="https://aka.ms/o365chains">Office 365 Certificate Chains</a>. <tr><td><b>Certificate revocation lists (CRLs)<b><td>Some of these services will also need to check certificate revocation lists (CRLs) for certificates used in the services.  A full list of these is documented at <a href="https://support.office.com/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2#bkmk_crl">Office 365 URLs and IP address ranges</a> and <a href="https://aka.ms/o365chains">Office 365 Certificate Chains</a>.
<tr><td><b>Hybrid AAD join<b><td>The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at <a href="https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven-hybrid">Windows Autopilot user-driven mode</a> <tr><td><b>Hybrid AAD join<b><td>The device can be hybrid AAD joined. The computer should be on corporate network for hybrid AAD join to work. See details at <a href="https://docs.microsoft.com/windows/deployment/windows-autopilot/user-driven-hybrid">Windows Autopilot user-driven mode</a>
<tr><td><b>Autopilot Self-Deploying mode and Autopilot White Glove<b><td>Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See <a href="https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-recommendations">TPM recommendations</a> for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested: <tr><td><b>Autopilot Self-Deploying mode and Autopilot White Glove<b><td>Firmware TPM devices, which are only provided by Intel, AMD, or Qualcomm, do not include all needed certificates at boot time and must be able to retrieve them from the manufacturer on first use. Devices with discrete TPM chips (including devices from any other manufacturer) come with these certificates preinstalled. See <a href="https://docs.microsoft.com/windows/security/information-protection/tpm/tpm-recommendations">TPM recommendations</a> for more details. Make sure that these URLs are accessible for each firmware TPM provider so that certificates can be successfully requested:
<br>Intel- https://ekop.intel.com/ekcertservice <br>Intel- https://ekop.intel.com/ekcertservice
<br>Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1 <br>Qualcomm- https://ekcert.spserv.microsoft.com/EKCertificate/GetEKCertificate/v1
<br>AMD- https://ftpm.amd.com/pki/aia <br>AMD- https://ftpm.amd.com/pki/aia
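Review bot: every row in this table opens its label with `<b>` and then uses a second `<b>` where `</b>` belongs (`<b>Office 365<b>`, `<b>Hybrid AAD join<b>`, `<b>Autopilot Self-Deploying mode and Autopilot White Glove<b>`), so the bold element is never closed; since these rows are being touched to drop the `/en-us/` locale segment from the TPM recommendations link, close the tags as `</b>` in the same change. The `<td>` and `<tr>` elements are left unclosed as well, which renderers tolerate but which makes the table fragile to edit.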


@ -38,10 +38,6 @@ This topic describes how to install, configure, update, and use Microsoft Defend
> [!CAUTION] > [!CAUTION]
> Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors. > Running other third-party endpoint protection products alongside Microsoft Defender ATP for Linux is likely to cause performance problems and unpredictable system errors.
## How to install Microsoft Defender ATP for Linux ## How to install Microsoft Defender ATP for Linux
### Prerequisites ### Prerequisites
@ -53,6 +49,7 @@ This topic describes how to install, configure, update, and use Microsoft Defend
### Known issues ### Known issues
- Logged on users do not appear in the ATP portal. - Logged on users do not appear in the ATP portal.
- Running the product on CentOS / RHEL / Oracle Linux 7.0 or 7.1 with kernel versions lower than 3.10.0-327 can result in hanging the operating system. We recommend that you upgrade to version 7.2 or newer.
- In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered: - In SUSE distributions, if the installation of *libatomic1* fails, you should validate that your OS is registered:
```bash ```bash
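Review bot: "can result in hanging the operating system" in the new known-issue bullet should read "can cause the operating system to hang". If 3.10.0-327 is the kernel that the recommended 7.2 release ships, say so in the bullet, so readers understand why the distribution version and the kernel threshold coincide and can check `uname -r` against it directly.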
@ -77,12 +74,12 @@ In general you need to take the following steps:
- Supported Linux server distributions and versions: - Supported Linux server distributions and versions:
- Red Hat Enterprise Linux 7 or higher - Red Hat Enterprise Linux 7.2 or higher
- CentOS 7 or higher - CentOS 7.2 or higher
- Ubuntu 16.04 LTS or higher LTS - Ubuntu 16.04 LTS or higher LTS
- Debian 9 or higher - Debian 9 or higher
- SUSE Linux Enterprise Server 12 or higher - SUSE Linux Enterprise Server 12 or higher
- Oracle Linux 7 - Oracle Linux 7.2 or higher
- Minimum kernel version 2.6.38 - Minimum kernel version 2.6.38
- The `fanotify` kernel option must be enabled - The `fanotify` kernel option must be enabled
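Review bot: the distribution floors move to 7.2 for RHEL, CentOS and Oracle Linux, but the "Minimum kernel version 2.6.38" bullet below is unchanged even though the new known-issue bullet in this commit says kernels lower than 3.10.0-327 on those distributions can hang the system; either raise the kernel requirement for those distributions or note the exception next to the 2.6.38 line so the two requirements don't contradict each other.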