| Extend code: phase | -|
| Hex | Phase - |
| 0 | SP_EXECUTION_UNKNOWN - |
| 1 | SP_EXECUTION_DOWNLEVEL - |
| 2 | SP_EXECUTION_SAFE_OS - |
| 3 | SP_EXECUTION_FIRST_BOOT - |
| 4 | SP_EXECUTION_OOBE_BOOT - |
| 5 | SP_EXECUTION_UNINSTALL - |
| Extend code: operation | -|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
-
|
-
-
|
-||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Attribute | -Value | -
|---|---|
Well-Known SID/RID |
-S-1-5-<domain>-13 (Terminal Server User), S-1-5-<domain>-14 (Remote Interactive Logon) |
-
Type |
-User |
-
Default container |
-CN=Users, DC=<domain>, DC= |
-
Default members |
-None |
-
Default member of |
-Domain Guests -Guests |
-
Protected by ADMINSDHOLDER? |
-No |
-
Safe to move out of default container? |
-Can be moved out, but we do not recommend it. |
-
Safe to delegate management of this group to non-Service admins? |
-No |
-
Guests| +|Protected by ADMINSDHOLDER?|No| +|Safe to move out of default container?|Can be moved out, but we do not recommend it.| +|Safe to delegate management of this group to non-Service admins?|No| ### DefaultAccount @@ -290,71 +253,18 @@ For more information about UAC, see [User Account Control](/windows/access-prote The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access. -
No. |
-Setting |
-Detailed Description |
-
| - | Policy location |
-Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
-
1 |
-Policy name |
-User Account Control: Run all administrators in Admin Approval Mode |
-
| - | Policy setting |
-Enabled |
-
2 |
-Policy location |
-Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options |
-
| - | Policy name |
-User Account Control: Run all administrators in Admin Approval Mode |
-
| - | Policy setting |
-Enabled |
-
3 |
-Registry key |
-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
-
| - | Registry value name |
-LocalAccountTokenFilterPolicy |
-
| - | Registry value type |
-DWORD |
-
| - | Registry value data |
-0 |
-
No. |
-Setting |
-Detailed Description |
-
| - | Policy location |
-Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
-
1 |
-Policy name |
-- |
| - | Policy setting |
-Local account and member of Administrators group - |
-
2 |
-Policy location |
-Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment |
-
| - | Policy name |
-- |
| - | Policy setting |
-Local account and member of Administrators group - |
-
| Policy | -Scope | -Options | -|
|---|---|---|---|
| Use Windows Hello for Business | -- | Computer or user | -
- Not configured: Device does not provision Windows Hello for Business for any user. -Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. -Disabled: Device does not provision Windows Hello for Business for any user. - |
-
| Use a hardware security device | -- | Computer | -
- Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. -Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set. -Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. - |
-
| Use certificate for on-premises authentication | -- | Computer or user | -
- Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication. -Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication. -Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication. - |
-Use PIN recovery | -- | Computer | -
- Added in Windows 10, version 1703 -Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. -Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. -Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. -+|Policy|Scope|Options| +|--- |--- |--- | +|Use Windows Hello for Business|Computer or user| Not configured: Device does not provision Windows Hello for Business for any user. Enabled: Device provisions Windows Hello for Business using keys or certificates for all users. Disabled: Device does not provision Windows Hello for Business for any user.| +|Use a hardware security device|Computer| Not configured: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. Enabled: Windows Hello for Business will only be provisioned using TPM. This feature will provision Windows Hello for Business using TPM 1.2 unless the option to exclude them is explicitly set. Disabled: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.| +|Use certificate for on-premises authentication|Computer or user| Not configured: Windows Hello for Business enrolls a key that is used for on-premises authentication. Enabled: Windows Hello for Business enrolls a sign-in certificate using ADFS that is used for on-premises authentication. Disabled: Windows Hello for Business enrolls a key that is used for on-premises authentication.| +|Use PIN recovery|Computer| Added in Windows 10, version 1703 Not configured: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service Enabled: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset Disabled: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| +|Use biometrics|Computer| Not configured: Biometrics can be used as a gesture in place of a PIN Enabled: Biometrics can be used as a gesture in place of a PIN. Disabled: Only a PIN can be used as a gesture.| -For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md). - - |
-
-
| Use biometrics | -- | Computer | -
- Not configured: Biometrics can be used as a gesture in place of a PIN. -Enabled: Biometrics can be used as a gesture in place of a PIN. -Disabled: Only a PIN can be used as a gesture. - |
-
| PIN Complexity | -Require digits | -Computer | -
- Not configured: Users must include a digit in their PIN. -Enabled: Users must include a digit in their PIN. -Disabled: Users cannot use digits in their PIN. - |
-
| Require lowercase letters | -Computer | -
- Not configured: Users cannot use lowercase letters in their PIN. -Enabled: Users must include at least one lowercase letter in their PIN. -Disabled: Users cannot use lowercase letters in their PIN. - |
-|
| Maximum PIN length | -Computer | -
- Not configured: PIN length must be less than or equal to 127. -Enabled: PIN length must be less than or equal to the number you specify. -Disabled: PIN length must be less than or equal to 127. - |
-|
| Minimum PIN length | -Computer | -
- Not configured: PIN length must be greater than or equal to 4. -Enabled: PIN length must be greater than or equal to the number you specify. -Disabled: PIN length must be greater than or equal to 4. - |
-|
| Expiration | -Computer | -
- Not configured: PIN does not expire. -Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0. -Disabled: PIN does not expire. - |
-|
| History | -Computer | -
- Not configured: Previous PINs are not stored. -Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused. -Disabled: Previous PINs are not stored. -Note Current PIN is included in PIN history.
- |
-|
| Require special characters | -Computer | -
- Not configured: Users cannot include a special character in their PIN. -Enabled: Users must include at least one special character in their PIN. -Disabled: Users cannot include a special character in their PIN. - |
-|
| Require uppercase letters | -Computer | -
- Not configured: Users cannot include an uppercase letter in their PIN. -Enabled: Users must include at least one uppercase letter in their PIN. -Disabled: Users cannot include an uppercase letter in their PIN. - |
-|
| Phone Sign-in | -Use Phone Sign-in | -Computer | - -
- Not currently supported. - |
-
Not configured: Users must include a digit in their PIN.
Enabled: Users must include a digit in their PIN.
Disabled: Users cannot use digits in their PIN.| +|Require lowercase letters|Computer|
Not configured: Users cannot use lowercase letters in their PIN
Enabled: Users must include at least one lowercase letter in their PIN.
Disabled: Users cannot use lowercase letters in their PIN.| +|Maximum PIN length|Computer|
Not configured: PIN length must be less than or equal to 127.
Enabled: PIN length must be less than or equal to the number you specify.
Disabled: PIN length must be less than or equal to 127.| +|Minimum PIN length|Computer|
Not configured: PIN length must be greater than or equal to 4.
Enabled: PIN length must be greater than or equal to the number you specify.
Disabled: PIN length must be greater than or equal to 4.| +|Expiration|Computer|
Not configured: PIN does not expire.
Enabled: PIN can be set to expire after any number of days between 1 and 730, or PIN can be set to never expire by setting policy to 0.
Disabled: PIN does not expire.| +|History|Computer|
Not configured: Previous PINs are not stored.
Enabled: Specify the number of previous PINs that can be associated to a user account that can't be reused.
Disabled: Previous PINs are not stored.
Not configured: Users cannot include a special character in their PIN
Enabled: Users must include at least one special character in their PIN.
Disabled: Users cannot include a special character in their PIN.| +|Require uppercase letters|Computer|
Not configured: Users cannot include an uppercase letter in their PIN.
Enabled: Users must include at least one uppercase letter in their PIN.
Disabled: Users cannot include an uppercase letter in their PIN.| + +### Phone Sign-in + +|Policy|Scope|Options| +|--- |--- |--- | +|Use Phone Sign-in|Computer|Not currently supported.| ## MDM policy settings for Windows Hello for Business @@ -194,175 +75,38 @@ The following table lists the MDM policy settings that you can configure for Win >[!IMPORTANT] >Starting in Windows 10, version 1607, all devices only have one PIN associated with Windows Hello for Business. This means that any PIN on a device will be subject to the policies specified in the PassportForWork CSP. The values specified take precedence over any complexity rules set via Exchange ActiveSync (EAS) or the DeviceLock CSP. -
| Policy | -Scope | -Default | -Options | -|
|---|---|---|---|---|
| UsePassportForWork | -- | Device or user | -True | -
- True: Windows Hello for Business will be provisioned for all users on the device. -False: Users will not be able to provision Windows Hello for Business. -Note If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices.
- |
-
| RequireSecurityDevice | -- | Device or user | -False | -
- True: Windows Hello for Business will only be provisioned using TPM. -False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available. - |
-
| ExcludeSecurityDevice | -TPM12 | -Device | -False | -
- Added in Windows 10, version 1703 -True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. -False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business. - |
-
| EnablePinRecovery | -- | Device or user | -False | -
- Added in Windows 10, version 1703 -True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. -False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service. -+|Policy|Scope|Default|Options| +|--- |--- |--- |--- | +|UsePassportForWork|Device or user|True| True: Windows Hello for Business will be provisioned for all users on the device. False: Users will not be able to provision Windows Hello for Business. **Note:** If Windows Hello for Business is enabled, and then the policy is changed to False, users who previously set up Windows Hello for Business can continue to use it, but will not be able to set up Windows Hello for Business on other devices |
+|RequireSecurityDevice|Device or user|False|True: Windows Hello for Business will only be provisioned using TPM. False: Windows Hello for Business will be provisioned using TPM if available, and will be provisioned using software if TPM is not available.| +|ExcludeSecurityDevice TPM12|Device|False|Added in Windows 10, version 1703 True: TPM revision 1.2 modules will be disallowed from being used with Windows Hello for Business. False: TPM revision 1.2 modules will be allowed to be used with Windows Hello for Business.| +|EnablePinRecovery|Device or use|False| Added in Windows 10, version 1703 True: Windows Hello for Business uses the Azure-based PIN recovery service for PIN reset. False: Windows Hello for Business does not create or store a PIN recovery secret. PIN reset does not use the Azure-based PIN recovery service.For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md).| -For more information about using the PIN recovery service for PIN reset see [Windows Hello for Business PIN Reset](hello-feature-pin-reset.md). - - |
-
| Biometrics | -
- UseBiometrics - |
-Device | -False | -
- True: Biometrics can be used as a gesture in place of a PIN for domain sign-in. -False: Only a PIN can be used as a gesture for domain sign-in. - |
-
|
- FacialFeaturesUser -EnhancedAntiSpoofing - |
-Device | -Not configured | -
- Not configured: users can choose whether to turn on enhanced anti-spoofing. -True: Enhanced anti-spoofing is required on devices which support it. -False: Users cannot turn on enhanced anti-spoofing. - |
-|
| PINComplexity | -||||
| Digits | -Device or user | -1 | -
- 0: Digits are allowed. -1: At least one digit is required. -2: Digits are not allowed. - |
-|
| Lowercase letters | -Device or user | -2 | -
- 0: Lowercase letters are allowed. -1: At least one lowercase letter is required. -2: Lowercase letters are not allowed. - |
-|
| Special characters | -Device or user | -2 | -
- 0: Special characters are allowed. -1: At least one special character is required. -2: Special characters are not allowed. - |
-|
| Uppercase letters | -Device or user | -2 | -
- 0: Uppercase letters are allowed. -1: At least one uppercase letter is required. -2: Uppercase letters are not allowed. - |
-|
| Maximum PIN length | -Device or user | -127 | -
- Maximum length that can be set is 127. Maximum length cannot be less than minimum setting. - |
-|
| Minimum PIN length | -Device or user | -4 | -
- Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting. - |
-|
| Expiration | -Device or user | -0 | -
- Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire. - - |
-|
| History | -Device or user | -0 | -
- Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required. - - |
-|
| Remote | -
- UseRemotePassport - |
-Device or user | -False | -
- Not currently supported. - |
-
True: Biometrics can be used as a gesture in place of a PIN for domain sign-in.
False: Only a PIN can be used as a gesture for domain sign-in.| +|
FacialFeaturesUser
EnhancedAntiSpoofing|Device|Not configured|
Not configured: users can choose whether to turn on enhanced anti-spoofing.
True: Enhanced anti-spoofing is required on devices which support it.
False: Users cannot turn on enhanced anti-spoofing.| + +### PINComplexity + +|Policy|Scope|Default|Options| +|--- |--- |--- |--- | +|Digits |Device or user|1 |
0: Digits are allowed.
1: At least one digit is required.
2: Digits are not allowed.| +|Lowercase letters |Device or user|2|
0: Lowercase letters are allowed.
1: At least one lowercase letter is required.
2: Lowercase letters are not allowed.| +|Special characters|Device or user|2|
0: Special characters are allowed.
1: At least one special character is required.
2: Special characters are not allowed.| +|Uppercase letters|Device or user|2|
0: Uppercase letters are allowed.
1: At least one uppercase letter is required.
2: Uppercase letters are not allowed.| +|Maximum PIN length |Device or user|127 |
Maximum length that can be set is 127. Maximum length cannot be less than minimum setting.| +|Minimum PIN length|Device or user|4|
Minimum length that can be set is 4. Minimum length cannot be greater than maximum setting.| +|Expiration |Device or user|0|
Integer value specifies the period of time (in days) that a PIN can be used before the system requires the user to change it. The largest number you can configure for this policy setting is 730. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then the user's PIN will never expire.| +|History|Device or user|0|
Integer value that specifies the number of past PINs that can be associated to a user account that can't be reused. The largest number you can configure for this policy setting is 50. The lowest number you can configure for this policy setting is 0. If this policy is set to 0, then storage of previous PINs is not required.| + +### Remote + +|Policy|Scope|Default|Options| +|--- |--- |--- |--- | +|UseRemotePassport|Device or user|False|Not currently supported.| >[!NOTE] > In Windows 10, version 1709 and later, if policy is not configured to explicitly require letters or special characters, users can optionally set an alphanumeric PIN. Prior to version 1709 the user is required to set a numeric PIN. diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md index e9f7b85291..edf3452542 100644 --- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md +++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md @@ -106,169 +106,35 @@ The following diagram details the UAC architecture. To better understand each component, review the table below: -
| Component | -Description | -
|---|---|
| User | -|
|
- User performs operation requiring privilege - |
-
- If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute. - |
-
|
- ShellExecute - |
-
- ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt. - |
-
|
- CreateProcess - |
-
- If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED. - |
-
| System | -|
|
- Application Information service - |
-
- A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so. - |
-
|
- Elevating an ActiveX install - |
-
- If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the User Account Control: Switch to the secure desktop when prompting for elevation Group Policy setting is checked. - |
-
|
- Check UAC slider level - |
-
- UAC has a slider to select from four levels of notification. -
|
-
|
- Secure desktop enabled - |
-
- The User Account Control: Switch to the secure desktop when prompting for elevation policy setting is checked: -
|
-
|
- CreateProcess - |
-
- CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute. - |
-
|
- AppCompat - |
-
- The AppCompat database stores information in the application compatibility fix entries for an application. - |
-
|
- Fusion - |
-
- The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field. - |
-
|
- Installer detection - |
-
- Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent. - |
-
| Kernel | - -|
|
- Virtualization - |
-
- Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas. - |
-
|
- File system and registry - |
-
- The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second. - |
-
User performs operation requiring privilege|
If the operation changes the file system or registry, Virtualization is called. All other operations call ShellExecute.| +|
ShellExecute|
ShellExecute calls CreateProcess. ShellExecute looks for the ERROR_ELEVATION_REQUIRED error from CreateProcess. If it receives the error, ShellExecute calls the Application Information service to attempt to perform the requested task with the elevated prompt.| +|
CreateProcess|
If the application requires elevation, CreateProcess rejects the call with ERROR_ELEVATION_REQUIRED.| + +### System + +|Component|Description| +|--- |--- | +|
Application Information service|
A system service that helps start apps that require one or more elevated privileges or user rights to run, such as local administrative tasks, and apps that require higher integrity levels. The Application Information service helps start such apps by creating a new process for the application with an administrative user's full access token when elevation is required and (depending on Group Policy) consent is given by the user to do so.| +|
Elevating an ActiveX install|
If ActiveX is not installed, the system checks the UAC slider level. If ActiveX is installed, the **User Account Control: Switch to the secure desktop when prompting for elevation** Group Policy setting is checked.| +|
Check UAC slider level|
UAC has a slider to select from four levels of notification.
**Always notify** will:
Recommended if you often install new software or visit unfamiliar websites.
**Notify me only when programs try to make changes to my computer** will:
Recommended if you do not often install apps or visit unfamiliar websites.
**Notify me only when programs try to make changes to my computer (do not dim my desktop)** will:
Not recommended. Choose this only if it takes a long time to dim the desktop on your computer.
**Never notify (Disable UAC prompts)** will:
Not recommended due to security concerns.| +|
Secure desktop enabled|
The **User Account Control: Switch to the secure desktop when prompting for elevation** policy setting is checked:
If the secure desktop is enabled, all elevation requests go to the secure desktop regardless of prompt behavior policy settings for administrators and standard users.
If the secure desktop is not enabled, all elevation requests go to the interactive user's desktop, and the per-user settings for administrators and standard users are used.| +|
CreateProcess|
CreateProcess calls AppCompat, Fusion, and Installer detection to assess if the app requires elevation. The file is then inspected to determine its requested execution level, which is stored in the application manifest for the file. CreateProcess fails if the requested execution level specified in the manifest does not match the access token and returns an error (ERROR_ELEVATION_REQUIRED) to ShellExecute.| +|
AppCompat|
The AppCompat database stores information in the application compatibility fix entries for an application.| +|
Fusion|
The Fusion database stores information from application manifests that describe the applications. The manifest schema is updated to add a new requested execution level field.| +|
Installer detection|
Installer detection detects setup files, which helps prevent installations from being run without the user's knowledge and consent.| + +### Kernel + +|Component|Description| +|--- |--- | +|
Virtualization|
Virtualization technology ensures that non-compliant apps do not silently fail to run or fail in a way that the cause cannot be determined. UAC also provides file and registry virtualization and logging for applications that write to protected areas.| +|
File system and registry|
The per-user file and registry virtualization redirects per-computer registry and file write requests to equivalent per-user locations. Read requests are redirected to the virtualized per-user location first and to the per-computer location second.| -The slider will never turn UAC completely off. If you set it to Never notify, it will: +The slider will never turn UAC completely off. If you set it to **Never notify**, it will: - Keep the UAC service running. - Cause all elevation request initiated by administrators to be auto-approved without showing a UAC prompt. diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md index 77824138a9..b646e90f3e 100644 --- a/windows/security/identity-protection/vpn/vpn-authentication.md +++ b/windows/security/identity-protection/vpn/vpn-authentication.md @@ -23,15 +23,12 @@ In addition to older and less-secure password-based authentication methods (whic Windows supports a number of EAP authentication methods. -
| Method | Details |
|---|---|
| EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2) |
|
| EAP-Transport Layer Security (EAP-TLS) |
|
| Protected Extensible Authentication Protocol (PEAP) |
|
| Tunneled Transport Layer Security (TTLS) |
|
Supports the following types of certificate authentication
Certificate filtering
Server validation- with TLS, server validation can be toggled on or off
Server validation with PEAP,- server validation can be toggled on or off
Inner method- the outer method creates a secure tunnel inside while the inner method is used to complete the authentication
Fast Reconnect: reduces the delay between an authentication request by a client and the response by the Network Policy Server (NPS) or other Remote Authentication Dial-in User Service (RADIUS) server. This reduces resource requirements for both client and server, and minimizes the number of times that users are prompted for credentials.
[Cryptobinding](/openspecs/windows_protocols/ms-peap/757a16c7-0826-4ba9-bb71-8c3f1339e937): By deriving and exchanging values from the PEAP phase 1 key material (**Tunnel Key**) and from the PEAP phase 2 inner EAP method key material (**Inner Session Key**), it is possible to prove that the two authentications terminate at the same two entities (PEAP peer and PEAP server). This process, termed "cryptobinding", is used to protect the PEAP negotiation against "Man in the Middle" attacks.| +|Tunneled Transport Layer Security (TTLS)|**Inner method**
Non-EAP
EAP
Server validation: in TTLS, the server must be validated. The following can be configured:
Name |
-Parameters |
-
Add-BitLockerKeyProtector |
--ADAccountOrGroup --ADAccountOrGroupProtector --Confirm --MountPoint --Password --PasswordProtector --Pin --RecoveryKeyPath --RecoveryKeyProtector --RecoveryPassword --RecoveryPasswordProtector --Service --StartupKeyPath --StartupKeyProtector --TpmAndPinAndStartupKeyProtector --TpmAndPinProtector --TpmAndStartupKeyProtector --TpmProtector --WhatIf |
-
Backup-BitLockerKeyProtector |
--Confirm --KeyProtectorId --MountPoint --WhatIf |
-
Disable-BitLocker |
--Confirm --MountPoint --WhatIf |
-
Disable-BitLockerAutoUnlock |
--Confirm --MountPoint --WhatIf |
-
Enable-BitLocker |
--AdAccountOrGroup --AdAccountOrGroupProtector --Confirm --EncryptionMethod --HardwareEncryption --Password --PasswordProtector --Pin --RecoveryKeyPath --RecoveryKeyProtector --RecoveryPassword --RecoveryPasswordProtector --Service --SkipHardwareTest --StartupKeyPath --StartupKeyProtector --TpmAndPinAndStartupKeyProtector --TpmAndPinProtector --TpmAndStartupKeyProtector --TpmProtector --UsedSpaceOnly --WhatIf |
-
Enable-BitLockerAutoUnlock |
--Confirm --MountPoint --WhatIf |
-
Get-BitLockerVolume |
--MountPoint |
-
Lock-BitLocker |
--Confirm --ForceDismount --MountPoint --WhatIf |
-
Remove-BitLockerKeyProtector |
--Confirm --KeyProtectorId --MountPoint --WhatIf |
-
Resume-BitLocker |
--Confirm --MountPoint --WhatIf |
-
Suspend-BitLocker |
--Confirm --MountPoint --RebootCount --WhatIf |
-
Unlock-BitLocker |
--AdAccountOrGroup --Confirm --MountPoint --Password --RecoveryKeyPath --RecoveryPassword --RecoveryPassword --WhatIf |
-
Name |
-Parameters |
-
|---|---|
Add-BitLockerKeyProtector |
--ADAccountOrGroup --ADAccountOrGroupProtector --Confirm --MountPoint --Password --PasswordProtector --Pin --RecoveryKeyPath --RecoveryKeyProtector --RecoveryPassword --RecoveryPasswordProtector --Service --StartupKeyPath --StartupKeyProtector --TpmAndPinAndStartupKeyProtector --TpmAndPinProtector --TpmAndStartupKeyProtector --TpmProtector --WhatIf |
-
Backup-BitLockerKeyProtector |
--Confirm --KeyProtectorId --MountPoint --WhatIf |
-
Disable-BitLocker |
--Confirm --MountPoint --WhatIf |
-
Disable-BitLockerAutoUnlock |
--Confirm --MountPoint --WhatIf |
-
Enable-BitLocker |
--AdAccountOrGroup --AdAccountOrGroupProtector --Confirm --EncryptionMethod --HardwareEncryption --Password --PasswordProtector --Pin --RecoveryKeyPath --RecoveryKeyProtector --RecoveryPassword --RecoveryPasswordProtector --Service --SkipHardwareTest --StartupKeyPath --StartupKeyProtector --TpmAndPinAndStartupKeyProtector --TpmAndPinProtector --TpmAndStartupKeyProtector --TpmProtector --UsedSpaceOnly --WhatIf |
-
Enable-BitLockerAutoUnlock |
--Confirm --MountPoint --WhatIf |
-
Get-BitLockerVolume |
--MountPoint |
-
Lock-BitLocker |
--Confirm --ForceDismount --MountPoint --WhatIf |
-
Remove-BitLockerKeyProtector |
--Confirm --KeyProtectorId --MountPoint --WhatIf |
-
Resume-BitLocker |
--Confirm --MountPoint --WhatIf |
-
Suspend-BitLocker |
--Confirm --MountPoint --RebootCount --WhatIf |
-
Unlock-BitLocker |
--AdAccountOrGroup --Confirm --MountPoint --Password --RecoveryKeyPath --RecoveryPassword --RecoveryPassword --WhatIf |
-
Action |
-On owner node of failover volume |
-On Metadata Server (MDS) of CSV |
-On (Data Server) DS of CSV |
-Maintenance Mode |
-
Manage-bde –on |
-Blocked |
-Blocked |
-Blocked |
-Allowed |
-
Manage-bde –off |
-Blocked |
-Blocked |
-Blocked |
-Allowed |
-
Manage-bde Pause/Resume |
-Blocked |
-Blocked |
-Blocked |
-Allowed |
-
Manage-bde –lock |
-Blocked |
-Blocked |
-Blocked |
-Allowed |
-
manage-bde –wipe |
-Blocked |
-Blocked |
-Blocked |
-Allowed |
-
Unlock |
-Automatic via cluster service |
-Automatic via cluster service |
-Automatic via cluster service |
-Allowed |
-
manage-bde –protector –add |
-Allowed |
-Allowed |
-Blocked |
-Allowed |
-
manage-bde -protector -delete |
-Allowed |
-Allowed |
-Blocked |
-Allowed |
-
manage-bde –autounlock |
-Allowed (not recommended) |
-Allowed (not recommended) |
-Blocked |
-Allowed (not recommended) |
-
Manage-bde -upgrade |
-Allowed |
-Allowed |
-Blocked |
-Allowed |
-
Shrink |
-Allowed |
-Allowed |
-Blocked |
-Allowed |
-
Extend |
-Allowed |
-Allowed |
-Blocked |
-Allowed |
-
| App rule setting | -Networking policy configuration | -|
|---|---|---|
| - | Name-based policies, without the /*AppCompat*/ string | -Name-based policies, using the /*AppCompat*/ string or proxy-based policies | -
| Not required. App connects to enterprise cloud resources directly, using an IP address. | -
-
|
-
-
|
-
| Not required. App connects to enterprise cloud resources, using a hostname. | -
-
|
- |
| Allow. App connects to enterprise cloud resources, using an IP address or a hostname. | -
-
|
- |
| Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. | -
-
|
- |
**Name-based policies, without the /*AppCompat*/ string:**
**Name-based policies, using the /*AppCompat*/ string or proxy-based policies:**
| App rule setting | -Networking policy configuration for name-based policies, possibly using the /*AppCompat*/ string, or proxy-based policies | -
|---|---|
| Not required. App connects to enterprise cloud resources, using an IP address or a hostname. | -
-
|
-
| Allow. App connects to enterprise cloud resources, using an IP address or a hostname. | -
-
|
-
| Exempt. App connects to enterprise cloud resources, using an IP address or a hostname. | -
-
|
-
| Option | -Manages | -
|---|---|
| All fields left as "*" | -All files signed by any publisher. (Not recommended.) | -
| Publisher selected | -All files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. |
-
| Publisher and Product Name selected | -All files for the specified product, signed by the named publisher. | -
| Publisher, Product Name, and Binary name selected | -Any version of the named file or package for the specified product, signed by the named publisher. | -
| Publisher, Product Name, Binary name, and File Version, and above, selected | -Specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
-
| Publisher, Product Name, Binary name, and File Version, And below selected | -Specified version or older releases of the named file or package for the specified product, signed by the named publisher. | -
| Publisher, Product Name, Binary name, and File Version, Exactly selected | -Specified version of the named file or package for the specified product, signed by the named publisher. | -
| Network location type | -Format | -Description | -
|---|---|---|
| Enterprise Cloud Resources | -With proxy: contoso.sharepoint.com,contoso.internalproxy1.com| contoso.visualstudio.com,contoso.internalproxy2.com Without proxy: contoso.sharepoint.com|contoso.visualstudio.com |
- Specify the cloud resources to be treated as corporate and protected by WIP. For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise. If you have multiple resources, you must separate them using the "|" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "|". For example: Important |
-
| Enterprise Network Domain Names (Required) | -corp.contoso.com,region.contoso.com | -Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks. If you have multiple resources, you must separate them using the "," delimiter. |
-
| Proxy servers | -proxy.contoso.com:80;proxy2.contoso.com:443 | -Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources. This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
-
| Internal proxy servers | -contoso.internalproxy1.com;contoso.internalproxy2.com | -Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources. This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic. If you have multiple resources, you must separate them using the ";" delimiter. |
| Enterprise IPv4 Range (Required) | -Starting IPv4 Address: 3.4.0.1 Ending IPv4 Address: 3.4.255.254 Custom URI: 3.4.0.1-3.4.255.254, 10.0.0.1-10.255.255.254 |
- Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
| Enterprise IPv6 Range | -Starting IPv6 Address: 2a01:110:: Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff, fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff |
- Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries. If you have multiple ranges, you must separate them using the "," delimiter. |
-
| Neutral Resources | -sts.contoso.com,sts.contoso2.com | -Specify your authentication redirection endpoints for your company. These locations are considered enterprise or personal, based on the context of the connection before the redirection. If you have multiple resources, you must separate them using the "," delimiter. |
-
Without proxy: contoso.sharepoint.com,contoso.visualstudio.com|Specify the cloud resources to be treated as corporate and protected by WIP.
For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.
If you have multiple resources, you must separate them using the "I" delimiter. If you don't use proxy servers, you must also include the "," delimiter just before the "I". For example: URL <,proxy>|URL <,proxy>
Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can't tell whether it's attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.|
+ |Enterprise Network Domain Names (Required)|corp.contoso.com,region.contoso.com|Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected.
This setting works with the IP ranges settings to detect whether a network endpoint is enterprise or personal on private networks.
If you have multiple resources, you must separate them using the "," delimiter.|
+ |Proxy servers|proxy.contoso.com:80;proxy2.contoso.com:443|Specify the proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Internal proxy servers list. Internal proxy servers must be used only for WIP-protected (enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.|
+ |Internal proxy servers|contoso.internalproxy1.com;contoso.internalproxy2.com|Specify the internal proxy servers your devices will go through to reach your cloud resources. Using this server type indicates that the cloud resources you're connecting to are enterprise resources.
This list shouldn't include any servers listed in your Proxy servers list. Proxy servers must be used only for non-WIP-protected (non-enterprise) traffic.
If you have multiple resources, you must separate them using the ";" delimiter.|
+ |Enterprise IPv4 Range (Required)|Starting IPv4 Address: 3.4.0.1
Ending IPv4 Address: 3.4.255.254
Custom URI: 3.4.0.1-3.4.255.254,
10.0.0.1-10.255.255.254|Specify the addresses for a valid IPv4 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.|
+ |Enterprise IPv6 Range|Starting IPv6 Address: 2a01:110::
Ending IPv6 Address: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff
Custom URI: 2a01:110:7fff:ffff:ffff:ffff:ffff:ffff,
fd00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff|Specify the addresses for a valid IPv6 value range within your intranet. These addresses, used with your Enterprise Network Domain Names, define your corporate network boundaries.
If you have multiple ranges, you must separate them using the "," delimiter.| + |Neutral Resources|sts.contoso.com,sts.contoso2.com|Specify your authentication redirection endpoints for your company.
These locations are considered enterprise or personal, based on the context of the connection before the redirection.
If you have multiple resources, you must separate them using the "," delimiter.| + 3. Add as many locations as you need, and then click **OK**. The **Add or edit corporate network definition** box closes. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 0442c3778a..370455c093 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -164,40 +164,15 @@ If you don't know the Store app publisher or product name, you can find them by To add **Desktop apps**, complete the following fields, based on what results you want returned. -
| Field | -Manages | -
|---|---|
| All fields marked as “*” | -All files signed by any publisher. (Not recommended and may not work) | -
| Publisher only | -If you only fill out this field, you’ll get all files signed by the named publisher. This might be useful if your company is the publisher and signer of internal line-of-business apps. |
-
| Publisher and Name only | -If you only fill out these fields, you’ll get all files for the specified product, signed by the named publisher. | -
| Publisher, Name, and File only | -If you only fill out these fields, you’ll get any version of the named file or package for the specified product, signed by the named publisher. | -
| Publisher, Name, File, and Min version only | -If you only fill out these fields, you’ll get the specified version or newer releases of the named file or package for the specified product, signed by the named publisher. This option is recommended for enlightened apps that weren't previously enlightened. |
-
| Publisher, Name, File, and Max version only | -If you only fill out these fields, you’ll get the specified version or older releases of the named file or package for the specified product, signed by the named publisher. | -
| All fields completed | -If you fill out all fields, you’ll get the specified version of the named file or package for the specified product, signed by the named publisher. | -
| Limitation | -How it appears | -Workaround | -
|---|---|---|
| Your enterprise data on USB drives might be tied to the device it was protected on, based on your Azure RMS configuration. | -If you’re using Azure RMS: Authenticated users can open enterprise data on USB drives, on computers running Windows 10, version 1703. If you’re not using Azure RMS: Data in the new location remains encrypted, but becomes inaccessible on other devices and for other users. For example, the file won't open or the file opens, but doesn't contain readable text. |
- Share files with fellow employees through enterprise file servers or enterprise cloud locations. If data must be shared via USB, employees can decrypt protected files, but it will be audited. We strongly recommend educating employees about how to limit or eliminate the need for this decryption. |
-
| Direct Access is incompatible with WIP. | -Direct Access might experience problems with how WIP enforces app behavior and data movement because of how WIP determines what is and isn’t a corporate network resource. | -We recommend that you use VPN for client access to your intranet resources. Note VPN is optional and isn’t required by WIP. |
-
| NetworkIsolation Group Policy setting takes precedence over MDM Policy settings. | -The NetworkIsolation Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured. | -If you use both Group Policy and MDM to configure your NetworkIsolation settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM. | -
| Cortana can potentially allow data leakage if it’s on the allowed apps list. | -If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft. | -We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app. | -
| WIP is designed for use by a single user per device. | -A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process. | -We recommend only having one user per managed device. | -
| Installers copied from an enterprise network file share might not work properly. | -An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action. | -To fix this, you can:
-
|
-
| Changing your primary Corporate Identity isn’t supported. | -You might experience various instabilities, including but not limited to network and file access failures, and potentially granting incorrect access. | -Turn off WIP for all devices before changing the primary Corporate Identity (first entry in the list), restarting, and finally redeploying. | -
| Redirected folders with Client-Side Caching are not compatible with WIP. | -Apps might encounter access errors while attempting to read a cached, offline file. | -Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business. Note For more info about Work Folders and Offline Files, see the blog, Work Folders and Offline Files support for Windows Information Protection. If you're having trouble opening files offline while using Offline Files and WIP, see the support article, Can't open files offline when you use Offline Files and Windows Information Protection. |
-
| An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device. | -Data copied from the WIP-managed device is marked as Work. Data copied to the WIP-managed device is not marked as Work. Local Work data copied to the WIP-managed device remains Work data. Work data that is copied between two apps in the same session remains data. |
- Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default. | -
| You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. | -A message appears stating that the content is marked as Work and the user isn't given an option to override to Personal. | -Open File Explorer and change the file ownership to Personal before you upload. | -
| ActiveX controls should be used with caution. | -Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. | -We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology. For more info, see Out-of-date ActiveX control blocking. |
-
| Resilient File System (ReFS) isn't currently supported with WIP. | -Trying to save or transfer WIP files to ReFS will fail. | -Format drive for NTFS, or use a different drive. | -
WIP isn’t turned on if any of the following folders have the MakeFolderAvailableOfflineDisabled option set to False:
-
|
- WIP isn’t turned on for employees in your organization. Error code 0x807c0008 will result if WIP is deployed by using Microsoft Endpoint Configuration Manager. | -Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders. You can configure this parameter, as described here. If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see Can't open files offline when you use Offline Files and Windows Information Protection. - |
-
| Only enlightened apps can be managed without device enrollment - | -If a user enrolls a device for Mobile Application Management (MAM) without device enrollment, only enlightened apps will be managed. This is by design to prevent personal files from being unintentionally encrypted by unenlighted apps. Unenlighted apps that need to access work using MAM need to be re-compiled as LOB apps or managed by using MDM with device enrollment. | -If all apps need to be managed, enroll the device for MDM. - | -
| By design, files in the Windows directory (%windir% or C:/Windows) cannot be encrypted because they need to be accessed by any user. If a file in the Windows directory gets encrypted by one user, other users can't access it. |
- Any attempt to encrypt a file in the Windows directory will return a file access denied error. But if you copy or drag and drop an encrypted file to the Windows directory, it will retain encryption to honor the intent of the owner. - | -If you need to save an encrypted file in the Windows directory, create and encrypt the file in a different directory and copy it. - | -
| OneNote notebooks on OneDrive for Business must be properly configured to work with WIP. | -OneNote might encounter errors syncing a OneDrive for Business notebook and suggest changing the file ownership to Personal. Attempting to view the notebook in OneNote Online in the browser will show an error and unable to view it. | -"OneNote notebooks that are newly copied into the OneDrive for Business folder from File Explorer should get fixed automatically. To do this, follow these steps: -1. Close the notebook in OneNote. -2. Move the notebook folder via File Explorer out of the OneDrive for Business folder to another location, such as the Desktop. -3. Copy the notebook folder and Paste it back into the OneDrive for Business folder. - -Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button. | -
| Microsoft Office Outlook offline data files (PST and OST files) are not marked as Work files, and are therefore not protected. - | -If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected. - | -It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually. - | -
**Note** VPN is optional and isn’t required by WIP.| +|**NetworkIsolation** Group Policy setting takes precedence over MDM Policy settings.|The **NetworkIsolation** Group Policy setting can configure network settings that can also be configured by using MDM. WIP relies on these policies being correctly configured.|If you use both Group Policy and MDM to configure your **NetworkIsolation** settings, you must make sure that those same settings are deployed to your organization using both Group Policy and MDM.| +|Cortana can potentially allow data leakage if it’s on the allowed apps list.|If Cortana is on the allowed list, some files might become unexpectedly encrypted after an employee performs a search using Cortana. Your employees will still be able to use Cortana to search and provide results on enterprise documents and locations, but results might be sent to Microsoft.|We don’t recommend adding Cortana to your allowed apps list. However, if you wish to use Cortana and don't mind whether the results potentially go to Microsoft, you can make Cortana an Exempt app.| +|WIP is designed for use by a single user per device.|A secondary user on a device might experience app compatibility issues when unenlightened apps start to automatically encrypt for all users. Additionally, only the initial, enrolled user’s content can be revoked during the unenrollment process.|We recommend only having one user per managed device.| +|Installers copied from an enterprise network file share might not work properly.|An app might fail to properly install because it can’t read a necessary configuration or data file, such as a .cab or .xml file needed for installation, which was protected by the copy action.|To fix this, you can:
-OR-
-OR-
**Note** For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/)". If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045).| +|An unmanaged device can use Remote Desktop Protocol (RDP) to connect to a WIP-managed device.|Data copied from the WIP-managed device is marked as **Work**.Data copied to the WIP-managed device is not marked as **Work**.Local **Work** data copied to the WIP-managed device remains **Work** data.**Work** data that is copied between two apps in the same session remains ** data.|Disable RDP to prevent access because there is no way to restrict access to only devices managed by WIP. RDP is disabled by default.| +|You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer.|A message appears stating that the content is marked as **Work** and the user isn't given an option to override to **Personal**.|Open File Explorer and change the file ownership to **Personal** before you upload.| +|ActiveX controls should be used with caution.|Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP.|We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.For more info, see [Out-of-date ActiveX control blocking](/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking).| +|Resilient File System (ReFS) isn't currently supported with WIP.|Trying to save or transfer WIP files to ReFS will fail.|Format drive for NTFS, or use a different drive.| +|WIP isn’t turned on if any of the following folders have the **MakeFolderAvailableOfflineDisabled** option set to **False**:
Wait a few minutes to allow OneDrive to finish syncing & upgrading the notebook, and the folder should automatically convert to an Internet Shortcut. Opening the shortcut will open the notebook in the browser, which can then be opened in the OneNote client by using the “Open in app” button.| +|Microsoft Office Outlook offline data files (PST and OST files) are not marked as **Work** files, and are therefore not protected.|If Microsoft Office Outlook is set to work in cached mode (default setting), or if some emails are stored in a local PST file, the data is unprotected.|It is recommended to use Microsoft Office Outlook in Online mode, or to use encryption to protect OST and PST files manually.| > [!NOTE] > When corporate data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity. One caveat to keep in mind is that the Preview Pane in File Explorer will not work for encrypted files. - - - > [!NOTE] > Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to our content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md index c2b7cb2188..0bc4cc6341 100644 --- a/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/testing-scenarios-for-wip.md @@ -31,141 +31,20 @@ You can try any of the processes included in these scenarios, but you should foc >[!IMPORTANT] >If any of these scenarios does not work, first take note of whether WIP has been revoked. If it has, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted. -
| Scenario | -Processes | -
|---|---|
| Encrypt and decrypt files using File Explorer. | -For desktop: -
-
|
-
| Create work documents in enterprise-allowed apps. | -For desktop: -
-
|
| Block enterprise data from non-enterprise apps. | -
-
|
-
| Copy and paste from enterprise apps to non-enterprise apps. | -
-
|
-
| Drag and drop from enterprise apps to non-enterprise apps. | -
-
|
-
| Share between enterprise apps and non-enterprise apps. | -
-
|
-
| Verify that Windows system components can use WIP. | -
-
|
-
| Use WIP on NTFS, FAT, and exFAT systems. | -
-
|
-
| Verify your shared files can use WIP. | -
-
|
-
| Verify your cloud resources can use WIP. | -
-
|
-
| Verify your Virtual Private Network (VPN) can be auto-triggered. | -
-
|
-
| Unenroll client devices from WIP. | -
-
|
-
.exe and .dll, along with certain file paths, such as %windir% and %programfiles% are excluded from automatic encryption.| Specific EMET features | -How these EMET features map -to Windows 10 features |
-
|---|---|
|
-DEP, SEHOP, and ASLR are included in Windows 10 as configurable features. See Table 2, earlier in this topic. -You can install the ProcessMitigations PowerShell module to convert your EMET settings for these features into policies that you can apply to Windows 10. |
-
|
-LoadLib and MemProt are supported in Windows 10, for all applications that are written to use these functions. See Table 4, earlier in this topic. | -
|
-Mitigations for this threat are built into Windows 10, as described in the "Memory reservations" item in Kernel pool protections, earlier in this topic. | -
|
-Windows 10 does not include mitigations that map specifically to these EMET features because they have low impact in the current threat landscape, and do not significantly increase the difficulty of exploiting vulnerabilities. Microsoft remains committed to monitoring the security environment as new exploits appear and taking steps to harden the operating system against them. | -
|
-Mitigated in Windows 10 with applications compiled with Control Flow Guard, as described in Control Flow Guard, earlier in this topic. | -
| Hardware | -Motivation | -
|---|---|
UEFI 2.3.1 or later firmware with Secure Boot enabled |
-Required to support UEFI Secure Boot. -UEFI Secure Boot ensures that the device boots only authorized code. -Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby” |
-
Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled |
-Required to support virtualization-based security. -
-Note
-Device Guard can be enabled without using virtualization-based security. -
-
- |
-
X64 processor |
-Required to support virtualization-based security that uses Windows Hypervisor. Hyper-V is supported only on x64 processor (and not on x86). -Direct Memory Access (DMA) protection can be enabled to provide additional memory protection but requires processors to include DMA protection technologies. |
-
IOMMU, such as Intel VT-d, AMD-Vi |
-Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks. |
-
Trusted Platform Module (TPM) |
-Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1) |
-
UEFI Secure Boot ensures that the device boots only authorized code.
Additionally, Boot Integrity (Platform Secure Boot) must be supported following the requirements in Hardware Compatibility Specification for Systems for Windows 10 under the subsection: “System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby”| +|Virtualization extensions, such as Intel VT-x, AMD-V, and SLAT must be enabled|Required to support virtualization-based security.
Direct Memory Access (DMA) protection can be enabled to provide additional memory protection but requires processors to include DMA protection technologies.| +|IOMMU, such as Intel VT-d, AMD-Vi|Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.| +|Trusted Platform Module (TPM)|Required to support health attestation and necessary for additional key protections for virtualization-based security. TPM 2.0 is supported. Support for TPM 1.2 was added beginning in Windows 10, version 1607 (RS1)| This section presented information about several closely related controls in Windows 10. The multi-layer defenses and in-depth approach helps to eradicate low-level malware during boot sequence. Virtualization-based security is a fundamental operating system architecture change that adds a new security boundary. Device Guard and Credential Guard respectively help to block untrusted code and protect corporate domain credentials from theft and reuse. This section also briefly discussed the importance of managing devices and patching vulnerabilities. All these technologies can be used to harden and lock down devices while limiting the risk of attackers compromising them. @@ -591,36 +555,9 @@ For completeness of the measurements, see [Health Attestation CSP](/windows/clie The following table presents some key items that can be reported back to MDM depending on the type of Windows 10-based device. -
| OS type | -Key items that can be reported | -
|---|---|
Windows 10 for desktop editions |
-
|
-