From ce461eb67c6a79f335e1b802bfc4f4b8a1e4690e Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Thu, 27 Apr 2023 14:33:55 -0400
Subject: [PATCH 1/9] Remove duplication
---
windows/client-management/esim-enterprise-management.md | 8 +++++++-
windows/client-management/toc.yml | 2 ++
2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index 59197ad641..a743593867 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -20,9 +20,15 @@ The eSIM Profile Management Solution places the Mobile Device Management (MDM) P
If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
- Onboard to Azure Active Directory
-- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies. Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this capability to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies. As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties. Potential orchestrator providers you could contact include:
+- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies.
+
+ As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties.
+
+ Potential orchestrator providers you could contact include:
+
- [HPE Device Entitlement Gateway](https://www.hpe.com/emea_europe/en/solutions/digital-communications-services.html)
- [IDEMIA The Smart Connect - Hub](https://www.idemia.com/smart-connect-hub)
+
- Assess solution type that you would like to provide your customers
- Batch/offline solution
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
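Review bot: the copy kept in the first `+` line is the older of the two duplicated variants; the removed line also carried the later wording ("offer this capability", "This characteristic makes it possible"), so retain that version if it was the intended revision. The continuation paragraphs added under the "Contact mobile operators" bullet ("As an MDM provider, ..." and "Potential orchestrator providers you could contact include:") must stay indented under that bullet, otherwise the list ends there and the HPE/IDEMIA links become a new list after a blank line. While that sentence is being moved, "Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding" would read better as "act as a proxy, handling both MDM onboarding and mobile operator onboarding".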
diff --git a/windows/client-management/toc.yml b/windows/client-management/toc.yml
index 5b714f4154..9a48d7372f 100644
--- a/windows/client-management/toc.yml
+++ b/windows/client-management/toc.yml
@@ -52,6 +52,8 @@ items:
href: config-lock.md
- name: Certificate renewal
href: certificate-renewal-windows-mdm.md
+ - name: eSIM management
+ href: esim-enterprise-management.md
- name: Diagnose MDM failures
expanded: false
items:
From 79ad804c474368b77c8e93b53ba3377b73451dc7 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Thu, 27 Apr 2023 14:53:25 -0400
Subject: [PATCH 2/9] acro-changes
---
.../client-management/esim-enterprise-management.md | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/windows/client-management/esim-enterprise-management.md b/windows/client-management/esim-enterprise-management.md
index a743593867..48902df441 100644
--- a/windows/client-management/esim-enterprise-management.md
+++ b/windows/client-management/esim-enterprise-management.md
@@ -15,14 +15,16 @@ appliesto:
# How Mobile Device Management Providers support eSIM Management on Windows
-The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices. The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and be able to use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/de-assignment, etc.) the same way as they currently do device management.
+The eSIM Profile Management Solution places the Mobile Device Management (MDM) Provider in the front and center. The whole idea is to use an already-existing solution that customers are familiar with and use to manage devices.
-If you are a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
+The expectations from an MDM are that it will use the same sync mechanism that it uses for device policies to push any policy to the eSIM profile, and use Groups and Users the same way. This way, the eSIM profile download and the installation happen in the background without impacting the end user. Similarly, the IT admin would use the same method of managing the eSIM profiles (Assignment/un-assignment, etc.) the same way as they currently do device management.
+
+If you're a Mobile Device Management (MDM) Provider and want to support eSIM Management on Windows, perform the following steps:
- Onboard to Azure Active Directory
-- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for eSIM profiles to be managed by MDM providers in the case of enterprise use cases. However, Windows does not limit how ecosystem partners might want to offer this to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This makes it possible to remotely manage the eSIM profiles according to the company policies.
+- Contact mobile operators directly or contact orchestrator providers. Windows provides the capability for MDM providers to manager eSIM profiles for enterprise use cases. However, Windows doesn't limit how ecosystem partners offer this service to their own partners and/or customers. As such, the eSIM profile management capability is something that can be supported by integrating with the Windows OMA-DM. This characteristic makes it possible to remotely manage the eSIM profiles according to the company policies.
- As an MDM provider, if you are looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties.
+ As an MDM provider, if you're looking to integrate/onboard to a mobile operator on a 1:1 basis, contact them and learn more about their onboarding. If you would like to integrate and work with only one MDM provider, contact that provider directly. If you would like to offer eSIM management to customers using different MDM providers, contact an orchestrator provider. Orchestrator providers act as proxy handling MDM onboarding and as a mobile operator onboarding. Their role is to make the process as painless and scalable as possible for all parties.
Potential orchestrator providers you could contact include:
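Review bot: typo in the rewritten bullet: "capability for MDM providers to manager eSIM profiles" should read "to manage eSIM profiles". In the same bullet, "integrating with the Windows OMA-DM" is missing its noun; "the Windows OMA-DM client" is what an MDM integrates with. "(Assignment/un-assignment, etc.)" can be lowercased to "(assignment/unassignment, etc.)".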
@@ -34,7 +36,7 @@ If you are a Mobile Device Management (MDM) Provider and want to support eSIM Ma
- IT Admin can manually import a flat file containing list of eSIM activation codes, and provision eSIM on LTE enabled devices.
- Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to
- Real-time solution
-- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via sim vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
+- MDM automatically syncs with the Operator backend system for subscription pool and eSIM management, via SIM vendor solution component. IT Admin can view subscription pool and provision eSIM in real time.
- Operator is notified of the status of each eSIM profile and has visibility on which devices are being used
> [!NOTE]
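Review bot: the unchanged bullet "Operator doesn't have visibility over status of the eSIM profiles and device eSIM has been downloaded and installed to" is missing a relative pronoun; since the neighbouring bullet is being edited for "SIM vendor", fix this one too: "...the status of the eSIM profiles and which devices the eSIM has been downloaded and installed to".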
From 2752ed647949ef269412e697576d4c41b4339f1c Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Thu, 27 Apr 2023 15:22:29 -0400
Subject: [PATCH 3/9] Learn Editor: Update
new-in-windows-mdm-enrollment-management.md
---
.../new-in-windows-mdm-enrollment-management.md | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/windows/client-management/new-in-windows-mdm-enrollment-management.md b/windows/client-management/new-in-windows-mdm-enrollment-management.md
index 194c51ac66..b1f316d46d 100644
--- a/windows/client-management/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/new-in-windows-mdm-enrollment-management.md
@@ -19,7 +19,7 @@ appliesto:
This article provides information about what's new in mobile device management (MDM) enrollment and management experience across all Windows devices. This article also provides details about the breaking changes and known issues and frequently asked questions.
-For details about Microsoft mobile device management protocols for Windows, see [\[MS-MDM\]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
+For details about Microsoft mobile device management protocols for Windows, see [[MS-MDM]: Mobile Device Management Protocol](/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f) and [[MS-MDE2]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
## What's new in MDM for Windows 11, version 22H2
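Review bot: dropping the backslash escapes leaves nested brackets inside the link text (`[[MS-MDM]: Mobile Device Management Protocol](...)`). CommonMark accepts balanced brackets there, but this was probably escaped on purpose, so check the rendered preview before merging. The leading space inside `]( https://go.microsoft.com/fwlink/p/?LinkId=619347)` should also be removed while the line is being touched.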
@@ -28,7 +28,7 @@ For details about Microsoft mobile device management protocols for Windows, see
| [DeviceStatus](mdm/devicestatus-csp.md) | Added the following node:
For more information, see [Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins). |
-
### Update rings for Windows 10 or later
Your "Update rings for Windows 10 or later" policy in Intune must not target any Windows Autopatch devices.
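Review bot: the removed blank line was the only separator between the preceding table row (ending "For more information, see [Unlicensed admins](...). |") and the `### Update rings for Windows 10 or later` heading; markdownlint (MD022) expects blank lines around headings, so keep one blank line there rather than deleting it.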
From 7c4080a7a54d7a8f7d77fb86bbb5e859dd26eaaa Mon Sep 17 00:00:00 2001
From: Harman Thind <63820404+hathin@users.noreply.github.com>
Date: Thu, 27 Apr 2023 15:37:22 -0700
Subject: [PATCH 5/9] removed unlicensed admin from enroll tenant docs
@tiaraquan FYI on this change, no longer need this check in the assessment. Good to stage ASAP
---
.../windows-autopatch/prepare/windows-autopatch-enroll-tenant.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
index 7e202554d2..4ca771cece 100644
--- a/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
+++ b/windows/deployment/windows-autopatch/prepare/windows-autopatch-enroll-tenant.md
@@ -52,7 +52,6 @@ The following are the Microsoft Intune settings:
| Check | Description |
| ----- | ----- |
| Deployment rings for Windows 10 or later | Verifies that Intune's deployment rings for Windows 10 or later policy doesn't target all users or all devices. Policies of this type shouldn't target any Windows Autopatch devices. For more information, see [Configure deployment rings for Windows 10 and later in Intune](/mem/intune/protect/windows-10-update-rings). |
-| Unlicensed admin | Verifies that this setting is enabled to avoid a "lack of permissions" error when we interact with your Azure Active Directory (AD) organization. For more information, see [Unlicensed admins in Microsoft Intune](/mem/intune/fundamentals/unlicensed-admins). |
### Azure Active Directory settings
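Review bot: deleting the "Unlicensed admin" row leaves the table well-formed, but the commit message says the check is no longer part of the assessment, and the what's-new row touched in patch 3/9 still points readers to "[Unlicensed admins](/mem/intune/fundamentals/unlicensed-admins)"; update that reference in the same PR so the two pages don't disagree about whether the check exists.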
From cd0e07b04672a24808d75cda3b4e077560062718 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Fri, 28 Apr 2023 12:03:58 -0400
Subject: [PATCH 6/9] Add LDAP server channel binding token requirements
---
.../security-policy-settings/TOC.yml | 20 +++--
...rver-channel-binding-token-requirements.md | 90 +++++++++++++++++++
2 files changed, 101 insertions(+), 9 deletions(-)
create mode 100644 windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml
index 1e4b1fa586..df9030461f 100644
--- a/windows/security/threat-protection/security-policy-settings/TOC.yml
+++ b/windows/security/threat-protection/security-policy-settings/TOC.yml
@@ -1,22 +1,22 @@
- name: Security policy settings
href: security-policy-settings.md
- items:
+ items:
- name: Administer security policy settings
href: administer-security-policy-settings.md
- items:
+ items:
- name: Network List Manager policies
href: network-list-manager-policies.md
- name: Configure security policy settings
href: how-to-configure-security-policy-settings.md
- name: Security policy settings reference
href: security-policy-settings-reference.md
- items:
+ items:
- name: Account Policies
href: account-policies.md
- items:
+ items:
- name: Password Policy
href: password-policy.md
- items:
+ items:
- name: Enforce password history
href: enforce-password-history.md
- name: Maximum password age
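Review bot: this hunk, and the ones at -31, -40, -55 and -250, change only the indentation of `items:` keys. YAML indentation is significant, so confirm each re-indented `items:` still sits under its `- name:` parent after the change, and consider moving the whitespace-only re-indentation into its own commit so the LDAP channel binding TOC entry remains the reviewable change in this file.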
@@ -31,7 +31,7 @@
href: store-passwords-using-reversible-encryption.md
- name: Account Lockout Policy
href: account-lockout-policy.md
- items:
+ items:
- name: Account lockout duration
href: account-lockout-duration.md
- name: Account lockout threshold
@@ -40,7 +40,7 @@
href: reset-account-lockout-counter-after.md
- name: Kerberos Policy
href: kerberos-policy.md
- items:
+ items:
- name: Enforce user logon restrictions
href: enforce-user-logon-restrictions.md
- name: Maximum lifetime for service ticket
@@ -55,7 +55,7 @@
href: audit-policy.md
- name: Security Options
href: security-options.md
- items:
+ items:
- name: "Accounts: Administrator account status"
href: accounts-administrator-account-status.md
- name: "Accounts: Block Microsoft accounts"
@@ -92,6 +92,8 @@
href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md
- name: "Domain controller: Allow server operators to schedule tasks"
href: domain-controller-allow-server-operators-to-schedule-tasks.md
+ - name: "Domain controller: LDAP server channel binding token requirements"
+ href: domain-controller-ldap-server-channel-binding-token-requirements.md
- name: "Domain controller: LDAP server signing requirements"
href: domain-controller-ldap-server-signing-requirements.md
- name: "Domain controller: Refuse machine account password changes"
@@ -250,7 +252,7 @@
href: secpol-advanced-security-audit-policy-settings.md
- name: User Rights Assignment
href: user-rights-assignment.md
- items:
+ items:
- name: Access Credential Manager as a trusted caller
href: access-credential-manager-as-a-trusted-caller.md
- name: Access this computer from the network
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
new file mode 100644
index 0000000000..f76a21b998
--- /dev/null
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
@@ -0,0 +1,90 @@
+---
+title: Domain controller LDAP server channel binding token requirements
+description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server channel binding token requirements security policy setting.
+ms.reviewer:
+ms.author: waynmc
+ms.prod: windows-client
+ms.localizationpriority: medium
+author: waynmc-msft
+manager: rizhang
+ms.topic: conceptual
+ms.date: 04/26/2023
+ms.technology: itpro-security
+---
+
+# Domain controller: LDAP server channel binding token requirements
+
+**Applies to**:
+
+- Windows Server
+
+This article describes the best practices, location, values, and security considerations for the **Domain controller: LDAP server channel binding token requirements** security policy setting.
+
+## Reference
+
+This policy setting determines whether the Lightweight Directory Access Protocol (LDAP) server requires LDAP clients to negotiate channel bindings (EPA).
+
+Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks, where an intruder captures packets between the server and the client device and modifies them before forwarding them to the client device. In the example of an LDAP server, a malicious user can cause a client device to make decisions based on false records from the LDAP directory. You can lower this risk in a corporate network by implementing strong physical security measures to protect the network infrastructure. Furthermore, implementing Internet Protocol security (IPsec) Authentication Header mode, which provides mutual authentication and packet integrity for IP traffic, can make all types of man-in-the-middle attacks difficult.
+
+- If channel binding is set to Always, LDAP clients who don't support channel bindings will be rejected.
+- If channel binding is set to when supported, only incorrect channel bindings will be blocked, and clients who don't support channel binding can continue to connect via LDAP over TLS.
+
+CBT or EPA is used with TLS sessions when a SASL authentication method is used to authenticate the user. SASL means you use NTLM or Kerberos for user authentication. Ldap Simple Bind over TLS doesn't offer channel binding token protection and is therefore not recommended.
+
+### Possible values
+
+- Never: No channel binding validation is performed. This is the behavior of all servers that haven't been updated.
+- When Supported: Clients that advertise support for Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections; clients that don't advertise such support and/or don't use TLS/SSL connections aren't impacted. This is an intermediate option that allows for application compatibility.
+- Always: All clients must provide channel binding information over LDAPS. The server rejects LDAPS authentication requests from clients that don't do so.
+
+### Best practices
+
+We recommend that you set **Domain controller: LDAP server channel binding token requirements** to **Always**. Clients that don't support LDAP channel binding will be unable to execute LDAP queries against the domain controllers.
+
+### Location
+
+Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Security Options
+
+### Default values
+
+The following table lists the actual and effective default values for this policy. Default values are also listed on the policy's property page.
+
+| Server type or GPO | Default value |
+|--------------------------------------------|---------------|
+| Default Domain Policy | Not defined |
+| Default Domain Controller Policy | Not defined |
+| Stand-Alone Server Default Settings | Not defined |
+| DC Effective Default Settings | None |
+| Member Server Effective Default Settings | None |
+| Client Computer Effective Default Settings | None |
+
+## Policy management
+
+This section describes features and tools that are available to help you manage this policy.
+
+### Restart requirement
+
+None. Changes to this policy become effective without a device restart when they're saved locally or distributed through Group Policy.
+
+## Security considerations
+
+This section describes how an attacker might exploit a feature or its configuration, how to implement the countermeasure, and the possible negative consequences of countermeasure implementation.
+
+### Vulnerability
+
+Unsigned/Unprotected network traffic is susceptible to man-in-the-middle attacks. In such attacks, an intruder captures packets between the server and the client device, modifies them, and then forwards them to the client device. Regarding LDAP servers, an attacker could cause a client device to make decisions that are based on false records from the LDAP directory. To lower the risk of such an intrusion in an organization's network, you can implement strong physical security measures to protect the network infrastructure. You could also implement Internet Protocol security (IPsec) Authentication Header mode, which performs mutual authentication and packet integrity for IP traffic to make all types of man-in-the-middle attacks difficult.
+
+### Countermeasure
+
+Configure the **Domain controller: LDAP server channel binding token requirements** setting to **Always**.
+
+### Potential impact
+
+Client devices that don't support LDAP channel binding can't run LDAP queries against the domain controllers.
+
+## Related articles
+
+- [Security Options](security-options.md)
+- [LDAP session security settings and requirements after ADV190023 is installed](/troubleshoot/windows-server/identity/ldap-session-security-settings-requirements-adv190023)
+- [2020 LDAP channel binding and LDAP signing requirements for Windows (KB4520412)](https://support.microsoft.com/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-kb4520412-ef185fb8-00f7-167d-744c-f299a66fc00a)
+- [KB4034879: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure](https://support.microsoft.com/topic/kb4034879-use-the-ldapenforcechannelbinding-registry-entry-to-make-ldap-authentication-over-ssl-tls-more-secure-e9ecfa27-5e57-8519-6ba3-d2c06b21812e)
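Review bot: "Best practices" and "Potential impact" say clients without channel binding support "will be unable to execute LDAP queries against the domain controllers", but "Possible values" states that Always only rejects "LDAPS authentication requests" from such clients; scope both statements to LDAP over TLS/SSL (SASL binds) so readers don't expect plain or signed LDAP to be affected. The Default values table lists "None" for the effective settings, which isn't one of the defined values (Never / When Supported / Always); use the matching value or "Not defined". The man-in-the-middle paragraph under "Reference" is repeated almost verbatim under "Vulnerability"; keep one copy. Consistency nits: "set to when supported" should use the value name "When Supported"; "Ldap Simple Bind" should be "LDAP simple bind"; and CBT / EPA should be expanded at first use (channel binding token / Extended Protection for Authentication), since "(EPA)" appears unexplained in the first sentence of "Reference". Since the related links cite the LdapEnforceChannelBinding registry entry, one sentence stating that this policy maps to that entry would help admins who configure it via registry.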
From aafa955ae41aa5ff01d145aaea42f9b1d2af9b0f Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Fri, 28 Apr 2023 12:09:59 -0400
Subject: [PATCH 7/9] update metadata
---
...roller-ldap-server-channel-binding-token-requirements.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
index f76a21b998..8328477019 100644
--- a/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
+++ b/windows/security/threat-protection/security-policy-settings/domain-controller-ldap-server-channel-binding-token-requirements.md
@@ -1,12 +1,12 @@
---
title: Domain controller LDAP server channel binding token requirements
description: Describes the best practices, location, values, and security considerations for the Domain controller LDAP server channel binding token requirements security policy setting.
-ms.reviewer:
+ms.reviewer: waynmc
ms.author: waynmc
ms.prod: windows-client
ms.localizationpriority: medium
-author: waynmc-msft
-manager: rizhang
+author: vinaypamnani-msft
+manager: aaroncz
ms.topic: conceptual
ms.date: 04/26/2023
ms.technology: itpro-security
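Review bot: ms.date stays 04/26/2023 although the file is created and its metadata revised on 28 Apr 2023; bump it so the published "last updated" stamp reflects the content. ms.reviewer and ms.author now both point at waynmc while author is vinaypamnani-msft; fine if intended, but confirm it matches the repo's author/ms.author pairing convention.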
From 28ae62ccd6e65ab34ded23138f3fc90d2a94bbbc Mon Sep 17 00:00:00 2001
From: Angela Fleischmann