diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index b15fa65bb2..81696cd310 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -79,6 +79,11 @@ "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md", "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-exploit-protection-mitigations", "redirect_document_id": true + }, + { + "source_path": "windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md", + "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/ios-privacy", + "redirect_document_id": true }, { "source_path": "windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md", diff --git a/windows/application-management/apps-in-windows-10.md b/windows/application-management/apps-in-windows-10.md index 9d150d9583..31da1afc51 100644 --- a/windows/application-management/apps-in-windows-10.md +++ b/windows/application-management/apps-in-windows-10.md @@ -39,53 +39,53 @@ You can list all provisioned Windows apps with this PowerShell command: Get-AppxProvisionedPackage -Online | Format-Table DisplayName, PackageName ``` -Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, and 1909. +Here are the provisioned Windows apps in Windows 10 versions 1803, 1809, 1903, 1909, and 2004. -| Package name | App name | 1803 | 1809 | 1903 | 1909 | Uninstall through UI? | -|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:---------------------:| -| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | Yes | -| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | Via Settings App | -| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | Yes | -| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | | -| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | No | -| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.VP9VideoExtensions | | | x | x | x | No | -| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | No | -| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | No | -| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | No | -| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | No | -| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | No | +| Package name | App name | 1803 | 1809 | 1903 | 1909 | 2004 | Uninstall through UI? | +|----------------------------------------------|--------------------------------------------------------------------------------------------------------------------|:----:|:----:|:----:|:----:|:----:|:---------------------:| +| Microsoft.3DBuilder | [3D Builder](ms-windows-store://pdp/?PFN=Microsoft.3DBuilder_8wekyb3d8bbwe) | | | | | | Yes | +| Microsoft.BingWeather | [MSN Weather](ms-windows-store://pdp/?PFN=Microsoft.BingWeather_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.DesktopAppInstaller | [App Installer](ms-windows-store://pdp/?PFN=Microsoft.DesktopAppInstaller_8wekyb3d8bbwe) | x | x | x | x | x | Via Settings App | +| Microsoft.GetHelp | [Get Help](ms-windows-store://pdp/?PFN=Microsoft.Gethelp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Getstarted | [Microsoft Tips](ms-windows-store://pdp/?PFN=Microsoft.Getstarted_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.HEIFImageExtension | [HEIF Image Extensions](ms-windows-store://pdp/?PFN=Microsoft.HEIFImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Messaging | [Microsoft Messaging](ms-windows-store://pdp/?PFN=Microsoft.Messaging_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Microsoft3DViewer | [Mixed Reality Viewer](ms-windows-store://pdp/?PFN=Microsoft.Microsoft3DViewer_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MicrosoftOfficeHub | [Office](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftOfficeHub_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftSolitaireCollection | [Microsoft Solitaire Collection](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.MicrosoftStickyNotes | [Microsoft Sticky Notes](ms-windows-store://pdp/?PFN=Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.MixedReality.Portal | [Mixed Reality Portal](ms-windows-store://pdp/?PFN=Microsoft.MixedReality.Portal_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.MSPaint | [Paint 3D](ms-windows-store://pdp/?PFN=Microsoft.MSPaint_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Office.OneNote | [OneNote for Windows 10](ms-windows-store://pdp/?PFN=Microsoft.Office.OneNote_8wekyb3d8bbwe) | x | x | x | x | x | Yes | +| Microsoft.OneConnect | [Mobile Plans](ms-windows-store://pdp/?PFN=Microsoft.OneConnect_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Outlook.DesktopIntegrationServices | | | | | x | x | | +| Microsoft.People | [Microsoft People](ms-windows-store://pdp/?PFN=Microsoft.People_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Print3D | [Print 3D](ms-windows-store://pdp/?PFN=Microsoft.Print3D_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ScreenSketch | [Snip & Sketch](ms-windows-store://pdp/?PFN=Microsoft.ScreenSketch_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.SkypeApp | [Skype](ms-windows-store://pdp/?PFN=Microsoft.SkypeApp_kzf8qxf38zg5c) | x | x | x | x | x | No | +| Microsoft.StorePurchaseApp | [Store Purchase App](ms-windows-store://pdp/?PFN=Microsoft.StorePurchaseApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.VP9VideoExtensions | | | x | x | x | x | No | +| Microsoft.Wallet | [Microsoft Pay](ms-windows-store://pdp/?PFN=Microsoft.Wallet_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebMediaExtensions | [Web Media Extensions](ms-windows-store://pdp/?PFN=Microsoft.WebMediaExtensions_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WebpImageExtension | [Webp Image Extension](ms-windows-store://pdp/?PFN=Microsoft.WebpImageExtension_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.Windows.Photos | [Microsoft Photos](ms-windows-store://pdp/?PFN=Microsoft.Windows.Photos_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsAlarms | [Windows Alarms & Clock](ms-windows-store://pdp/?PFN=Microsoft.WindowsAlarms_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCalculator | [Windows Calculator](ms-windows-store://pdp/?PFN=Microsoft.WindowsCalculator_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsCamera | [Windows Camera](ms-windows-store://pdp/?PFN=Microsoft.WindowsCamera_8wekyb3d8bbwe) | x | x | x | x | x | No | +| microsoft.windowscommunicationsapps | [Mail and Calendar](ms-windows-store://pdp/?PFN=microsoft.windowscommunicationsapps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsFeedbackHub | [Feedback Hub](ms-windows-store://pdp/?PFN=Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsMaps | [Windows Maps](ms-windows-store://pdp/?PFN=Microsoft.WindowsMaps_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsSoundRecorder | [Windows Voice Recorder](ms-windows-store://pdp/?PFN=Microsoft.WindowsSoundRecorder_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.WindowsStore | [Microsoft Store](ms-windows-store://pdp/?PFN=Microsoft.WindowsStore_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.Xbox.TCUI | [Xbox Live in-game experience](ms-windows-store://pdp/?PFN=Microsoft.Xbox.TCUI_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxApp | [Xbox Console Companion](ms-windows-store://pdp/?PFN=Microsoft.XboxApp_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGameOverlay | [Xbox Game Bar Plugin](ms-windows-store://pdp/?PFN=Microsoft.XboxGameOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxGamingOverlay | [Xbox Game Bar](ms-windows-store://pdp/?PFN=Microsoft.XboxGamingOverlay_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxIdentityProvider | [Xbox Identity Provider](ms-windows-store://pdp/?PFN=Microsoft.XboxIdentityProvider_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.XboxSpeechToTextOverlay | | x | x | x | x | x | No | +| Microsoft.YourPhone | [Your Phone](ms-windows-store://pdp/?PFN=Microsoft.YourPhone_8wekyb3d8bbwe) | | x | x | x | x | No | +| Microsoft.ZuneMusic | [Groove Music](ms-windows-store://pdp/?PFN=Microsoft.ZuneMusic_8wekyb3d8bbwe) | x | x | x | x | x | No | +| Microsoft.ZuneVideo | [Movies & TV](ms-windows-store://pdp/?PFN=Microsoft.ZuneVideo_8wekyb3d8bbwe) | x | x | x | x | x | No | >[!NOTE] >The Store app can't be removed. If you want to remove and reinstall the Store app, you can only bring Store back by either restoring your system from a backup or resetting your system. Instead of removing the Store app, you should use group policies to hide or disable it. diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md index bc6f44d66e..f25c37dce5 100644 --- a/windows/client-management/connect-to-remote-aadj-pc.md +++ b/windows/client-management/connect-to-remote-aadj-pc.md @@ -22,13 +22,10 @@ ms.topic: article - Windows 10 -From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). +From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](https://docs.microsoft.com/azure/active-directory/user-help/device-management-azuread-joined-devices-setup). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics). ![Remote Desktop Connection client](images/rdp.png) -> [!TIP] -> Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session.](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics) - ## Set up - Both PCs (local and remote) must be running Windows 10, version 1607 or later. Remote connections to an Azure AD-joined PC running earlier versions of Windows 10 are not supported. @@ -37,36 +34,39 @@ From its release, Windows 10 has supported remote connections to PCs joined to A Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-guard), a new feature in Windows 10, version 1607, is turned off on the client PC you are using to connect to the remote PC. - On the PC you want to connect to: + 1. Open system properties for the remote PC. + 2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**. - ![Allow remote connections to this computer](images/allow-rdp.png) + ![Allow remote connections to this computer](images/allow-rdp.png) - 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users to connect to the PC, you must allow remote connections for the local **Authenticated Users** group. Click **Select Users**. + 3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Click **Select Users -> Add** and enter the name of the user or group. - > [!NOTE] - > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet: - > ```PowerShell - > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" - > ``` - > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. - > - > This command only works for AADJ device users already added to any of the local groups (administrators). - > Otherwise this command throws the below error. For example: - > - for cloud only user: "There is no such global user or group : *name*" - > - for synced user: "There is no such global user or group : *name*"
- > - > In Windows 10, version 1709, the user does not have to sign in to the remote device first. - > - > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + > [!NOTE] + > You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once, and then running the following PowerShell cmdlet: + > ```powershell + > net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user" + > ``` + > where *the-UPN-attribute-of-your-user* is the name of the user profile in C:\Users\, which is created based on the DisplayName attribute in Azure AD. + > + > This command only works for AADJ device users already added to any of the local groups (administrators). + > Otherwise this command throws the below error. For example: + > - for cloud only user: "There is no such global user or group : *name*" + > - for synced user: "There is no such global user or group : *name*"
+ + > [!NOTE] + > In Windows 10, version 1709, the user does not have to sign in to the remote device first. + > + > In Windows 10, version 1709, you can add other Azure AD users to the **Administrators** group on a device in **Settings** and restrict remote credentials to **Administrators**. If there is a problem connecting remotely, make sure that both devices are joined to Azure AD and that TPM is functioning properly on both devices. + + 4. Click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. - 4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC. + > [!TIP] + > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. - > [!TIP] - > When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant. - -> [!Note] -> If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). + > [!Note] + > If you cannot connect using Remote Desktop Connection 6.0, you must turn off the new features of RDP 6.0 and revert back to RDP 5.0 by making a few changes in the RDP file. See the details in the [support article](https://support.microsoft.com/help/941641/remote-desktop-connection-6-0-prompts-you-for-credentials-before-you-e). ## Supported configurations diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md index 201773d50c..adc08ab268 100644 --- a/windows/client-management/mdm/TOC.md +++ b/windows/client-management/mdm/TOC.md @@ -267,6 +267,7 @@ #### [LanmanWorkstation](policy-csp-lanmanworkstation.md) #### [Licensing](policy-csp-licensing.md) #### [LocalPoliciesSecurityOptions](policy-csp-localpoliciessecurityoptions.md) +#### [LocalUsersAndGroups](policy-csp-localusersandgroups.md) #### [LockDown](policy-csp-lockdown.md) #### [Maps](policy-csp-maps.md) #### [Messaging](policy-csp-messaging.md) @@ -307,6 +308,7 @@ #### [WindowsInkWorkspace](policy-csp-windowsinkworkspace.md) #### [WindowsLogon](policy-csp-windowslogon.md) #### [WindowsPowerShell](policy-csp-windowspowershell.md) +#### [WindowsSandbox](policy-csp-windowssandbox.md) #### [WirelessDisplay](policy-csp-wirelessdisplay.md) ### [PolicyManager CSP](policymanager-csp.md) ### [Provisioning CSP](provisioning-csp.md) diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md index 8e84d077d5..b511fd100f 100644 --- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md +++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md @@ -165,7 +165,10 @@ The following image illustrates how MDM applications will show up in the Azure a ### Add cloud-based MDM to the app gallery -You should work with the Azure AD engineering team if your MDM application is cloud-based. The following table shows the required information to create an entry in the Azure AD app gallery. +> [!NOTE] +> You should work with the Azure AD engineering team if your MDM application is cloud-based and needs to be enabled as a multi-tenant MDM application + +The following table shows the required information to create an entry in the Azure AD app gallery. diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index ad1f407c70..ec0aca468f 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -5575,6 +5575,29 @@ The following diagram shows the Policy configuration service provider in tree fo +### WindowsSandbox policies + +
+
+ WindowsSandbox/AllowAudioInput +
+
+ WindowsSandbox/AllowClipboardRedirection +
+
+ WindowsSandbox/AllowNetworking +
+
+ WindowsSandbox/AllowPrinterRedirection +
+
+ WindowsSandbox/AllowVGPU +
+
+ WindowsSandbox/AllowVideoInput +
+
+ ### WirelessDisplay policies
diff --git a/windows/client-management/mdm/policy-csp-localusersandgroups.md b/windows/client-management/mdm/policy-csp-localusersandgroups.md new file mode 100644 index 0000000000..a192f2c35f --- /dev/null +++ b/windows/client-management/mdm/policy-csp-localusersandgroups.md @@ -0,0 +1,232 @@ +--- +title: Policy CSP - LocalUsersAndGroups +description: Policy CSP - LocalUsersAndGroups +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/14/2020 +ms.reviewer: +manager: dansimp +--- + +# Policy CSP - LocalUsersAndGroups + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +
+ + +## LocalUsersAndGroups policies + +
+
+ LocalUsersAndGroups/Configure +
+
+ + +
+ + +**LocalUsersAndGroups/Configure** + + +
+ + + + + + + + + + + + + + + + + + + + + + + + +
Windows EditionSupported?
Homecross mark
Procheck mark9
Businesscheck mark9
Enterprisecheck mark9
Educationcheck mark9
+ + +
+ + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
+ + + +Available in Windows 10, version 2010. This policy setting allows IT admins to add, remove, or replace members of local groups on a managed device. + +> [!NOTE] +> The [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting also allows you to configure members (users or AAD groups) to a Windows 10 local group. However, it allows only for a full replace of the existing groups with the new members and does not allow selective add or remove. +> +> Starting from Windows 10, version 2010, it is recommended to use the LocalUsersandGroups policy instead of the RestrictedGroups policy. Applying both the policies to the same device is unsupported and may yield unpredictable results. + +Here's an example of the policy definition XML for group configuration: + +```xml + + + + + + + +``` + +where: + +- ``: Specifies the name or SID of the local group to configure. If you specify a SID, the [LookupAccountSid](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountsida) API is used to translate the SID to a valid group name. If you specify a name, the [LookupAccountName](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea) API is used to lookup the group and validate the name. If name/SID lookup fails, the group is skipped and the next group in the XML file is processed. If there are multiple errors, the last error is returned at the end of the policy processing. +- ``: Specifies the action to take on the local group, which can be Update and Restrict, represented by U and R: + - Update. This action must be used to keep the current group membership intact and add or remove members of the specific group. + - Restrict. This action must be used to replace current membership with the newly specified groups. This action provides the same functionality as the [RestrictedGroups/ConfigureGroupMembership](./policy-csp-restrictedgroups.md#restrictedgroups-configuregroupmembership) policy setting. +- ``: Specifies the SID or name of the member to configure. +- ``: Specifies the SID or name of the member to remove from the specified group. + + > [!NOTE] + > When specifying member names of domain accounts, use fully qualified account names where possible (for example, domain_name\user_name) instead of isolated names (for example, group_name). This way, you can avoid getting ambiguous results when users or groups with the same name exist in multiple domains and locally. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + +See [Use custom settings for Windows 10 devices in Intune](https://docs.microsoft.com/mem/intune/configuration/custom-settings-windows-10) for information on how to create custom profiles. + +> [!IMPORTANT] +> - `` and `` can use an Azure AD SID or the user's name. For adding or removing Azure AD groups using this policy, you must use the group's SID. Azure AD group SIDs can be obtained using [Graph](https://docs.microsoft.com/graph/api/resources/group?view=graph-rest-1.0#json-representation) API for Groups. The SID is present in the `securityIdentifier` attribute. +> - When specifying a SID in the `` or ``, member SIDs are added without attempting to resolve them. Therefore, be very careful when specifying a SID to ensure it is correct. +> - `` is not valid for the R (Restrict) action and will be ignored if present. +> - The list in the XML is processed in the given order except for the R actions, which get processed last to ensure they win. It also means that if a group is present multiple times with different add/remove values, all of them will be processed in the order they are present. + + + + + + +**Examples** + +Example 1: Update action for adding and removing group members. + +The following example shows how you can update a local group (**Backup Operators**)—add a domain group as a member using its name (**Contoso\ITAdmins**), add the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids), add a AAD group by its SID (**S-1-12-1-111111111-22222222222-3333333333-4444444444**), and remove a local account (**Guest**). + +```xml + + + + + + + + + +``` + +Example 2: Restrict action for replacing the group membership. + +The following example shows how you can restrict a local group (**Backup Operators**)—replace its membership with the built-in Administrators group using its [well known SID](https://docs.microsoft.com/windows/win32/secauthz/well-known-sids) and add a local account (**Guest**). + +```xml + + + + + + + +``` + + + + + +
+ +## FAQs + +This section provides answers to some common questions you might have about the LocalUsersAndGroups policy CSP. + +### What happens if I accidentally remove the built-in Administrator SID from the Administrators group? + +Removing the built-in Administrator account from the built-in Administrators group is blocked at SAM/OS level for security reasons. Attempting to do so will result in failure with the following error: + +| Error Code | Symbolic Name | Error Description | Header | +|----------|----------|----------|----------| +| 0x55b (Hex)
1371 (Dec) |ERROR_SPECIAL_ACCOUNT|Cannot perform this operation on built-in accounts.| winerror.h | + +When configuring the built-in Administrators group with the R (Restrict) action, specify the built-in Administrator account SID/Name in `` to avoid this error. + +### Can I add a member that already exists? + +Yes, you can add a member that is already a member of a group. This will result in no changes to the group and no error. + +### Can I remove a member if it isn't a member of the group? + +Yes, you can remove a member even if it isn't a member of the group. This will result in no changes to the group and no error. + +### How can I add a domain group as a member to a local group? + +To add a domain group as a member to a local group, specify the domain group in `` of the local group. Use fully qualified account names (for example, domain_name\group_name) instead of isolated names (for example, group_name) for the best results. See [LookupAccountNameA function](https://docs.microsoft.com/windows/win32/api/winbase/nf-winbase-lookupaccountnamea#remarks) for more information. + +### Can I apply more than one LocalUserAndGroups policy/XML to the same device? + +No, this is not allowed. Attempting to do so will result in a conflict in Intune. + +### What happens if I specify a group name that doesn't exist? + +Invalid group names or SIDs will be skipped. Valid parts of the policy will apply, and error will be returned at the end of the processing. This behavior aligns with the on-prem AD GPP (Group Policy Preferences) LocalUsersAndGroups policy. Similarly, invalid member names will be skipped, and error will be returned at the end to notify that not all settings were applied successfully. + +### What happens if I specify R and U in the same XML? + +If you specify both R and U in the same XML, the R (Restrict) action takes precedence over U (Update). Therefore, if a group appears twice in the XML, once with U and again with R, the R action wins. + +### How do I check the result of a policy that is applied on the client device? + +After a policy is applied on the client device, you can investigate the event log to review the result: + +1. Open Event Viewer (**eventvwr.exe**). +2. Navigate to **Applications and Services Logs** > **Microsoft** > **Windows** > **DeviceManagement-Enterprise- +Diagnostics-Provider** > **Admin**. +3. Search for the `LocalUsersAndGroups` string to review the relevant details. + +### How can I troubleshoot Name/SID lookup APIs? + +To troubleshoot Name/SID lookup APIs: + +1. Enable **lsp.log** on the client device by running the following commands: + + ```cmd + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x800 -Type dword -Force + + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgTraceOptions -Value 0x1 -Type dword -Force + ``` + + The **lsp.log** file (**C:\windows\debug\lsp.log**) will be displayed. This log file tracks the SID-Name resolution. + +2. Turn the logging off by running the following command: + + ```cmd + Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name LspDbgInfoLevel -Value 0x0 -Type dword -Force + ``` + + +Footnotes: + +- 9 - Available in Windows 10, version 2010. + + diff --git a/windows/client-management/mdm/policy-csp-restrictedgroups.md b/windows/client-management/mdm/policy-csp-restrictedgroups.md index 67cb225555..b840169332 100644 --- a/windows/client-management/mdm/policy-csp-restrictedgroups.md +++ b/windows/client-management/mdm/policy-csp-restrictedgroups.md @@ -14,6 +14,9 @@ manager: dansimp # Policy CSP - RestrictedGroups +> [!IMPORTANT] +> Starting from Windows 10, version 2010, it is recommended to use the [LocalUsersandGroups](policy-csp-localusersandgroups.md) policy instead of the RestrictedGroups policy to configure members (users or AAD groups) to a Windows 10 local group. Applying both the policies to the same device is unsupported and may yield unpredictable results. +
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md index 05c983440b..6012a60ed9 100644 --- a/windows/client-management/mdm/policy-csp-system.md +++ b/windows/client-management/mdm/policy-csp-system.md @@ -1,13 +1,13 @@ --- title: Policy CSP - System -description: Learn policy settings that determines whether users can access the Insider build controls in the advanced options for Windows Update. +description: Learn policy settings that determine whether users can access the Insider build controls in the advanced options for Windows Update. ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman ms.localizationpriority: medium -ms.date: 08/12/2020 +ms.date: 10/14/2020 ms.reviewer: manager: dansimp --- @@ -212,14 +212,13 @@ The following list shows the supported values: -This policy setting controls whether Microsoft is a processor or controller for Windows diagnostic data collected from devices. +This policy setting opts the device into the Windows enterprise data pipeline. -If you enable this policy and enroll your devices in your Azure AD tenant, your organization becomes the controller and Microsoft is the processor of this data. +If you enable this setting, data collected from the device will be opted into the Windows enterprise data pipeline. -If you disable or don't configure this policy setting, Microsoft will be the controller for Windows diagnostic data collected from the device. +If you disable or don't configure this setting, all data from the device will be collected and processed in accordance with our policies for the Windows standard data pipeline. ->[!Note] -> This policy setting only controls if Microsoft is a processor for Windows diagnostic data from this device. Use the [System/AllowTelemetry](#system-allowtelemetry) policy setting to limit the diagnostic data that can be collected from the device. +Configuring this setting does not change the telemetry collection level or the ability of the user to change the level. This setting only applies to the Windows operating system and apps included with Windows, not third-party apps or services running on Windows 10. @@ -234,8 +233,8 @@ ADMX Info: The following list shows the supported values: -- 0 (default) - Do not use the Windows Commercial Data Pipeline -- 1 - Use the Windows Commercial Data Pipeline +- 0 (default) - Disabled. +- 1 - Enabled. @@ -245,7 +244,9 @@ The following list shows the supported values: +
+ **System/AllowDeviceNameInDiagnosticData** @@ -488,7 +489,7 @@ The following list shows the supported values: -Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally-installed fonts. +Added in Windows 10, version 1703. Boolean policy setting that determines whether Windows is allowed to download fonts and font catalog data from an online font provider. If you enable this setting, Windows periodically queries an online font provider to determine whether a new font catalog is available. Windows may also download font data if needed to format or render text. If you disable this policy setting, Windows does not connect to an online font provider and only enumerates locally installed fonts. This MDM setting corresponds to the EnableFontProviders Group Policy setting. If both the Group Policy and the MDM settings are configured, the group policy setting takes precedence. If neither is configured, the behavior depends on a DisableFontProviders registry value. In server editions, this registry value is set to 1 by default, so the default behavior is false (disabled). In all other editions, the registry value is not set by default, so the default behavior is true (enabled). @@ -509,7 +510,7 @@ ADMX Info: The following list shows the supported values: -- 0 - false - No traffic to fs.microsoft.com and only locally-installed fonts are available. +- 0 - false - No traffic to fs.microsoft.com and only locally installed fonts are available. - 1 - true (default) - There may be network traffic to fs.microsoft.com and downloadable fonts are available to apps that support them. @@ -1605,7 +1606,7 @@ The following list shows the supported values: This policy setting, in combination with the System/AllowTelemetry policy setting, enables organizations to send Microsoft a specific set of diagnostic data for IT insights via Windows Analytics services. -To enable this behavior you must complete two steps: +To enable this behavior, you must complete two steps:
  • Enable this policy setting
  • Set Allow Telemetry to level 2 (Enhanced)
    • diff --git a/windows/client-management/mdm/policy-csp-windowssandbox.md b/windows/client-management/mdm/policy-csp-windowssandbox.md new file mode 100644 index 0000000000..a00be7e6d7 --- /dev/null +++ b/windows/client-management/mdm/policy-csp-windowssandbox.md @@ -0,0 +1,561 @@ +--- +title: Policy CSP - WindowsSandbox +description: Policy CSP - WindowsSandbox +ms.author: dansimp +ms.topic: article +ms.prod: w10 +ms.technology: windows +author: manikadhiman +ms.localizationpriority: medium +ms.date: 10/14/2020 +--- + +# Policy CSP - WindowsSandbox + +> [!WARNING] +> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + + +
    + + +## WindowsSandbox policies + +
    +
    + WindowsSandbox/AllowAudioInput +
    +
    + WindowsSandbox/AllowClipboardRedirection +
    +
    + WindowsSandbox/AllowNetworking +
    +
    + WindowsSandbox/AllowPrinterRedirection +
    +
    + WindowsSandbox/AllowVGPU +
    +
    + WindowsSandbox/AllowVideoInput +
    +
    + + +
    + + +**WindowsSandbox/AllowAudioInput** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable audio input to the Sandbox. + +> [!NOTE] +> There may be security implications of exposing host audio input to the container. + +If this policy is not configured, end-users get the default behavior (audio input enabled). + +If audio input is disabled, a user will not be able to enable audio input from their own configuration file. + +If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow audio input in Windows Sandbox* +- GP name: *AllowAudioInput* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + + + + + + + +
    + + + +**WindowsSandbox/AllowClipboardRedirection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox. + +If this policy is not configured, end-users get the default behavior (clipboard redirection enabled. + +If clipboard sharing is disabled, a user will not be able to enable clipboard sharing from their own configuration file. + +If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow clipboard sharing with Windows Sandbox* +- GP name: *AllowClipboardRedirection* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + + + + + + + + +
    + + +**WindowsSandbox/AllowNetworking** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network. + +If this policy is not configured, end-users get the default behavior (networking enabled). + +If networking is disabled, a user will not be able to enable networking from their own configuration file. + +If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow networking in Windows Sandbox* +- GP name: *AllowNetworking* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: +- 0 - Disabled +- 1 (default) - Enabled + + + + + + + + + + +
    + + +**WindowsSandbox/AllowPrinterRedirection** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox. + +If this policy is not configured, end-users get the default behavior (printer sharing disabled). + +If printer sharing is disabled, a user will not be able to enable printer sharing from their own configuration file. + +If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow printer sharing with Windows Sandbox* +- GP name: *AllowPrinterRedirection* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 - Disabled +- 1 (default) - Enabled + + + + + + + + + + +
    + + +**WindowsSandbox/AllowVGPU** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox. + +> [!NOTE] +> Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox. + +If this policy is not configured, end-users get the default behavior (vGPU is disabled). + +If vGPU is disabled, a user will not be able to enable vGPU support from their own configuration file. + +If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: + +- GP English Name: *Allow vGPU sharing for Windows Sandbox* +- GP name: *AllowVGPU* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + + + + + + + + +
    + + +**WindowsSandbox/AllowVideoInput** + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Windows EditionSupported?
    Homecross mark
    Procheck mark9
    Businesscross mark
    Enterprisecheck mark9
    Educationcheck mark9
    + + +
    + + +[Scope](./policy-configuration-service-provider.md#policy-scope): + +> [!div class = "checklist"] +> * Device + +
    + + + +This policy setting allows the IT admin to enable or disable video input to the Sandbox. + +> [!NOTE] +> There may be security implications of exposing host video input to the container. + +If this policy is not configured, users get the default behavior (video input disabled). + +If video input is disabled, users will not be able to enable video input from their own configuration file. + +If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure. + +> [!NOTE] +> You must restart Windows Sandbox for any changes to this policy setting to take effect. + + + +ADMX Info: +- GP English Name: *Allow video input in Windows Sandbox* +- GP name: *AllowVideoInput* +- GP path: *Windows Components/Windows Sandbox* +- GP ADMX file name: *WindowsSandbox.admx* + + + +The following are the supported values: + +- 0 (default) - Disabled +- 1 - Enabled + + + + + + + + + + +
    + +Footnotes: + +- 1 - Available in Windows 10, version 1607. +- 2 - Available in Windows 10, version 1703. +- 3 - Available in Windows 10, version 1709. +- 4 - Available in Windows 10, version 1803. +- 5 - Available in Windows 10, version 1809. +- 6 - Available in Windows 10, version 1903. +- 7 - Available in Windows 10, version 1909. +- 8 - Available in Windows 10, version 2004. +- 9 - Available in Windows 10, version 2010. + + diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index fcb23c170c..330dddba01 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -161,7 +161,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format ErrorContext value -Stage where error occured +Stage where error occurred Description and suggestions @@ -239,7 +239,7 @@ The following diagram shows the SurfaceHub CSP management objects in tree format

    The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -

    Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). +

    Background image for the welcome screen. To set this, specify a https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image.

    The data type is string. Supported operation is Get and Replace. diff --git a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md index 7b104bdcb0..90ab13ce23 100644 --- a/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md +++ b/windows/privacy/windows-endpoints-1909-non-enterprise-editions.md @@ -96,6 +96,7 @@ The following methodology was used to derive the network endpoints: |activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows |adl.windows.com|HTTP|Used for compatibility database updates for Windows |spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile +|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices. ## Windows 10 Pro @@ -161,6 +162,7 @@ The following methodology was used to derive the network endpoints: |activity.windows.com|TLSV1.2|Used by Activity Feed Service which enables multiple cross-device data roaming scenarios on Windows |adl.windows.com|HTTP|Used for compatibility database updates for Windows |spclient.wg.spotify.com|TLSV1.2|Used for Spotify Live Tile +|cs.dds.microsoft.com|TLSV1.2|Used by Device Directory Service to keep track of user-device associations and storing metadata about the devices. ## Windows 10 Education diff --git a/windows/security/identity-protection/hello-for-business/hello-faq.md b/windows/security/identity-protection/hello-for-business/hello-faq.md index e6d36e6967..b5dfff553e 100644 --- a/windows/security/identity-protection/hello-for-business/hello-faq.md +++ b/windows/security/identity-protection/hello-for-business/hello-faq.md @@ -75,6 +75,7 @@ Communicating with Azure Active Directory uses the following URLs: - enterpriseregistration.windows.net - login.microsoftonline.com - login.windows.net +- account.live.com If your environment uses Microsoft Intune, you need these additional URLs: - enrollment.manage.microsoft.com diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index f3735bbd48..7f89a245b5 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -593,7 +593,7 @@ After you've decided where your protected apps can access enterprise data on you **Use Azure RMS for WIP.** Determines whether WIP uses [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management) to apply EFS encryption to files that are copied from Windows 10 to USB or other removable drives so they can be securely shared amongst employees. In other words, WIP uses Azure Rights Management "machinery" to apply EFS encryption to files when they are copied to removable drives. You must already have Azure Rights Management set up. The EFS file encryption key is protected by the RMS template’s license. Only users with permission to that template will be able to read it from the removable drive. WIP can also integrate with Azure RMS by using the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings in the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp). -- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. Curly braces {} are required around the RMS Template ID, but they are removed after you save the policy. +- **On.** Protects files that are copied to a removable drive. You can enter a TemplateID GUID to specify who can access the Azure Rights Management protected files, and for how long. The RMS template is only applied to the files on removable media, and is only used for access control—it doesn’t actually apply Azure Information Protection to the files. If you don’t specify an [RMS template](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates), it’s a regular EFS file using a default RMS template that all users can access. diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index a099742145..ebe3c59220 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -73,6 +73,8 @@ Microsoft has made a concerted effort to enlighten several of our more popular a - Microsoft Remote Desktop +- Microsoft To Do + > [!NOTE] > Microsoft Visio, Microsoft Office Access, Microsoft Project, and Microsoft Publisher are not enlightened apps and need to be exempted from WIP policy. If they are allowed, there is a risk of data loss. For example, if a device is workplace-joined and managed and the user leaves the company, metadata files that the apps rely on remain encrypted and the apps stop functioning. @@ -113,6 +115,7 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li | Microsoft Paint | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** mspaint.exe
    **App Type:** Desktop app | | Microsoft Remote Desktop | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** mstsc.exe
    **App Type:** Desktop app | | Microsoft MAPI Repair Tool | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Binary Name:** fixmapi.exe
    **App Type:** Desktop app | +| Microsoft To Do | **Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
    **Product Name:** Microsoft.Todos
    **App Type:** Store app | >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md index 1ce7884399..2893cf7ece 100644 --- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md +++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md @@ -42,7 +42,7 @@ Configuring policy settings in this category can help you document attempts to a - [Audit Credential Validation](audit-credential-validation.md) - [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md) - [Audit Kerberos Service Ticket Operations](audit-kerberos-service-ticket-operations.md) -- [Audit Other Logon/Logoff Events](audit-other-logonlogoff-events.md) +- [Audit Other Account Logon Events](audit-other-account-logon-events.md) ## Account Management @@ -150,8 +150,8 @@ Auditors will be able to prove that every resource in the system is protected by Resource SACLs are also useful for diagnostic scenarios. For example, setting the Global Object Access Auditing policy to log all the activity for a specific user and enabling the policy to track "Access denied" events for the file system or registry can help administrators quickly identify which object in a system is denying a user access. -> **Note:**  If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object -Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. +> [!NOTE] +> If a file or folder SACL and a Global Object Access Auditing policy setting (or a single registry setting SACL and a Global Object Access Auditing policy setting) are configured on a computer, the effective SACL is derived from combining the file or folder SACL and the Global Object Access Auditing policy. This means that an audit event is generated if an activity matches the file or folder SACL or the Global Object Access Auditing policy. This category includes the following subcategories: - [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md) diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md index 84cf52d450..220876b84a 100644 --- a/windows/security/threat-protection/auditing/event-4625.md +++ b/windows/security/threat-protection/auditing/event-4625.md @@ -166,7 +166,7 @@ This event generates on domain controllers, member servers, and workstations. | 0xC0000064 | User logon with misspelled or bad user account | | 0xC000006A | User logon with misspelled or bad password | | 0XC000006D | This is either due to a bad username or authentication information | - | 0XC000006E | Unknown user name or bad password. | + | 0XC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions). | | 0xC000006F | User logon outside authorized hours | | 0xC0000070 | User logon from unauthorized workstation | | 0xC0000071 | User logon with expired password | @@ -284,7 +284,7 @@ For 4625(F): An account failed to log on. - Monitor for all events with the fields and values in the following table: - | **Field** | Value to monitor for | + | Field | Value to monitor for | |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| | **Failure Information\\Status** or
    **Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
    This is typically not a security issue but it can be an infrastructure or availability issue. | | **Failure Information\\Status** or
    **Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
    Especially if you get a number of these in a row, it can be a sign of user enumeration attack. | diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png new file mode 100644 index 0000000000..e4b306fd92 Binary files /dev/null and b/windows/security/threat-protection/microsoft-defender-antivirus/images/win-security- exp-policy-endpt-security.png differ diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md index c49d6a763f..6cc3ece08f 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md @@ -1,6 +1,6 @@ --- title: Protect security settings with tamper protection -ms.reviewer: shwjha +ms.reviewer: shwjha, hayhov manager: dansimp description: Use tamper protection to prevent malicious apps from changing important security settings. keywords: malware, defender, antivirus, tamper protection @@ -14,7 +14,7 @@ audience: ITPro author: denisebmsft ms.author: deniseb ms.custom: nextgen -ms.date: 10/08/2020 +ms.date: 10/14/2020 --- # Protect security settings with tamper protection @@ -136,22 +136,24 @@ If you're using [version 2006 of Configuration Manager](https://docs.microsoft.c 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions). -2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**. +2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.
    -3. Configure tamper protection as part of the new policy. + - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**. + + - In the **Profile** list, select **Windows Security experience (preview)**.
    + + The following screenshot illustrates how to create your policy: -4. Deploy the policy to your device collection. + :::image type="content" source="images/win-security- exp-policy-endpt-security.png" alt-text="Windows security experience in Endpoint Manager"::: + +3. Deploy the policy to your device collection. Need help? See the following resources: -- [Antivirus policy for endpoint security in Intune](https://docs.microsoft.com/mem/intune/protect/endpoint-security-antivirus-policy) - - [Settings for the Windows Security experience profile in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/antivirus-security-experience-windows-settings) - [Tech Community Blog: Announcing Tamper Protection for Configuration Manager Tenant Attach clients](https://techcommunity.microsoft.com/t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246#.X3QLR5Ziqq8.linkedin) -- [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy) - ## View information about tampering attempts @@ -161,7 +163,7 @@ When a tampering attempt is detected, an alert is raised in the [Microsoft Defen ![Microsoft Defender Security Center](images/tamperattemptalert.png) -Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender ATP, your security operations team can investigate and address such attempts. +Using [endpoint detection and response](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response) and [advanced hunting](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview) capabilities in Microsoft Defender for Endpoint, your security operations team can investigate and address such attempts. ## Review your security recommendations @@ -179,7 +181,7 @@ To learn more about Threat & Vulnerability Management, see [Threat & Vulnerabili ### To which Windows OS versions is configuring tamper protection is applicable? -Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Windows 10 OS [1709](https://docs.microsoft.com/windows/release-information/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-information/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-information/status-windows-10-1809-and-windows-server-2019), or later together with [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). If you are using Configuration Manager, version 2006 with tenant attach, tamper protection can be extended to Windows Server 2019. See [Tenant attach: Create and deploy endpoint security Antivirus policy from the admin center (preview)](https://docs.microsoft.com/mem/configmgr/tenant-attach/deploy-antivirus-policy). @@ -189,13 +191,13 @@ No. Third-party antivirus offerings will continue to register with the Windows S ### What happens if Microsoft Defender Antivirus is not active on a device? -Tamper protection will not have any impact on such devices. +Devices that are onboarded to Microsoft Defender for Endpoint will have Microsoft Defender Antivirus running in passive mode. Tamper protection will continue to protect the service and its features. ### How can I turn tamper protection on/off? If you are a home user, see [Turn tamper protection on (or off) for an individual machine](#turn-tamper-protection-on-or-off-for-an-individual-machine). -If you are an organization using [Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: +If you are an organization using [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp), you should be able to manage tamper protection in Intune similar to how you manage other endpoint protection features. See the following sections of this article: - [Turn tamper protection on (or off) for your organization using Intune](#turn-tamper-protection-on-or-off-for-your-organization-using-intune) @@ -216,9 +218,9 @@ Some sample Microsoft Defender Antivirus settings: Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Antivirus\Real-time Protection\\
    Value `DisableRealtimeMonitoring` = 0 -### For Microsoft Defender ATP E5, is configuring tamper protection in Intune targeted to the entire organization only? +### For Microsoft Defender for Endpoint, is configuring tamper protection in Intune targeted to the entire organization only? -Configuring tamper protection in Intune can be targeted to your entire organization as well as to specific devices and user groups. +Configuring tamper protection in Intune or Microsoft Endpoint Manager can be targeted to your entire organization as well as to specific devices and user groups. ### Can I configure Tamper Protection in Microsoft Endpoint Configuration Manager? @@ -226,9 +228,9 @@ If you are using tenant attach, you can use Microsoft Endpoint Configuration Man ### I have the Windows E3 enrollment. Can I use configuring tamper protection in Intune? -Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender Advanced Threat Protection E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). +Currently, configuring tamper protection in Intune is only available for customers who have [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp). -### What happens if I try to change Microsoft Defender ATP settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? +### What happens if I try to change Microsoft Defender for Endpoint settings in Intune, Microsoft Endpoint Configuration Manager, and Windows Management Instrumentation when Tamper Protection is enabled on a device? You won’t be able to change the features that are protected by tamper protection; such change requests are ignored. @@ -236,9 +238,9 @@ You won’t be able to change the features that are protected by tamper protecti No. Local admins cannot change or modify tamper protection settings. -### What happens if my device is onboarded with Microsoft Defender ATP and then goes into an off-boarded state? +### What happens if my device is onboarded with Microsoft Defender for Endpoint and then goes into an off-boarded state? -In this case, tamper protection status changes, and this feature is no longer applied. +If a device is off-boarded from Microsoft Defender for Endpoint, tamper protection is turned on, which is the default state for unmanaged devices. ### Will there be an alert about tamper protection status changing in the Microsoft Defender Security Center? @@ -254,6 +256,6 @@ In addition, your security operations team can use hunting queries, such as the [Help secure Windows PCs with Endpoint Protection for Microsoft Intune](https://docs.microsoft.com/intune/help-secure-windows-pcs-with-endpoint-protection-for-microsoft-intune) -[Get an overview of Microsoft Defender ATP E5](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) +[Get an overview of Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) -[Better together: Microsoft Defender Antivirus and Microsoft Defender Advanced Threat Protection](why-use-microsoft-defender-antivirus.md) +[Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint](why-use-microsoft-defender-antivirus.md) diff --git a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md index 19a2f46e0c..b8454c4935 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md +++ b/windows/security/threat-protection/microsoft-defender-atp/api-portal-mapping.md @@ -72,6 +72,8 @@ Field numbers match the numbers in the images below. > | | LogOnUsers | sourceUserId | contoso\liz-bean; contoso\jay-hardee | The domain and user of the interactive logon user/s at the time of the event. Note: For devices on Windows 10 version 1607, the domain information will not be available. | > | | InternalIPv4List | No mapping | 192.168.1.7, 10.1.14.1 | List of IPV4 internal IPs for active network interfaces. | > | | InternalIPv6List | No mapping | fd30:0000:0000:0001:ff4e:003e:0009:000e, FE80:CD00:0000:0CDE:1257:0000:211E:729C | List of IPV6 internal IPs for active network interfaces. | +| | LinkToMTP | flexString1 | `https://security.microsoft.com/alert/da637370718981685665_16349121` | Value available for every Detection. +| | IncidentLinkToMTP | flexString1 | `"https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM` | Value available for every Detection. > | Internal field | LastProcessedTimeUtc | No mapping | 2017-05-07T01:56:58.9936648Z | Time when event arrived at the backend. This field can be used when setting the request parameter for the range of time that detections are retrieved. | > | | Not part of the schema | deviceVendor | | Static value in the ArcSight mapping - 'Microsoft'. | > | | Not part of the schema | deviceProduct | | Static value in the ArcSight mapping - 'Microsoft Defender ATP'. | diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md deleted file mode 100644 index 04c810e52c..0000000000 --- a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy-statement.md +++ /dev/null @@ -1,60 +0,0 @@ ---- -title: Microsoft Defender ATP for iOS note on Privacy -ms.reviewer: -description: Describes the Microsoft Defender ATP for iOS Privacy -keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, -search.product: eADQiWindows 10XVcnh -search.appverid: met150 -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -ms.author: sunasing -author: sunasing -ms.localizationpriority: medium -manager: dansimp -audience: ITPro -ms.collection: -- m365-security-compliance -- m365initiative-defender-endpoint -ms.topic: conceptual -hideEdit: true ---- - -# Microsoft Defender ATP for iOS note on Privacy - -[!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)] - - -## What information can my organization see when I use Microsoft Defender ATP on iOS - -Your organization cannot see your personal information when you use Microsoft Defender ATP. Microsoft Defender ATP sends certain pieces of information from your device to the ATP portal, such as device threat level, device model, and serial number. Your organization uses this information to help protect you from web-based attacks. - -**What your organization can never see:** - -- Calling and web browsing history -- Email and text messages -- Contacts -- Calendar -- Passwords -- Pictures, including what's in the photos app or camera roll -- Files - -**What your organization can see:** - -- Malicious Connections that were blocked by Microsoft Defender ATP -- Device model, like iPhone 11 -- Operating system and version, like iOS 12.0.1 -- Device name -- Device serial number - -## VPN Usage - -Microsoft Defender ATP for iOS uses VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. - -## More on Privacy - -[More information about Privacy](https://aka.ms/mdatpiosmainprivacystatement) - - - diff --git a/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md new file mode 100644 index 0000000000..1bef25da5f --- /dev/null +++ b/windows/security/threat-protection/microsoft-defender-atp/ios-privacy.md @@ -0,0 +1,78 @@ +--- +title: Microsoft Defender ATP for iOS note on Privacy +ms.reviewer: +description: Describes the Microsoft Defender ATP for iOS Privacy +keywords: microsoft, defender, atp, iOS, license, terms, application, use, installation, service, feedback, scope, +search.product: eADQiWindows 10XVcnh +search.appverid: met150 +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: sunasing +author: sunasing +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: conceptual +hideEdit: true +--- + +# Microsoft Defender ATP for iOS - Privacy information + +**Applies to:** + +- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) for iOS](microsoft-defender-atp-ios.md) + +>[!NOTE] +> Microsoft Defender ATP for iOS uses a VPN in order to provide the Web Protection feature. This is not a regular VPN and is a local/self-looping VPN that does not take traffic outside the device. Microsoft or your organization **does not see your browsing activity**. + +Microsoft Defender ATP for iOS collects information from your configured iOS devices and stores it in the same tenant where you have Microsoft Defender ATP. + +Information is collected to help keep Microsoft Defender ATP for iOS secure, up-to-date, performing as expected and to support the service. + +## Required data + +Required data consists of data that is necessary to make Microsoft Defender ATP for iOS work as expected. This data is essential to the operation of the service and can include data related to the end user, organization, device, and apps. Here's a list of the types of data being collected: + +### Web page / Network information + +- Connection information +- Protocol type (such as HTTP, HTTPS, etc.) + +### Device and account information + +- Device information such as date & time, iOS version, CPU info, and Device identifier +- Device identifier is one of the below: + - Wi-Fi adapter MAC address + - Randomly generated globally unique identifier (GUID) + +- Tenant, Device, and User information + - Azure Active Directory (AD) Device ID and Azure User ID: Uniquely identifies the device, User respectively at Azure Active directory. + - Azure tenant ID - GUID that identifies your organization within Azure Active Directory + - Microsoft Defender ATP org ID - Unique identifier associated with the enterprise that the device belongs to. Allows Microsoft to identify whether issues are impacting a select set of enterprises and how many enterprises are impacted + - User Principal Name - Email ID of the user + +### Product and service usage data + +- App package info, including name, version, and app upgrade status +- Actions performed in the app +- Crash report logs generated by iOS +- Memory usage data + +## Optional data + +Optional data includes diagnostic data and feedback data from the client. Optional diagnostic data is additional data that helps us make product improvements and provides enhanced information to help us detect, diagnose, and fix issues. This data is only for diagnostic purposes and is not required for the service itself. + +Optional diagnostic data includes: + +- App, CPU, and network usage +- Features configured by the admin + +**Feedback Data** is collected through in-app feedback provided by the user. + +- The user's email address, if they choose to provide it +- Feedback type (smile, frown, idea) and any feedback comments submitted by the user + +[More on Privacy](https://aka.ms/mdatpiosprivacystatement) \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md index 91a5ea6044..a1fd86434f 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-install-with-intune.md @@ -197,7 +197,7 @@ To approve the system extensions: 9. As part of the Endpoint Detection and Response capabilities, Microsoft Defender ATP for Mac inspects socket traffic and reports this information to the Microsoft Defender Security Center portal. The following policy allows the network extension to perform this functionality. Download `netfilter.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/netfilter.mobileconfig), save it as netext.xml and deploy it using the same steps as in the previous sections. -10. To allow Defender and Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. +10. To allow Microsoft Defender ATP for Mac and Microsoft Auto Update to display notifications in UI on macOS 10.15 (Catalina), download `notif.mobileconfig` from [our GitHub repository](https://raw.githubusercontent.com/microsoft/mdatp-xplat/master/macos/mobileconfig/profiles/notif.mobileconfig) and import it as a custom payload. 11. Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**. diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md index 21653f6dc7..83030035f2 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md @@ -46,6 +46,9 @@ If you can reproduce a problem, increase the logging level, run the system for s 3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds. + > [!TIP] + > By default, diagnostic logs are saved to `/Library/Application Support/Microsoft/Defender/wdavdiag/`. To change the directory where diagnostic logs are saved, pass `--path [directory]` to the below command, replacing `[directory]` with the desired directory. + ```bash sudo mdatp diagnostic create ``` @@ -99,7 +102,7 @@ Important tasks, such as controlling product settings and triggering on-demand s |Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` | |Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` | |Diagnostics |Change the log level |`mdatp log level set --level [error/warning/info/verbose]` | -|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` | +|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create --path [directory]` | |Health |Check the product's health |`mdatp health` | |Health |Check for a spefic product attribute |`mdatp health --field [attribute: healthy/licensed/engine_version...]` | |Protection |Scan a path |`mdatp scan custom --path [path]` | diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md index 461973a0a9..f53075c405 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-sysext-policies.md @@ -64,7 +64,7 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender >JAMF doesn’t have built-in support for content filtering policies, which are a pre-requisite for enabling the network extensions that Microsoft Defender ATP for Mac installs on the device. Furthermore, JAMF sometimes changes the content of the policies being deployed. >As such, the following steps provide a workaround that involve signing the configuration profile. -1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig` +1. Save the following content to your device as `com.microsoft.network-extension.mobileconfig` using a text editor: ```xml @@ -127,21 +127,38 @@ As part of the Endpoint Detection and Response capabilities, Microsoft Defender ``` -2. Verify that the above file was copied correctly. From the Terminal, run the following command and verify that it outputs `OK`: +2. Verify that the above file was copied correctly by running the `plutil` utility in the Terminal: ```bash - $ plutil -lint com.microsoft.network-extension.mobileconfig - com.microsoft.network-extension.mobileconfig: OK + $ plutil -lint /com.microsoft.network-extension.mobileconfig ``` -3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority - -4. After the certificate is created and installed to your device, run the following command from the Terminal: + For example, if the file was stored in Documents: ```bash - $ security cms -S -N "" -i com.microsoft.network-extension.mobileconfig -o com.microsoft.network-extension.signed.mobileconfig + $ plutil -lint ~/Documents/com.microsoft.network-extension.mobileconfig ``` + + Verify that the command outputs `OK`. + + ```bash + /com.microsoft.network-extension.mobileconfig: OK + ``` + +3. Follow the instructions on [this page](https://www.jamf.com/jamf-nation/articles/649/creating-a-signing-certificate-using-jamf-pro-s-built-in-certificate-authority) to create a signing certificate using JAMF’s built-in certificate authority. +4. After the certificate is created and installed to your device, run the following command from the Terminal to sign the file: + + ```bash + $ security cms -S -N "" -i /com.apple.webcontent-filter.mobileconfig -o /com.microsoft.network-extension.signed.mobileconfig + ``` + + For example, if the certificate name is **SigningCertificate** and the signed file is going to be stored in Documents: + + ```bash + $ security cms -S -N "SigningCertificate" -i ~/Documents/com.apple.webcontent-filter.mobileconfig -o ~/Documents/com.microsoft.network-extension.signed.mobileconfig + ``` + 5. From the JAMF portal, navigate to **Configuration Profiles** and click the **Upload** button. Select `com.microsoft.network-extension.signed.mobileconfig` when prompted for the file. ## Intune diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md index 43115e4395..ca4617cc28 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md +++ b/windows/security/threat-protection/microsoft-defender-atp/mac-whatsnew.md @@ -43,6 +43,17 @@ ms.topic: conceptual > 2. Refer to this documentation for detailed configuration information and instructions: [New configuration profiles for macOS Catalina and newer versions of macOS](mac-sysext-policies.md). > 3. Monitor this page for an announcement of the actual release of MDATP for Mac agent update. +## 101.09.50 + +- This product version has been validated on macOS Big Sur 11 beta 9 +- The new syntax for the `mdatp` command-line tool is now the default one. For more information on the new syntax, see [Resources for Microsoft Defender ATP for Mac](mac-resources.md#configuring-from-the-command-line) + + > [!NOTE] + > The old command-line tool syntax will be removed from the product on **January 1st, 2021**. + +- Extended `mdatp diagnostic create` with a new parameter (`--path [directory]`) that allows the diagnostic logs to be saved to a different directory +- Performance improvements & bug fixes + ## 101.09.49 - User interface improvements to differentiate exclusions that are managed by the IT administrator versus exclusions defined by the local user diff --git a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md index 38400901cd..078b9f44ba 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/pull-alerts-using-rest-api.md @@ -71,7 +71,7 @@ You'll use the access token to access the protected resource, which are detectio To get an access token, you'll need to do a POST request to the token issuing endpoint. Here is a sample request: -```syntax +```http POST /72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/token HTTP/1.1 Host: login.microsoftonline.com @@ -124,14 +124,14 @@ CloudCreatedMachineTags | string | Device tags that were created in Microsoft De ### Request example The following example demonstrates how to retrieve all the detections in your organization. -```syntax +```http GET https://wdatp-alertexporter-eu.windows.com/api/alerts Authorization: Bearer ``` The following example demonstrates a request to get the last 20 detections since 2016-09-12 00:00:00. -```syntax +```http GET https://wdatp-alertexporter-eu.windows.com/api/alerts?limit=20&sinceTimeUtc=2016-09-12T00:00:00.000 Authorization: Bearer ``` @@ -142,39 +142,60 @@ The return value is an array of alert objects in JSON format. Here is an example return value: ```json -{"AlertTime":"2017-01-23T07:32:54.1861171Z", -"ComputerDnsName":"desktop-bvccckk", -"AlertTitle":"Suspicious PowerShell commandline", -"Category":"SuspiciousActivity", -"Severity":"Medium", -"AlertId":"636207535742330111_-1114309685", -"Actor":null, -"LinkToWDATP":"https://securitycenter.windows.com/alert/636207535742330111_-1114309685", -"IocName":null, -"IocValue":null, -"CreatorIocName":null, -"CreatorIocValue":null, -"Sha1":"69484ca722b4285a234896a2e31707cbedc59ef9", -"FileName":"powershell.exe", -"FilePath":"C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", -"IpAddress":null, -"Url":null, -"IoaDefinitiondId":"7f1c3609-a3ff-40e2-995b-c01770161d68", -"UserName":null, -"AlertPart":0, -"FullId":"636207535742330111_-1114309685:9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF", -"LastProcessedTimeUtc":"2017-01-23T11:33:45.0760449Z", -"ThreatCategory":null, -"ThreatFamily":null, -"ThreatName":null, -"RemediationAction":null, -"RemediationIsSuccess":null, -"Source":"Microsoft Defender ATP", -"Md5":null, -"Sha256":null, -"WasExecutingWhileDetected":null, -"FileHash":"69484ca722b4285a234896a2e31707cbedc59ef9", -"IocUniqueId":"9DE735BA9FF87725E392C6DFBEB2AF279035CDE229FCC00D28C0F3242C5A50AF"} +[ +{ + "AlertTime": "2020-09-30T14:09:20.35743Z", + "ComputerDnsName": "mymachine1.domain.com", + "AlertTitle": "Suspicious File Activity", + "Category": "Malware", + "Severity": "High", + "AlertId": "da637370718981685665_16349121", + "Actor": "", + "LinkToWDATP": "https://securitycenter.windows.com/alert/da637370718981685665_16349121", + "IocName": "", + "IocValue": "", + "CreatorIocName": "", + "CreatorIocValue": "", + "Sha1": "aabbccddee1122334455aabbccddee1122334455", + "FileName": "cmdParent.exe", + "FilePath": "C:\\WINDOWS\\SysWOW64\\boo3\\qwerty", + "IpAddress": "", + "Url": "", + "IoaDefinitionId": "b20af1d2-5990-4672-87f1-acc2a8ff7725", + "UserName": "", + "AlertPart": 0, + "FullId": "da637370718981685665_16349121:R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=", + "LastProcessedTimeUtc": "2020-09-30T14:11:44.0779765Z", + "ThreatCategory": "", + "ThreatFamily": "", + "ThreatName": "", + "RemediationAction": "", + "RemediationIsSuccess": null, + "Source": "EDR", + "Md5": "854b85cbff2752fcb88606bca76f83c6", + "Sha256": "", + "WasExecutingWhileDetected": null, + "UserDomain": "", + "LogOnUsers": "", + "MachineDomain": "domain.com", + "MachineName": "mymachine1", + "InternalIPv4List": "", + "InternalIPv6List": "", + "FileHash": "aabbccddee1122334455aabbccddee1122334455", + "DeviceID": "deadbeef000040830ee54503926f556dcaf82bb0", + "MachineGroup": "", + "Description": "Test Alert", + "DeviceCreatedMachineTags": "", + "CloudCreatedMachineTags": "", + "CommandLine": "", + "IncidentLinkToWDATP": "https://securitycenter.windows.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM", + "ReportID": 1053729833, + "LinkToMTP": "https://security.microsoft.com/alert/da637370718981685665_16349121", + "IncidentLinkToMTP": "https://security.microsoft.com/incidents/byalert?alertId=da637370718981685665_16349121&source=SIEM", + "ExternalId": "31DD0A845DDA4059FDEDE031014645350AECABD3", + "IocUniqueId": "R4xEdgAvDb2LQl3BgHoA3NYqKmRSiIAG7dpxAJCYZhY=" +} +] ``` ## Code examples diff --git a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md index a902dc094d..1d8c035b5c 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md +++ b/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-api.md @@ -29,7 +29,9 @@ ms.topic: article ## Limitations 1. You can only run a query on data from the last 30 days. 2. The results will include a maximum of 100,000 rows. -3. The number of executions is limited per tenant: up to 10 calls per minute, 10 minutes of running time every hour and 4 hours of running time a day. +3. The number of executions is limited per tenant: + - API calls: Up to 15 calls per minute + - Execution time: 10 minutes of running time every hour and 4 hours of running time a day 4. The maximal execution time of a single request is 10 minutes. 5. 429 response will represent reaching quota limit either by number of requests or by CPU. The 429 response body will also indicate the time until the quota is renewed. diff --git a/windows/security/threat-protection/windows-firewall/TOC.md b/windows/security/threat-protection/windows-firewall/TOC.md index e5edff503e..34b7c1beb1 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.md +++ b/windows/security/threat-protection/windows-firewall/TOC.md @@ -96,6 +96,7 @@ ## [Best practices]() +### [Configuring the firewall](best-practices-configuring.md) ### [Securing IPsec](securing-end-to-end-ipsec-connections-by-using-ikev2.md) ### [PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) ### [Isolating Microsoft Store Apps on Your Network](isolating-apps-on-your-network.md) diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md new file mode 100644 index 0000000000..274baf82d2 --- /dev/null +++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md @@ -0,0 +1,212 @@ +--- +title: Best practices for configuring Windows Defender Firewall +description: Learn about best practices for configuring Windows Defender Firewall + +keywords: firewall, best practices, security, network security, network, rules, filters, + +ms.prod: w10 +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +ms.author: maccruz +author: schmurky +ms.localizationpriority: medium +manager: dansimp +audience: ITPro +ms.collection: M365-security-compliance +ms.topic: article + +--- + +# Best practices for configuring Windows Defender Firewall + +**Applies to** + +- Windows operating systems including Windows 10 + +- Windows Server Operating Systems + +Windows Defender Firewall with Advanced Security provides host-based, two-way +network traffic filtering and blocks unauthorized network traffic flowing into +or out of the local device. Configuring your Windows Firewall based on the +following best practices can help you optimize protection for devices in your +network. These recommendations cover a wide range of deployments including home +networks and enterprise desktop/server systems. + +To open Windows Firewall, go to the **Start** menu, select **Run**, +type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-windows-firewall-with-advanced-security). + +## Keep default settings + +When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect. + +![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png) + +*Figure 1: Windows Defender Firewall* + +1. **Domain profile**: Used for networks where there is a system of account authentication against a domain controller (DC), such as an Azure Active Directory DC + +2. **Private profile**: Designed for and best used + in private networks such as a home network + +3. **Public profile**: Designed with higher security in mind + for public networks like Wi-Fi hotspots, coffee shops, airports, hotels, or stores + +View detailed settings for each profile by right-clicking the top-level **Windows Defender Firewall with Advanced Security** node in the left pane and then selecting **Properties**. + +Maintain the default settings in Windows Defender +Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. + +![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png) + +*Figure 2: Default inbound/outbound settings* + +> [!IMPORTANT] +> To maintain maximum security, do not change the default Block setting for inbound connections. + +For more on configuring basic firewall settings, see [Turn on Windows Firewall and Configure Default Behavior](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior) and [Checklist: Configuring Basic Firewall Settings](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-configuring-basic-firewall-settings). + +## Understand rule precedence for inbound rules + +In many cases, a next step for administrators will be to customize these profiles using rules (sometimes called filters) so that they can work with user apps or other types of software. For example, an administrator or user may choose to add a rule to accommodate a program, open a port or protocol, or allow a predefined type of traffic. + +This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this: + +![Rule creation wizard](images/fw02-createrule.png) + +*Figure 3: Rule Creation Wizard* + +> [!NOTE] +>This article does not cover step-by-step rule +configuration. See the [Windows Firewall with Advanced Security Deployment +Guide](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide) +for general guidance on policy creation. + +In many cases, allowing specific types of inbound traffic will be required for +applications to function in the network. Administrators should keep the following rule precedence behaviors in mind when +allowing these inbound exceptions. + +1. Explicitly defined allow rules will take precedence over the default block setting. + +2. Explicit block rules will take precedence over any conflicting allow rules. + +3. More specific rules will take precedence over less specific rules, except in the case of explicit block rules as mentioned in 2. (For example, if the parameters of rule 1 includes an IP address range, while the parameters of rule 2 include a single IP host address, rule 2 will take precedence.) + +Because of 1 and 2, it is important that, when designing a set of policies, you make sure that there are no other explicit block rules in place that could inadvertently overlap, thus preventing the traffic flow you wish to allow. + +A general security best practice when creating inbound rules is to be as specific as possible. However, when new rules must be made that use ports or IP addresses, consider using consecutive ranges or subnets instead of individual addresses or ports where possible. This avoids creation of multiple filters under the hood, reduces complexity, and helps to avoid performance degradation. + +> [!NOTE] +> Windows Defender Firewall does not support traditional weighted, administrator-assigned rule ordering. An effective policy set with expected behaviors can be created by keeping in mind the few, consistent, and logical rule behaviors described above. + +## Create rules for new applications before first launch + +### Inbound allow rules + +When first installed, networked applications and services issue a listen call specifying the protocol/port information required for them to function properly. As there is a default block action in Windows Defender Firewall, it is necessary to create inbound exception rules to allow this traffic. It is common for the app or the app installer itself to add this firewall rule. Otherwise, the user (or firewall admin on behalf of the user) needs to manually create a rule. + +If there are no active application or administrator-defined allow rule(s), a dialog box will prompt the user to either allow or block an application's packets the first time the app is launched or tries to communicate in the network. + +- If the user has admin permissions, they will be prompted. If they respond *No* or cancel the prompt, block rules will be created. Two rules are typically created, one each for TCP and UDP traffic. + +- If the user is not a local admin, they will not be prompted. In most cases, block rules will be created. + +In either of the scenarios above, once these rules are added they must be deleted in order to generate the prompt again. If not, the traffic will continue to be blocked. + +> [!NOTE] +> The firewall's default settings are designed for security. Allowing all inbound connections by default introduces the network to various threats. Therefore, creating exceptions for inbound connections from third-party software should be determined by trusted app developers, the user, or the admin on behalf of the user. + + +### Known issues with automatic rule creation + +When designing a set of firewall policies for your network, it is a best practice to configure allow rules for any networked applications deployed on the host. Having these rules in place before the user first launches the application will help ensure a seamless experience. + +The absence of these staged rules does not necessarily mean that in the end an application will be unable to communicate on the network. However, the behaviors involved in the automatic creation of application rules at runtime requires user interaction. + +To determine why some applications are blocked from communicating in the network, check for the following: + +1. A user with sufficient privileges receives a query notification advising them that the application needs to make a change to the firewall policy. Not fully understanding the prompt, the user cancels or dismisses the prompt. + +2. A user lacks sufficient privileges and is therefore not prompted to allow the application to make the appropriate policy changes. + +3. Local Policy Merge is disabled, preventing the application or network service from creating local rules. + +![Windows Firewall prompt](images/fw04-userquery.png) + +*Figure 4: Dialog box to allow access* + +See also [Checklist: Creating Inbound Firewall Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-creating-inbound-firewall-rules). + +## Establish local policy merge and application rules + +Firewall rules can be deployed: +1. Locally using the Firewall snap-in (**WF.msc**) +2. Locally using PowerShell +3. Remotely using Group Policy if the device is a member of an Active Directory Name, System Center Configuration Manager (SCCM), or Intune (using workplace join) + +Rule merging settings control how rules from different policy sources can be combined. Administrators can configure different merge behaviors for Domain, Private, and Public profiles. + +The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy. + +![Customize settings](images/fw05-rulemerge.png) + +*Figure 5: Rule merging setting* + +> [!TIP] +> In the firewall [configuration service provider](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp), the +equivalent setting is *AllowLocalPolicyMerge*. This setting can be found under each respective profile node, *DomainProfile*, *PrivateProfile*, and *PublicProfile*. + +If merging of local policies is disabled, centralized deployment of rules is required for any app that needs inbound connectivity. + +Admins may disable *LocalPolicyMerge* in high security environments to maintain tighter control over endpoints. This can impact some apps and services that automatically generate a local firewall policy upon installation as discussed above. For these types of apps and services to work, admins should push rules centrally via group policy (GP), Mobile Device +Management (MDM), or both (for hybrid or co-management environments). + +[Firewall CSP](https://docs.microsoft.com/windows/client-management/mdm/firewall-csp) and [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) also have settings that can affect rule merging. + +As a best practice, it is important to list and log such apps, including the network ports used for communications. Typically, you can find what ports must be open for a given service on the app's website. For more complex or customer application deployments, a more thorough analysis may be needed using network packet capture tools. + +In general, to maintain maximum security, admins should only push firewall exceptions for apps and services determined to serve legitimate purposes. + + + +> [!NOTE] +> The use of wildcard patterns, such as *C:\*\\teams.exe* is not +supported in application rules. We currently only support rules created using the full path to the application(s). + +## Know how to use "shields up" mode for active attacks + +An important firewall feature you can use to mitigate damage during an active attack is the "shields up" mode. It is an informal term referring to an easy method a firewall administrator can use to temporarily increase security in the face of an active attack. + +Shields up can be achieved by checking **Block all +incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*. + +![Incoming connections](images/fw06-block.png) + +*Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type* + +![Firewall cpl](images/fw07-legacy.png) + +*Figure 7: Legacy firewall.cpl* + +By default, the Windows Defender Firewall will block everything unless there is an exception rule created. This setting overrides the exceptions. + +For example, the Remote Desktop feature automatically creates firewall rules when enabled. However, if there is an active exploit using multiple ports and services on a host, you can, instead of disabling individual rules, use the shields up mode to block all inbound connections, overriding previous exceptions, including the rules for Remote Desktop. The Remote Desktop rules remain intact but remote access will not work as long as shields up is activated. + +Once the emergency is over, uncheck the setting to restore regular network traffic. + +## Create outbound rules + +What follows are a few general guidelines for configuring outbound rules. + +- The default configuration of Blocked for Outbound rules can be + considered for certain highly secure environments. However, the Inbound rule configuration should never be changed in a way that Allows traffic by default. + +- It is recommended to Allow Outbound by default for most deployments for the sake of simplification around app deployments, unless the enterprise prefers tight security controls over ease-of-use. + +- In high security environments, an inventory of all enterprise-spanning apps must be taken and logged by the administrator or administrators. Records must include whether an app used requires network connectivity. Administrators will need to create new rules specific to each app that needs network connectivity and push those rules centrally, via group policy (GP), Mobile Device Management (MDM), or both (for hybrid or co-management environments). + +For tasks related to creating outbound rules, see [Checklist: Creating Outbound Firewall Rules](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/checklist-creating-outbound-firewall-rules). + +## Document your changes + +When creating an inbound or outbound rule, you should specify details about the app itself, the port range used, and important notes like creation date. Rules must be well-documented for ease of review both by you and other admins. We highly encourage taking the time to make the work of reviewing your firewall rules at a later date easier. And *never* create unnecessary holes in your firewall. diff --git a/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png b/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png new file mode 100644 index 0000000000..c1aa416fdf Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw01-profiles.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png b/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png new file mode 100644 index 0000000000..5c8f858f52 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw02-createrule.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png b/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png new file mode 100644 index 0000000000..cfc1daea37 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw03-defaults.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png b/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png new file mode 100644 index 0000000000..85f7485479 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw04-userquery.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png b/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png new file mode 100644 index 0000000000..74c49fab7b Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw05-rulemerge.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw06-block.png b/windows/security/threat-protection/windows-firewall/images/fw06-block.png new file mode 100644 index 0000000000..2909fa51d3 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw06-block.png differ diff --git a/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png b/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png new file mode 100644 index 0000000000..a8d15e6e31 Binary files /dev/null and b/windows/security/threat-protection/windows-firewall/images/fw07-legacy.png differ