deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-15 14:57:23 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Merge branch 'master' into wdeg-working

Browse Source
This commit is contained in:
Iaan D'Souza-Wiltshire 2017-08-29 10:57:55 -07:00
commit e987675d0a
279 changed files with 11286 additions and 3218 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
devices/surface-hub/TOC.md
View File

@ -33,6 +33,7 @@
### [Install apps on your Surface Hub](install-apps-on-surface-hub.md)
### [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md)
### [End a Surface Hub meeting with End session](i-am-done-finishing-your-surface-hub-meeting.md)
### [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md)
### [Save your BitLocker key](save-bitlocker-key-surface-hub.md)
### [Connect other devices and display with Surface Hub](connect-and-display-with-surface-hub.md)
### [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md)

9
devices/surface-hub/change-history-surface-hub.md
View File

@ -18,9 +18,14 @@ This topic lists new and updated topics in the [Surface Hub Admin Guide]( surfac
## August 2017
New or changed topic | Description
--- | ---
| New or changed topic | Description |
| --- | --- |
[Accessibility](accessibility-surface-hub.md) | Added information about Narrator
[Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | New
## July 2017

BIN
devices/surface-hub/images/approve-signin.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 32 KiB

BIN
devices/surface-hub/images/approve-signin2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
devices/surface-hub/images/attendees.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 46 KiB

BIN
devices/surface-hub/images/mfa-options.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 70 KiB

BIN
devices/surface-hub/images/sign-in.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 120 KiB

1
devices/surface-hub/manage-surface-hub.md
View File

@ -34,6 +34,7 @@ Learn about managing and updating Surface Hub.
| [Install apps on your Surface Hub]( https://technet.microsoft.com/itpro/surface-hub/install-apps-on-surface-hub) | Admins can install apps can from either the Microsoft Store or the Microsoft Store for Business.|
| [Set up and use Whiteboard to Whiteboard collaboration](whiteboard-collaboration.md) | Microsoft Whiteboards latest update includes the capability for two Surface Hubs to collaborate in real time on the same board. |
| [End a meeting with End session](https://technet.microsoft.com/itpro/surface-hub/i-am-done-finishing-your-surface-hub-meeting) | At the end of a meeting, users can tap **End session** to clean up any sensitive data and prepare the device for the next meeting.|
| [Sign in to Surface Hub with Microsoft Authenticator](surface-hub-authenticator-app.md) | You can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS. |
| [Save your BitLocker key](https://technet.microsoft.com/itpro/surface-hub/save-bitlocker-key-surface-hub) | Every Surface Hub is automatically set up with BitLocker drive encryption software. Microsoft strongly recommends that you make sure you back up your BitLocker recovery keys.|
| [Connect other devices and display with Surface Hub](https://technet.microsoft.com/itpro/surface-hub/connect-and-display-with-surface-hub) | You can connect other device to your Surface Hub to display content.|
| [Miracast on existing wireless network or LAN](miracast-over-infrastructure.md) | You can use Miracast on your wireless network or LAN to connect to Surface Hub. |

89
devices/surface-hub/surface-hub-authenticator-app.md Normal file
View File

@ -0,0 +1,89 @@
---
title: Sign in to Surface Hub with Microsoft Authenticator
description: Use Microsoft Authenticator on your mobile device to sign in to Surface Hub.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: surfacehub
author: jdeckerms
ms.author: jdecker
ms.date: 07/27/2017
localizationpriority: medium
---
# Sign in to Surface Hub with Microsoft Authenticator
People in your organization can sign in to a Surface Hub without a password using the Microsoft Authenticator app, available on Android and iOS.
## Organization prerequisites
To let people in your organization sign in to Surface Hub with their phones and other devices instead of a password, youll need to make sure that your organization meets these prerequisites:
- Your organization must be a hybrid or cloud-only organization, backed by Azure Active Directory (Azure AD). For more information, see [What is Azure Active Directory?](https://docs.microsoft.com/azure/active-directory/active-directory-whatis)
- Make sure you have at minimum an Office 365 E3 subscription.
- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Make sure **Notification through mobile app** is selected.
![multi-factor authentication options](images/mfa-options.png)
- Enable content hosting on Azure AD services such as Office online, SharePoint, etc.
- Surface Hub must be running Windows 10, version 1703 or later.
- Surface Hub is set up with either a local or domain-joined account.
Currently, you cannot use Microsoft Authenticator to sign in to Surface Hubs that are joined to an Active Directory domain or to Azure AD.
## Individual prerequisites
- An Android phone running 6.0 or later, or an iPhone or iPad running iOS9 or later
- The most recent version of the Microsoft Authenticator app from the appropriate app store
>[!NOTE]
>On iOS, the app version must be 5.4.0 or higher.
>
>The Microsoft Authenticator app on phones running a Windows operating system can't be used to sign in to Surface Hub.
- Passcode or screen lock on your device is enabled
- A standard SMTP email address (example: joe@contoso.com). Non-standard or vanity SMTP email addresses (example: firstname.lastname@contoso.com) currently dont work.
## How to set up the Microsoft Authenticator app
>[!NOTE]
>If Company Portal is installed on your Android device, uninstall it before you set up Microsoft Authenticator. After you set up the app, you can reinstall Company Portal.
>
>If you have already set up Microsoft Authenticator on your phone and registered your device, go to the [sign-in instructions](#signin).
1. Add your work or school account to Microsoft Authenticator for Multi-Factor Authentication. You will need a QR code provided by your IT department. For help, see [Get started with the Microsoft Authenticator app](https://docs.microsoft.com/azure/multi-factor-authentication/end-user/microsoft-authenticator-app-how-to).
2. Go to **Settings** and register your device.
1. Return to the accounts page and choose **Enable phone sign-in** from the account dropdown menu.
<span id="signin" />
## How to sign in to Surface Hub during a meeting
1. After youve set up a meeting, go to the Surface Hub and select **Sign in to see your meetings and files**.
>[!NOTE]
>If youre not sure how to schedule a meeting on a Surface Hub, see [Schedule a meeting on Surface Hub](https://support.microsoft.com/help/17325/surfacehub-schedulemeeting).
![screenshot of Sign in option on Surface Hub](images/sign-in.png)
2. Youll see a list of the people invited to the meeting. Select yourself (or the person who wants to sign in make sure this person has gone through the steps to set up their device before your meeting), and then select **Continue**.
![screenshot of list of attendees in a meeting](images/attendees.png)
You'll see a code on the Surface Hub.
![screenshot of code for Approve Sign in](images/approve-signin.png)
3. To approve the sign-in, open the Authenticator app, enter the four-digit code thats displayed on the Surface Hub, and select **Approve**. You will then be asked to enter the PIN or use your fingerprint to complete the sign in.
![screenshot of the Approve sign-in screen in Microsoft Authenticator](images/approve-signin2.png)
You can now access all files through the OneDrive app.

2
devices/surface-hub/surface-hub-downloads.md
View File

@ -23,7 +23,7 @@ This topic provides links to useful Surface Hub documents, such as product datas
| [Surface Hub User Guide (PDF)](http://download.microsoft.com/download/3/6/B/36B6331E-0C63-4E71-A05D-EE88D05081F8/surface-hub-user-guide-en-us.pdf) | Learn how to use Surface Hub in scheduled or ad-hoc meetings. Invite remote participants, use the built-in tools, save data from your meeting, and more. |
| [Surface Hub Replacement PC Drivers](https://www.microsoft.com/download/details.aspx?id=52210) | The Surface Hub Replacement PC driver set is available for those customers who have chosen to disable the Surface Hubs internal PC and use an external computer with their 84” or 55” Surface Hub. This download is meant to be used with the Surface Hub Admin Guide , which contains further details on configuring a Surface Hub Replacement PC. |
| [Surface Hub SSD Replacement Guide (PDF)](https://www.microsoft.com/surface/en-us/support/surfacehubssd) | Learn how to replace the solid state drive (SSD) for the 55- and 84-inch Surface Hub. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface%20Hub%20RASK.zip) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
| [Microsoft Surface Hub Rollout and Adoption Success Kit (ZIP)](http://download.microsoft.com/download/F/A/3/FA3ADEA4-4966-456B-8BDE-0A594FD52C6C/Surface_Hub_Adoption_Kit_Final_0519.pdf) | Best practices for generating awareness and implementing change management to maximize adoption, usage, and benefits of Microsoft Surface Hub. The Rollout and Adoption Success Kit zip file includes the Rollout and Adoption Success Kit detailed document, Surface Hub presentation, demo guidance, awareness graphics, and more. |
| [Unpacking Guide for 84-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-84) | Learn how to unpack your 84-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/75/2b/752b73dc-6e9d-4692-8ba1-0f9fc03bff6b.mov?n=04.07.16_installation_video_03_unpacking_84.mov) |
| [Unpacking Guide for 55-inch Surface Hub (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-unpacking-guide-55) | Learn how to unpack your 55-inch Surface Hub efficiently and safely. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/a9/d6/a9d6b4d7-d33f-4e8b-be92-28f7fc2c06d7.mov?n=04.07.16_installation_video_02_unpacking_55.mov) |
| [Wall Mounting and Assembly Guide (PDF)](https://www.microsoft.com/surface/support/surface-hub/surface-hub-wall-mounting-assembly-guide) | Detailed instructions on how to safely and securely assemble the wall brackets, and how to mount your Surface Hub onto them. [Watch the video (opens in a pop-up media player)](http://compass.xbox.com/assets/bf/4d/bf4d6f06-370c-45ee-88e6-c409873914e8.mov?n=04.07.16_installation_video_05_wall_mount.mov) |

2
mdop/dart-v8/creating-the-dart-80-recovery-image-dart-8.md
View File

@ -189,7 +189,7 @@ The available image file types are:
- **Windows Imaging File (WIM)** - used to deploy DaRT to a preboot execution environment (PXE) or local partition).
- **International Standards Organization (ISO)** used to deploy to CD or DVD, or for use in virtual machines (VM)s). The wizard requires that the ISO image have an .iso file name extension because most programs that burn a CD or DVD require that extension. If you do not specify a different location, the ISO image is created on your desktop with the name DaRT8.ISO.
- **ISO image file** used to deploy to CD or DVD, or for use in virtual machines (VM)s). The wizard requires that the ISO image have an .iso file name extension because most programs that burn a CD or DVD require that extension. If you do not specify a different location, the ISO image is created on your desktop with the name DaRT8.ISO.
- **PowerShell script** creates a DaRT recovery image with commands that provide essentially the same options that you can select by using the DaRT Recovery Image wizard. The script also enables you to add or changes files in the DaRT recovery image.

8
mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md
View File

@ -89,6 +89,14 @@ You can use your preferred method to view WMI. If you use PowerShell, run `gwmi
<td align="left"><p>14</p></td>
<td align="left"><p>AutoUnlock unsafe unless the OS volume is encrypted.</p></td>
</tr>
<tr class="even">
<td align="left"><p>15</p></td>
<td align="left"><p>Policy requires minimum cypher strength is XTS-AES-128 bit, actual cypher strength is weaker than that.</p></td>
</tr>
<tr class="odd">
<td align="left"><p>16</p></td>
<td align="left"><p>Policy requires minimum cypher strength is XTS-AES-256 bit, actual cypher strength is weaker than that.</p></td>
</tr>
</tbody>
</table>

20
windows/access-protection/credential-guard/additional-mitigations.md
View File

@ -1,6 +1,6 @@
---
title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
title: Additional mitigations
description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -11,11 +11,11 @@ author: brianlic-msft
## Additional mitigations
Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, re-using previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
### Restricting domain users to specific domain-joined devices
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
#### Kerberos armoring
@ -25,11 +25,11 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
#### Protecting domain-joined device secrets
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
@ -59,7 +59,7 @@ For example, let's say you wanted to use the High Assurance policy only on these
8. Under **Issuance Policies**, click**High Assurance**.
9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created.
**Enrolling devices in a certificate**
@ -126,7 +126,7 @@ Authentication policies have the following requirements:
To make tracking authentication failures due to authentication policies easier, an operational log exists with just those events. To enable the logs on the domain controllers, in Event Viewer, navigate to **Applications and Services Logs\\Microsoft\\Windows\\Authentication, right-click AuthenticationPolicyFailures-DomainController**, and then click **Enable Log**.
To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/en-us/library/dn486813(v=ws.11).aspx).
To learn more about authentication policy events, see [Authentication Policies and Authentication Policy Silos](https://technet.microsoft.com/library/dn486813(v=ws.11).aspx).
### Appendix: Scripts
@ -607,6 +607,6 @@ write-host $tmp -Foreground Red
## See also
**Deep Dive into Credential Guard: Related videos**
**Deep Dive into Windows Defender Credential Guard: Related videos**
[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

28
windows/access-protection/credential-guard/credential-guard-considerations.md
View File

@ -1,6 +1,6 @@
---
title: Considerations when using Credential Guard (Windows 10)
description: Considerations and recommendations for certain scenarios when using Credential Guard in Windows 10.
title: Considerations when using Windows Defender Credential Guard (Windows 10)
description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -9,35 +9,35 @@ ms.localizationpriority: high
author: brianlic-msft
---
# Considerations when using Credential Guard
# Considerations when using Windows Defender Credential Guard
**Applies to**
- Windows 10
- Windows Server 2016
Prefer video? See [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
in the Deep Dive into Credential Guard video series.
Prefer video? See [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474)
in the **Deep Dive into Windows Defender Credential Guard** video series.
- Passwords are still weak so we recommend that your organization deploy Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Credential Guard. Credential Guard does not allow 3rd party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
- As the depth and breadth of protections provided by Credential Guard are increased, subsequent releases of Windows 10 with Credential Guard running may impact scenarios that were working in the past. For example, Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Credential Guard running.
- Passwords are still weak so we recommend that your organization deploy Windows Defender Credential Guard and move away from passwords and to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
- Some 3rd party Security Support Providers (SSPs and APs) might not be compatible with Windows Defender Credential Guard because it does not allow third-party SSPs to ask for password hashes from LSA. However, SSPs and APs still get notified of the password when a user logs on and/or changes their password. Any use of undocumented APIs within custom SSPs and APs are not supported. We recommend that custom implementations of SSPs/APs are tested against Windows Defender Credential Guard to ensure that the SSPs and APs do not depend on any undocumented or unsupported behaviors. For example, using the KerbQuerySupplementalCredentialsMessage API is not supported. You should not replace the NTLM or Kerberos SSPs with custom SSPs and APs. For more info, see [Restrictions around Registering and Installing a Security Package](http://msdn.microsoft.com/library/windows/desktop/dn865014.aspx) on MSDN.
- As the depth and breadth of protections provided by Windows Defender Credential Guard are increased, subsequent releases of Windows 10 with Windows Defender Credential Guard running may impact scenarios that were working in the past. For example, Windows Defender Credential Guard may block the use of a particular type of credential or a particular component to prevent malware from taking advantage of vulnerabilities. Therefore, we recommend that scenarios required for operations in an organization are tested before upgrading a device that has Windows Defender Credential Guard running.
- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Credential Guard protections for Credential Manager:
- Starting with Windows 10, version 1511, domain credentials that are stored with Credential Manager are protected with Windows Defender Credential Guard. Credential Manager allows you to store credentials, such as user names and passwords that you use to log on to websites or other computers on a network. The following considerations apply to the Windows Defender Credential Guard protections for Credential Manager:
- Credentials saved by Remote Desktop Services cannot be used to remotely connect to another machine without supplying the password. Attempts to use saved credentials will fail, displaying the error message "Logon attempt failed".
- Applications that extract derived domain credentials from Credential Manager will no longer be able to use those credentials.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Credential Guard. Otherwise, you won't be able to restore those credentials.
- Credential Guard uses hardware security so some features, such as Windows To Go, are not supported.
- You cannot restore credentials using the Credential Manager control panel if the credentials were backed up from a PC that has Windows Defender Credential Guard turned on. If you need to back up your credentials, you must do this before you enable Windows Defender Credential Guard. Otherwise, you won't be able to restore those credentials.
- Windows Defender Credential Guard uses hardware security, so some features such as Windows To Go, are not supported.
## Wi-fi and VPN Considerations
When you enable Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
When you enable Windows Defender Credential Guard, you can no longer use NTLM v1 authentication. If you are using WiFi and VPN endpoints that are based on MS-CHAPv2, they are subject to similar attacks as for NTLMv1. For WiFi and VPN connections, Microsoft recommends that organizations move from MSCHAPv2-based connections such as PEAP-MSCHAPv2 and EAP-MSCHAPv2, to certificate-based authentication such as PEAP-TLS or EAP-TLS.
## Kerberos Considerations
When you enable Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
When you enable Windows Defender Credential Guard, you can no longer use Kerberos unconstrained delegation or DES encryption. Unconstrained delegation could allow attackers to extract Kerberos keys from the isolated LSA process. You must use constrained or resource-based Kerberos delegation instead.
## See also
**Deep Dive into Credential Guard: Related videos**
**Deep Dive into Windows Defender Credential Guard: Related videos**
[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)

21
windows/access-protection/credential-guard/credential-guard-how-it-works.md
View File

@ -1,6 +1,6 @@
---
title: How Credential Guard works
description: Using virtualization-based security, Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
title: How Windows Defender Credential Guard works
description: Using virtualization-based security, Windows Defender Credential Guard features a new component called the isolated LSA process, which stores and protects secrets, isolating them from the rest of the operating system, so that only privileged system software can access them.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -9,36 +9,35 @@ ms.localizationpriority: high
author: brianlic-msft
---
# How Credential Guard works
# How Windows Defender Credential Guard works
**Applies to**
- Windows 10
- Windows Server 2016
Prefer video? See [Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the Deep Dive into Credential Guard video series.
Prefer video? See [Windows Defender Credential Guard Design](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=mD3geLJyC_8304300474) in the **Deep Dive into Windows Defender Credential Guard** video series.
Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
When Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Windows Defender Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
When Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
![Credential Guard overview](images/credguard.png)
![Windows Defender Credential Guard overview](images/credguard.png)
<br>
## See also
**Deep Dive into Credential Guard: Related videos**
**Deep Dive into Windows Defender Credential Guard: Related videos**
[Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474)
[Virtualization-based security](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=1CoELLJyC_6704300474)
[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)

51
windows/access-protection/credential-guard/credential-guard-known-issues.md
View File

@ -1,6 +1,6 @@
---
title: Credential Guard Known issues (Windows 10)
description: Credential Guard - Known issues in Windows 10 Enterprise
title: Windows Defender Credential Guard - Known issues (Windows 10)
description: Windows Defender Credential Guard - Known issues in Windows 10 Enterprise
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -9,22 +9,22 @@ ms.localizationpriority: high
author: brianlic-msft
---
# Credential Guard: Known issues
# Windows Defender Credential Guard: Known issues
**Applies to**
- Windows 10
- Windows Server 2016
Credential Guard has certain application requirements. Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when Credential Guard is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
- [KB4015217 Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221)
- [KB4033236 Two incorrect logon attempts sent to Active Directory after Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems:
@ -37,29 +37,28 @@ The following known issues have been fixed by servicing releases made available
The following issue affects the Java GSS API. See the following Oracle bug database article:
- [JDK-8161921: Windows 10 Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
When Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following issue affects Cisco AnyConnect Secure Mobility Client:
- [Blue screen on Windows 10 computers running Device Guard and Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
- [Blue screen on Windows 10 computers running Windows Defender Device Guard and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
*Registration required to access this article.
The following issue affects McAfee Application and Change Control (MACC):
- [KB88869 Windows 10 machines exhibit high CPU sage with McAfee Application and Change Control (MACC) installed when Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) <sup>[1]</sup>
- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) <sup>[1]</sup>
The following issue affects AppSense Environment Manager.
For further information, see the following Knowledge Base article:
- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) <sup>[1]</sup> \**
- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) <sup>[1]</sup> \**
The following issue affects Citrix applications:
- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Credential Guard is enabled. <sup>[1]</sup>
- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. <sup>[1]</sup>
<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
<sup>[1]</sup> Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
@ -74,23 +73,23 @@ For further technical information on LSAISO.exe, see the MSDN article: [Isolated
See the following article on Citrix support for Secure Boot:
- [Citrix Support for Secure Boot](https://www.citrix.com/blogs/2016/12/08/windows-server-2016-hyper-v-secure-boot-support-now-available-in-xenapp-7-12/)
Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
- For Credential Guard on Windows 10 with McAfee Encryption products, see:
[Support for Device Guard and Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see:
[Support for Windows Defender Device Guard and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
- For Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
[Check Point Endpoint Security Client support for Microsoft Windows 10 Credential Guard and Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
[Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Windows Defender Device Guard features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
- For Credential Guard on Windows 10 with VMWare Workstation
[Windows 10 host fails when running VMWare Workstation when Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation
[Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
- For Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
[ThinkPad support for Device Guard and Credential Guard in Microsoft Windows 10 ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
[ThinkPad support for Windows Defender Device Guard and Windows Defender Credential Guard in Microsoft Windows 10 ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
- For Credential Guard on Windows 10 with Symantec Endpoint Protection
[Windows 10 with Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection
[Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Credential guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Credential Guard.
This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard.
Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.

92
windows/access-protection/credential-guard/credential-guard-manage.md
View File

@ -1,6 +1,6 @@
---
title: Manage Credential Guard (Windows 10)
description: Deploying and managing Credential Guard using Group Policy, the registry, or the Device Guard and Credential Guard hardware readiness tool.
title: Manage Windows Defender Credential Guard (Windows 10)
description: Deploying and managing Windows Defender Credential Guard using Group Policy, the registry, or the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -9,38 +9,38 @@ ms.localizationpriority: high
author: brianlic-msft
---
# Manage Credential Guard
# Manage Windows Defender Credential Guard
**Applies to**
- Windows 10
- Windows Server 2016
Prefer video? See [Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Credential Guard video series.
Prefer video? See [Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474) in the Deep Dive into Windows Defender Credential Guard video series.
## Enable Credential Guard
Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Device Guard and Credential Guard [hardware readiness tool](#hardware-readiness-tool). Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Credential Guard on physical machines applies also to virtual machines.
## Enable Windows Defender Credential Guard
Windows Defender Credential Guard can be enabled either by using [Group Policy](#enable-credential-guard-by-using-group-policy), the [registry](#enable-credential-guard-by-using-the-registry), or the Windows Defender Device Guard and Windows Defender Credential Guard [hardware readiness tool](#hardware-readiness-tool). Windows Defender Credential Guard can also protect secrets in a Hyper-V virtual machine, just as it would on a physical machine.
The same set of procedures used to enable Windows Defender Credential Guard on physical machines applies also to virtual machines.
### Enable Credential Guard by using Group Policy
### Enable Windows Defender Credential Guard by using Group Policy
You can use Group Policy to enable Credential Guard. This will add and enable the virtualization-based security features for you if needed.
You can use Group Policy to enable Windows Defender Credential Guard. This will add and enable the virtualization-based security features for you if needed.
1. From the Group Policy Management Console, go to **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard**.
1. From the Group Policy Management Console, go to **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Windows Defender Device Guard**.
2. Double-click **Turn On Virtualization Based Security**, and then click the **Enabled** option.
3. **Select Platform Security Level** box, choose **Secure Boot** or **Secure Boot and DMA Protection**.
4. In the **Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Credential Guard remotely, choose **Enabled without lock**.
4. In the **Windows Defender Credential Guard Configuration** box, click **Enabled with UEFI lock**, and then click **OK**. If you want to be able to turn off Windows Defender Credential Guard remotely, choose **Enabled without lock**.
![Credential Guard Group Policy setting](images/credguard-gp.png)
![Windows Defender Credential Guard Group Policy setting](images/credguard-gp.png)
5. Close the Group Policy Management Console.
To enforce processing of the group policy, you can run ```gpupdate /force```.
### Enable Credential Guard by using the registry
### Enable Windows Defender Credential Guard by using the registry
If you don't use Group Policy, you can enable Credential Guard by using the registry. Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
If you don't use Group Policy, you can enable Windows Defender Credential Guard by using the registry. Windows Defender Credential Guard uses virtualization-based security features which have to be enabled first on some operating systems.
#### Add the virtualization-based security features
@ -49,7 +49,7 @@ Starting with Windows 10, version 1607 and Windows Server 2016, enabling Windows
If you are using Windows 10, version 1507 (RTM) or Windows 10, version 1511, Windows features have to be enabled to use virtualization-based security.
You can do this by using either the Control Panel or the Deployment Image Servicing and Management tool (DISM).
> [!NOTE]
If you enable Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
If you enable Windows Defender Credential Guard by using Group Policy, the steps to enable Windows features through Control Panel or DISM are not required. Group Policy will install Windows features for you.
 
**Add the virtualization-based security features by using Programs and Features**
@ -75,46 +75,46 @@ If you enable Credential Guard by using Group Policy, the steps to enable Window
> [!NOTE]
> You can also add these features to an online image by using either DISM or Configuration Manager.
#### Enable virtualization-based security and Credential Guard
#### Enable virtualization-based security and Windows Defender Credential Guard
1. Open Registry Editor.
2. Enable virtualization-based security:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\DeviceGuard.
- Add a new DWORD value named **EnableVirtualizationBasedSecurity**. Set the value of this registry setting to 1 to enable virtualization-based security and set it to 0 to disable it.
- Add a new DWORD value named **RequirePlatformSecurityFeatures**. Set the value of this registry setting to 1 to use **Secure Boot** only or set it to 3 to use **Secure Boot and DMA protection**.
3. Enable Credential Guard:
3. Enable Windows Defender Credential Guard:
- Go to HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA.
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Credential Guard with UEFI lock, set it to 2 to enable Credential Guard without lock, and set it to 0 to disable it.
- Add a new DWORD value named **LsaCfgFlags**. Set the value of this registry setting to 1 to enable Windows Defender Credential Guard with UEFI lock, set it to 2 to enable Windows Defender Credential Guard without lock, and set it to 0 to disable it.
4. Close Registry Editor.
> [!NOTE]
> You can also enable Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
> You can also enable Windows Defender Credential Guard by setting the registry entries in the [FirstLogonCommands](http://msdn.microsoft.com/library/windows/hardware/dn922797.aspx) unattend setting.
<span id="hardware-readiness-tool" />
### Enable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
### Enable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also enable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can also enable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.2.ps1 -Enable -AutoReboot
```
### Review Credential Guard performance
### Review Windows Defender Credential Guard performance
**Is Credential Guard running?**
**Is Windows Defender Credential Guard running?**
You can view System Information to check that Credential Guard is running on a PC.
You can view System Information to check that Windows Defender Credential Guard is running on a PC.
1. Click **Start**, type **msinfo32.exe**, and then click **System Information**.
2. Click **System Summary**.
3. Confirm that **Credential Guard** is shown next to **Device Guard Security Services Running**.
3. Confirm that **Windows Defender Credential Guard** is shown next to **Windows Defender Device Guard Security Services Running**.
Here's an example:
![System Information](images/credguard-msinfo32.png)
You can also check that Credential Guard is running by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can also check that Windows Defender Credential Guard is running by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.2.ps1 -Ready
@ -124,24 +124,24 @@ DG_Readiness_Tool_v3.2.ps1 -Ready
For client machines that are running Windows 10 1703, LSAIso is running whenever Virtualization based security is enabled for other features.
- If Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Credential Guard should be enabled before the PC is joined to a domain.
- If Windows Defender Credential Guard is enabled on a device after it's joined to a domain, the user and device secrets may already be compromised. We recommend that Windows Defender Credential Guard should be enabled before the PC is joined to a domain.
- You should perform regular reviews of the PCs that have Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Credential Guard (LsaIso.exe) configuration: 0x1, 0
- The first variable: 0x1 means Credential Guard is configured to run. 0x0 means its not configured to run.
- You should perform regular reviews of the PCs that have Windows Defender Credential Guard enabled. This can be done with security audit policies or WMI queries. Here's a list of WinInit event IDs to look for:
- **Event ID 13** Windows Defender Credential Guard (LsaIso.exe) was started and will protect LSA credentials.
- **Event ID 14** Windows Defender Credential Guard (LsaIso.exe) configuration: 0x1, 0
- The first variable: 0x1 means Windows Defender Credential Guard is configured to run. 0x0 means its not configured to run.
- The second variable: 0 means its configured to run in protect mode. 1 means it's configured to run in test mode. This variable should always be 0.
- **Event ID 15** Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Credential Guard.
- **Event ID 16** Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
- **Event ID 15** Windows Defender Credential Guard (LsaIso.exe) is configured but the secure kernel is not running; continuing without Windows Defender Credential Guard.
- **Event ID 16** Windows Defender Credential Guard (LsaIso.exe) failed to launch: \[error code\]
- **Event ID 17** Error reading Windows Defender Credential Guard (LsaIso.exe) UEFI configuration: \[error code\]
You can also verify that TPM is being used for key protection by checking Event ID 51 in the **Microsoft** -&gt; **Windows** -&gt; **Kernel-Boot** event source. If you are running with a TPM, the TPM PCR mask value will be something other than 0.
- **Event ID 51** VSM Master Encryption Key Provisioning. Using cached copy status: 0x0. Unsealing cached copy status: 0x1. New key generation status: 0x1. Sealing status: 0x1. TPM PCR mask: 0x0.
## Disable Credential Guard
## Disable Windows Defender Credential Guard
If you have to disable Credential Guard on a PC, you can use the following set of procedures, or you can [use the Device Guard and Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
If you have to disable Windows Defender Credential Guard on a PC, you can use the following set of procedures, or you can [use the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](#turn-off-with-hardware-readiness-tool).
1. If you used Group Policy, disable the Group Policy setting that you used to enable Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Device Guard** -&gt; **Turn on Virtualization Based Security**).
1. If you used Group Policy, disable the Group Policy setting that you used to enable Windows Defender Credential Guard (**Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Windows Defender Device Guard** -&gt; **Turn on Virtualization Based Security**).
2. Delete the following registry settings:
- HKEY\_LOCAL\_MACHINE\\System\\CurrentControlSet\\Control\\LSA\LsaCfgFlags
- HKEY\_LOCAL\_MACHINE\\Software\\Policies\\Microsoft\\Windows\\DeviceGuard\\EnableVirtualizationBasedSecurity
@ -150,7 +150,7 @@ If you have to disable Credential Guard on a PC, you can use the following set o
> [!IMPORTANT]
> If you manually remove these registry settings, make sure to delete them all. If you don't remove them all, the device might go into BitLocker recovery.
3. Delete the Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
3. Delete the Windows Defender Credential Guard EFI variables by using bcdedit. From an elevated command prompt, type the following commands:
``` syntax
mountvol X: /s
@ -171,26 +171,26 @@ If you have to disable Credential Guard on a PC, you can use the following set o
```
2. Restart the PC.
3. Accept the prompt to disable Credential Guard.
4. Alternatively, you can disable the virtualization-based security features to turn off Credential Guard.
3. Accept the prompt to disable Windows Defender Credential Guard.
4. Alternatively, you can disable the virtualization-based security features to turn off Windows Defender Credential Guard.
> [!NOTE]
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
> The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
For more info on virtualization-based security and Device Guard, see [Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
<span id="turn-off-with-hardware-readiness-tool" />
#### Disable Credential Guard by using the Device Guard and Credential Guard hardware readiness tool
#### Disable Windows Defender Credential Guard by using the Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
You can also disable Credential Guard by using the [Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
You can also disable Windows Defender Credential Guard by using the [Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool](https://www.microsoft.com/download/details.aspx?id=53337).
```
DG_Readiness_Tool_v3.2.ps1 -Disable -AutoReboot
```
#### Disable Credential Guard for a virtual machine
#### Disable Windows Defender Credential Guard for a virtual machine
From the host, you can disable Credential Guard for a virtual machine:
From the host, you can disable Windows Defender Credential Guard for a virtual machine:
``` PowerShell
Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true

32
windows/access-protection/credential-guard/credential-guard-not-protected-scenarios.md
View File

@ -1,6 +1,6 @@
---
title: Credential Guard protection limits (Windows 10)
description: Scenarios not protected by Credential Guard in Windows 10.
title: Windows Defender Credential Guard protection limits (Windows 10)
description: Scenarios not protected by Windows Defender Credential Guard in Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -9,38 +9,38 @@ ms.localizationpriority: high
author: brianlic-msft
---
# Credential Guard protection limits
# Windows Defender Credential Guard protection limits
**Applies to**
- Windows 10
- Windows Server 2016
Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Credential Guard video series.
Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Windows Defender Credential Guard video series.
Some ways to store credentials are not protected by Credential Guard, including:
Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials")
do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
## Additional mitigations
Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
Windows Defender Credential Guard can provide mitigations against attacks on derived credentials and prevent the use of stolen credentials elsewhere. However, PCs can still be vulnerable to certain attacks, even if the derived credentials are protected by Windows Defender Credential Guard. These attacks can include abusing privileges and use of derived credentials directly from a compromised device, reusing previously stolen credentials prior to Windows Defender Device Guard, and abuse of management tools and weak application configurations. Because of this, additional mitigations also must be deployed to make the domain environment more robust.
### Restricting domain users to specific domain-joined devices
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
Credential theft attacks allow the attacker to steal secrets from one device and use them from another device. If a user can sign on to multiple devices then any device could be used to steal credentials. How do you ensure that users only sign on using devices that have Windows Defender Credential Guard enabled? By deploying authentication policies that restrict them to specific domain-joined devices that have been configured with Windows Defender Credential Guard. For the domain controller to know what device a user is signing on from, Kerberos armoring must be used.
#### Kerberos armoring
@ -50,11 +50,11 @@ Kerberos armoring is part of RFC 6113. When a device supports Kerberos armoring,
- Users need to be in domains that are running Windows Server 2012 R2 or higher
- All the domain controllers in these domains must be configured to support Kerberos armoring. Set the **KDC support for claims, compound authentication, and Kerberos armoring** Group Policy setting to either **Supported** or **Always provide claims**.
- All the devices with Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
- All the devices with Windows Defender Credential Guard that the users will be restricted to must be configured to support Kerberos armoring. Enable the **Kerberos client support for claims, compound authentication and Kerberos armoring** Group Policy settings under **Computer Configuration** -&gt; **Administrative Templates** -&gt; **System** -&gt; **Kerberos**.
#### Protecting domain-joined device secrets
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Since domain-joined devices also use shared secrets for authentication, attackers can steal those secrets as well. By deploying device certificates with Windows Defender Credential Guard, the private key can be protected. Then authentication policies can require that users sign on devices that authenticate using those certificates. This prevents shared secrets stolen from the device to be used with stolen user credentials to sign on as the user.
Domain-joined device certificate authentication has the following requirements:
- Devices' accounts are in Windows Server 2012 domain functional level or higher.
@ -84,7 +84,7 @@ For example, let's say you wanted to use the High Assurance policy only on these
8. Under **Issuance Policies**, click**High Assurance**.
9. On the **Subject name** tab, clear the **DNS name** check box, and then select the **User Principal Name (UPN)** check box.
Then on the devices that are running Credential Guard, enroll the devices using the certificate you just created.
Then on the devices that are running Windows Defender Credential Guard, enroll the devices using the certificate you just created.
**Enrolling devices in a certificate**
@ -636,6 +636,6 @@ write-host $tmp -Foreground Red
## See also
**Deep Dive into Credential Guard: Related videos**
**Deep Dive into Windows Defender Credential Guard: Related videos**
[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

22
windows/access-protection/credential-guard/credential-guard-protection-limits.md
View File

@ -1,6 +1,6 @@
---
title: Credential Guard protection limits (Windows 10)
description: Scenarios not protected by Credential Guard in Windows 10.
title: Windows Defender Credential Guard protection limits (Windows 10)
description: Scenarios not protected by Windows Defender Credential Guard in Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -9,33 +9,33 @@ ms.localizationpriority: high
author: brianlic-msft
---
# Credential Guard protection limits
# Windows Defender Credential Guard protection limits
**Applies to**
- Windows 10
- Windows Server 2016
Prefer video? See [Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Credential Guard video series.
Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Windows Defender Credential Guard video series.
Some ways to store credentials are not protected by Credential Guard, including:
Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
- Software that manages credentials outside of Windows feature protection
- Local accounts and Microsoft Accounts
- Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Windows Defender Credential Guard does not protect the Active Directory database running on Windows Server 2016 domain controllers. It also does not protect credential input pipelines, such as Windows Server 2016 servers running Remote Desktop Gateway. If you're using a Windows Server 2016 server as a client PC, it will get the same protection as it would when running Windows 10 Enterprise.
- Key loggers
- Physical attacks
- Does not prevent an attacker with malware on the PC from using the privileges associated with any credential. We recommend using dedicated PCs for high value accounts, such as IT Pros and users with access to high value assets in your organization.
- Third-party security packages
- Digest and CredSSP credentials
- When Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- When Windows Defender Credential Guard is enabled, neither Digest nor CredSSP have access to users' logon credentials. This implies no Single Sign-On use for these protocols.
- Supplied credentials for NTLM authentication are not protected. If a user is prompted for and enters credentials for NTLM authentication, these credentials are vulnerable to be read from LSASS memory. Note that these same credentials are vulnerable to key loggers as well.-
- When Credential Guard is deployed on a VM, Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
- When Windows Defender Credential Guard is deployed on a VM, Windows Defender Credential Guard protects secrets from attacks inside the VM. However, it does not provide additional protection from privileged system attacks originating from the host.
- Windows logon cached password verifiers (commonly called "cached credentials")
do not qualify as credentials because they cannot be presented to another computer for authentication, and can only be used locally to verify credentials. They are stored in the registry on the local computer and provide validation for credentials when a domain-joined computer cannot connect to AD DS during user logon. These “cached logons”, or more specifically, cached domain account information, can be managed using the security policy setting **Interactive logon: Number of previous logons to cache** if a domain controller is not available.
## See also
**Deep Dive into Credential Guard: Related videos**
**Deep Dive into Windows Defender Credential Guard: Related videos**
[Protecting privileged users with Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)

40
windows/access-protection/credential-guard/credential-guard-requirements.md
View File

@ -1,6 +1,6 @@
---
title: Credential Guard Requirements (Windows 10)
description: Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
title: Windows Defender Credential Guard Requirements (Windows 10)
description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security associated with available hardware and firmware options.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -9,22 +9,22 @@ ms.localizationpriority: high
author: brianlic-msft
---
# Credential Guard: Requirements
# Windows Defender Credential Guard: Requirements
**Applies to**
- Windows 10
- Windows Server 2016
Prefer video? See
[Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
in the Deep Dive into Credential Guard video series.
[Windows Defender Credential Guard Deployment](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=sRcyvLJyC_3304300474)
in the Deep Dive into Windows Defender Credential Guard video series.
For Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
For Windows Defender Credential Guard to provide protections, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to this as [Application requirements](#application-requirements). Beyond that, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
## Hardware and software requirements
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Credential Guard uses:
To provide basic protections against OS level attempts to read Credential Manager domain credentials, NTLM and Kerberos derived credentials, Windows Defender Credential Guard uses:
- Support for Virtualization-based security (required)
- Secure boot (required)
- TPM 2.0 either discrete or firmware (preferred - provides binding to hardware)
@ -35,29 +35,29 @@ The Virtualization-based security requires:
- CPU virtualization extensions plus extended page tables
- Windows hypervisor
### Credential Guard deployment in virtual machines
### Windows Defender Credential Guard deployment in virtual machines
Credential Guard can protect secrets in a Hyper-V virtual machine, just as it would on a physical machine. When Credential Guard is deployed on a VM, secrets are protected from attacks inside the VM. Credential Guard does not provide additional protection from privileged system attacks originating from the host.
#### Requirements for running Credential Guard in Hyper-V virtual machines
#### Requirements for running Windows Defender Credential Guard in Hyper-V virtual machines
- The Hyper-V host must have an IOMMU, and run at least Windows Server 2016 or Windows 10 version 1607.
- The Hyper-V virtual machine must be Generation 2, have an enabled virtual TPM, and be running at least Windows Server 2016 or Windows 10.
For information about other host platforms, see [Enabling Windows Server 2016 and Hyper-V virtualization based security features on other platforms](https://blogs.technet.microsoft.com/windowsserver/2016/09/29/enabling-windows-server-2016-and-hyper-v-virtualization-based-security-features-on-other-platforms/)
For information about Remote Credential Guard hardware and software requirements, see [Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements)
For information about Windows Defender Remote Credential Guard hardware and software requirements, see [Windows Defender Remote Credential Guard requirements](https://docs.microsoft.com/en-us/windows/access-protection/remote-credential-guard#hardware-and-software-requirements)
## Application requirements
When Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
When Windows Defender Credential Guard is enabled, specific authentication capabilities are blocked, so applications that require such capabilities will break. Applications should be tested prior to deployment to ensure compatiblity with the reduced functionality.
>[!WARNING]
> Enabling Credential Guard on domain controllers is not supported. <br>
> The domain controller hosts authentication services which integrate with processes isolated when Credential Guard is enabled, causing crashes.
> Enabling Windows Defender Credential Guard on domain controllers is not supported. <br>
> The domain controller hosts authentication services which integrate with processes isolated when Windows Defender Credential Guard is enabled, causing crashes.
>[!NOTE]
> Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
> Windows Defender Credential Guard does not provide protections for the Active Directory database or the Security Accounts Manager (SAM). The credentials protected by Kerberos and NTLM when Windows Defender Credential Guard is enabled are also in the Active Directory database (on domain controllers) and the SAM (for local accounts).
Applications will break if they require:
- Kerberos DES encryption support
@ -70,20 +70,20 @@ Applications will prompt and expose credentials to risk if they require:
- Credential delegation
- MS-CHAPv2
Applications may cause performance issues when they attempt to hook the isolated Credential Guard process.
Applications may cause performance issues when they attempt to hook the isolated Windows Defender Credential Guard process.
See this video: [Credentials Protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
See this video: [Credentials Protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
## Security considerations
All computers that meet baseline protections for hardware, firmware, and software can use Credential Guard.
All computers that meet baseline protections for hardware, firmware, and software can use Windows Defender Credential Guard.
Computers that meet additional qualifications can provide additional protections to further reduce the attack surface.
The following tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
> [!NOTE]
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new shipping computers. <br>
> If you are an OEM, see [PC OEM requirements for Device Guard and Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
> If you are an OEM, see [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).<br>
### Baseline protections
@ -94,10 +94,10 @@ The following tables describe baseline protections, plus protections for improve
| Hardware: **Trusted Platform Module (TPM)** |  **Requirement**: TPM 1.2 or TPM 2.0, either discrete or firmware.<br>[TPM recommendations](https://technet.microsoft.com/itpro/windows/keep-secure/tpm-recommendations) | A TPM provides protection for VBS encryption keys that are stored in the firmware. This helps protect against attacks involving a physically present user with BIOS access. |
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | **Requirements**: See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot)| UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | **Requirements**: UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot).| UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Credential Guard. Only Device Guard is supported in this configuration.</p></blockquote> |Support for VBS and for management features that simplify configuration of Credential Guard. |
| Software: Qualified **Windows operating system** | **Requirement**: Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only Windows Defender Device Guard is supported in this configuration.</p></blockquote> |Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard. |
> [!IMPORTANT]
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Credential Guard can provide.
> The following tables list additional qualifications for improved security. We strongly recommend meeting the additional qualifications to significantly strengthen the level of security that Windows Defender Credential Guard can provide.
### 2015 Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016 Technical Preview 4

6
windows/access-protection/credential-guard/credential-guard-scripts.md
View File

@ -1,6 +1,6 @@
---
title: Scripts for Certificate Issuance Policies in Credential Guard (Windows 10)
description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Credential Guard on Windows 10.
title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows 10)
description: Scripts listed in this topic for obtaining the available issuance policies on the certificate authority for Windows Defender Credential Guard on Windows 10.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@ -9,7 +9,7 @@ ms.localizationpriority: high
author: brianlic-msft
---
# Credential Guard: Scripts for Certificate Authority Issuance Policies
# Windows Defender Credential Guard: Scripts for Certificate Authority Issuance Policies
Here is a list of scripts mentioned in this topic.

20
windows/access-protection/credential-guard/credential-guard.md
View File

@ -1,6 +1,6 @@
---
title: Protect derived domain credentials with Credential Guard (Windows 10)
description: Introduced in Windows 10 Enterprise, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10)
description: Introduced in Windows 10 Enterprise, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
ms.prod: w10
ms.mktglfcycl: explore
@ -10,21 +10,21 @@ ms.localizationpriority: high
author: brianlic-msft
---
# Protect derived domain credentials with Credential Guard
# Protect derived domain credentials with Windows Defender Credential Guard
**Applies to**
- Windows 10
- Windows Server 2016
Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Credential Guard video series.
Prefer video? See [Credential Theft and Lateral Traversal](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=cfGBPlIyC_9404300474) in the Deep Dive into Windows Defender Credential Guard video series.
Introduced in Windows 10 Enterprise and Windows Server 2016, Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
By enabling Credential Guard, the following features and solutions are provided:
By enabling Windows Defender Credential Guard, the following features and solutions are provided:
- **Hardware security** NTLM, Kerberos, and Credential Manager take advantage of platform security features, including Secure Boot and virtualization, to protect credentials.
- **Virtualization-based security** Windows NTLM and Kerberos derived credentials and other secrets run in a protected environment that is isolated from the running operating system.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Device Guard and other security strategies and architectures.
- **Better protection against advanced persistent threats** When Credential Manager domain credentials, NTLM, and Kerberos derived credentials are protected using virtualization-based security, the credential theft attack techniques and tools used in many targeted attacks are blocked. Malware running in the operating system with administrative privileges cannot extract secrets that are protected by virtualization-based security. While Windows Defender Credential Guard is a powerful mitigation, persistent threat attacks will likely shift to new attack techniques and you should also incorporate Windows Defender Device Guard and other security strategies and architectures.
 
## Related topics
@ -33,7 +33,7 @@ By enabling Credential Guard, the following features and solutions are provided:
- [Isolated User Mode Processes and Features in Windows 10 with Logan Gabriel (Channel 9)](http://channel9.msdn.com/Blogs/Seth-Juarez/Isolated-User-Mode-Processes-and-Features-in-Windows-10-with-Logan-Gabriel)
- [More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/More-on-Processes-and-Features-in-Windows-10-Isolated-User-Mode-with-Dave-Probert)
- [Mitigating Credential Theft using the Windows 10 Isolated User Mode (Channel 9)](https://channel9.msdn.com/Blogs/Seth-Juarez/Mitigating-Credential-Theft-using-the-Windows-10-Isolated-User-Mode)
- [Protecting network passwords with Windows 10 Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
- [Protecting network passwords with Windows Defender Credential Guard](https://www.microsoft.com/itshowcase/Article/Content/831/Protecting-network-passwords-with-Windows-10-Credential-Guard)
- [Enabling Strict KDC Validation in Windows Kerberos](http://www.microsoft.com/download/details.aspx?id=6382)
- [What's New in Kerberos Authentication for Windows Server 2012](http://technet.microsoft.com/library/hh831747.aspx)
- [Authentication Mechanism Assurance for AD DS in Windows Server 2008 R2 Step-by-Step Guide](http://technet.microsoft.com/library/dd378897.aspx)
@ -42,6 +42,6 @@ By enabling Credential Guard, the following features and solutions are provided:
## See also
**Deep Dive into Credential Guard: Related videos**
**Deep Dive into Windows Defender Credential Guard: Related videos**
[Credentials protected by Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
[Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)

62
windows/access-protection/remote-credential-guard.md
View File

@ -1,40 +1,40 @@
---
title: Protect Remote Desktop credentials with Remote Credential Guard (Windows 10)
description: Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
title: Protect Remote Desktop credentials with Windows Defender Remote Credential Guard (Windows 10)
description: Windows Defender Remote Credential Guard helps to secure your Remote Desktop credentials by never sending them to the target device.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
---
# Protect Remote Desktop credentials with Remote Credential Guard
# Protect Remote Desktop credentials with Windows Defender Remote Credential Guard
**Applies to**
- Windows 10
- Windows Server 2016
Introduced in Windows 10, version 1607, Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device.
Introduced in Windows 10, version 1607, Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting the Kerberos requests back to the device that's requesting the connection. It also provides single sign on experiences for Remote Desktop sessions. If the target device is compromised, your credentials are not exposed because both credential and credential derivatives are never sent to the target device.
You can use Remote Credential Guard in the following ways:
- Administrator credentials are highly privileged and must be protected. By using Remote Credential Guard to connect, you can be assured that your credentials are not passed over the network to the target device.
- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
- Helpdesk employees in your organization must connect to domain-joined devices that could be compromised. With Windows Defender Remote Credential Guard, the helpdesk employee can use RDP to connect to the target device without compromising their credentials to malware.
## Comparing Remote Credential Guard with a server protected with Credential Guard
## Comparing Windows Defender Remote Credential Guard with a server protected with Credential Guard
Use the following diagrams to help understand how Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection.
Use the following diagrams to help understand how Windows Defender Remote Credential Guard works, what it helps protect against, and how it compares with using a server protected with Credential Guard. As the diagram shows, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass the Hash, and prevents usage of a credential after disconnection.
![Remote Credential Guard](images/remote-credential-guard.png)
![Windows Defender Remote Credential Guard](images/remote-credential-guard.png)
## Comparing Remote Credential Guard with other options for Remote Desktop connections
## Comparing Windows Defender Remote Credential Guard with other Remote Desktop connection options
Use the following table to compare different security options for Remote Desktop connections.
> [!NOTE]
> This table compares different options than are shown in the previous diagram.
| Remote Desktop | Remote Credential Guard | Restricted Admin mode |
| Remote Desktop | Windows Defender Remote Credential Guard | Restricted Admin mode |
|---|---|---|
| Protection: Provides **less protection** than other modes in this table. | Protection: Provides **moderate protection**, compared to other modes in this table. | Protection: Provides **the most protection** of the modes in this table. However, it also requires you to be in the local “Administrators” group on the remote computer. |
| Version support: The remote computer can be running **any operating system that supports credential delegation**, which was introduced in Windows Vista. | Version support: The remote computer must be running **at least Windows 10, version 1607, or Windows Server 2016**. | Version support: The remote computer must be running **at least patched Windows 7 or patched Windows Server 2008 R2**.<br><br>For more information about patches (software updates) related to Restricted Admin mode, see [Microsoft Security Advisory 2871997](https://technet.microsoft.com/library/security/2871997.aspx). |
@ -47,25 +47,25 @@ Use the following table to compare different security options for Remote Desktop
## Hardware and software requirements
To use Remote Credential Guard, the Remote Desktop client and server must meet the following requirements:
To use Windows Defender Remote Credential Guard, the Remote Desktop client and server must meet the following requirements:
- In order to connect using credentials other than signed-in credentials, the Remote Desktop client device must be running at least Windows 10, version 1703.
> [!NOTE]
> Remote Desktop client devices running earlier versions, at minimum Windows 10 version 1607, only support signed-in credentials, so the client device must also be joined to an Active Directory domain. Both Remote Desktop client and server must either be joined to the same domain, or the Remote Desktop server can be joined to a domain that has a trust relationship to the client device's domain.
- For Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication
- For Windows Defender Remote Credential Guard to be supported, the user must authenticate to the remote host using Kerberos authentication
- The remote host must be running at least Windows 10 version 1607, or Windows Server 2016.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Remote Credential Guard.
- The Remote Desktop classic Windows app is required. The Remote Desktop Universal Windows Platform app doesn't support Windows Defender Remote Credential Guard.
## Enable Remote Credential Guard
## Enable Windows Defender Remote Credential Guard
You must enable Remote Credential Guard on the target device by using the registry.
You must enable Windows Defender Remote Credential Guard on the target device by using the registry.
1. Open Registry Editor.
2. Enable Remote Credential Guard:
2. Enable Windows Defender Remote Credential Guard:
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
- Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Remote Credential Guard.
- Add a new DWORD value named **DisableRestrictedAdmin**. Set the value of this registry setting to 0 to turn on Windows Defender Remote Credential Guard.
3. Close Registry Editor.
You can add this by running the following from an elevated command prompt:
@ -74,26 +74,26 @@ You can add this by running the following from an elevated command prompt:
reg add HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin /d 0 /t REG_DWORD
```
## Using Remote Credential Guard
## Using Windows Defender Remote Credential Guard
You can use Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection.
You can use Windows Defender Remote Credential Guard on the client device by setting a Group Policy or by using a parameter with Remote Desktop Connection.
### Turn on Remote Credential Guard by using Group Policy
### Turn on Windows Defender Remote Credential Guard by using Group Policy
1. From the Group Policy Management Console, go to **Computer Configuration** -> **Administrative Templates** -> **System** -> **Credentials Delegation**.
2. Double-click **Restrict delegation of credentials to remote servers**.
![Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
3. Under **Use the following restricted mode**:
- If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Remote Credential Guard, choose **Prefer Remote Credential Guard**. In this configuration, Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Remote Credential Guard cannot be used.
- If you want to require either [Restricted Admin mode](http://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) or Windows Defender Remote Credential Guard, choose **Prefer Windows Defender Remote Credential Guard**. In this configuration, Windows Defender Remote Credential Guard is preferred, but it will use Restricted Admin mode (if supported) when Windows Defender Remote Credential Guard cannot be used.
> **Note:** Neither Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
> **Note:** Neither Windows Defender Remote Credential Guard nor Restricted Admin mode will send credentials in clear text to the Remote Desktop server.
- If you want to require Remote Credential Guard, choose **Require Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
- If you want to require Windows Defender Remote Credential Guard, choose **Require Windows Defender Remote Credential Guard**. With this setting, a Remote Desktop connection will succeed only if the remote computer meets the [Hardware and software requirements](#hardware-and-software-requirements) listed earlier in this topic.
- If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic.
- If you want to require Restricted Admin mode, choose **Require Restricted Admin**. For information about Restricted Admin mode, see the table in [Comparing Windows Defender Remote Credential Guard with other options for Remote Desktop connections](#comparing-remote-credential-guard-with-other-options-for-remote-desktop-connections), earlier in this topic.
4. Click **OK**.
@ -102,26 +102,26 @@ You can use Remote Credential Guard on the client device by setting a Group Poli
6. From a command prompt, run **gpupdate.exe /force** to ensure that the Group Policy object is applied.
### Use Remote Credential Guard with a parameter to Remote Desktop Connection
### Use Windows Defender Remote Credential Guard with a parameter to Remote Desktop Connection
If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Remote Credential Guard for that connection.
If you don't use Group Policy in your organization, you can add the remoteGuard parameter when you start Remote Desktop Connection to turn on Windows Defender Remote Credential Guard for that connection.
```
mstsc.exe /remoteGuard
```
## Considerations when using Remote Credential Guard
## Considerations when using Windows Defender Remote Credential Guard
- Remote Credential Guard does not include device claims. For example, if youre trying to access a file server from the remote and the file server requires device claim, access will be denied.
- Windows Defender Remote Credential Guard does not include device claims. For example, if youre trying to access a file server from the remote and the file server requires device claim, access will be denied.
- Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
- Windows Defender Remote Credential Guard cannot be used to connect to a device that is joined to Azure Active Directory.
- Remote Desktop Credential Guard only works with the RDP protocol.
- No credentials are sent to the target device, but the target device still acquires the Kerberos Service Tickets on its own.
- Remote Desktop Gateway is not compatible with Remote Credential Guard.
- Remote Desktop Gateway is not compatible with Windows Defender Remote Credential Guard.
- You cannot use saved credentials or credentials that are different than yours. You must use the credentials of the user who is logged into the device.

12
windows/access-protection/windows-firewall/basic-firewall-policy-design.md
View File

@ -35,15 +35,15 @@ Many network administrators do not want to tackle the difficult task of determin
With few exceptions, the firewall can be enabled on all configurations. Therefore, we recommended that you enable the firewall on every device in your organization. This includes servers in your perimeter network, on mobile and remote clients that connect to the network, and on all servers and clients in your internal network.
>**Caution:**  Stopping the service associated with Windows Firewall with Advanced Security is not supported by Microsoft.
>**Caution:**  Stopping the service associated with Windows Defender Firewall with Advanced Security is not supported by Microsoft.
By default, in new installations, Windows Firewall is turned on in Windows Server 2012, Windows 8, and later.
By default, in new installations, Windows Defender Firewall with Advanced Security is turned on in Windows Server 2012, Windows 8, and later.
If you turn off the Windows Firewall with Advanced Security service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
If you turn off the Windows Defender Firewall service you lose other benefits provided by the service, such as the ability to use IPsec connection security rules, Windows Service Hardening, and network protection from forms of attacks that use network fingerprinting.
Compatible third-party firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. 
Compatible third-party firewall software can programmatically disable only the parts of Windows Defender Firewall that might need to be disabled for compatibility. This is the recommended approach for third-party firewalls to coexist with the Windows Defender Firewall; third-party party firewalls that comply with this recommendation have the certified logo from Microsoft. 
An organization typically uses this design as a first step toward a more comprehensive Windows Firewall with Advanced Security design that adds server isolation and domain isolation.
An organization typically uses this design as a first step toward a more comprehensive Windows Defender Firewall design that adds server isolation and domain isolation.
After implementing this design, you will have centralized management of the firewall rules applied to all devices that are running Windows in your organization.
@ -57,7 +57,7 @@ For more information about this design:
- To learn more about this design, see [Firewall Policy Design Example](firewall-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md).

2
windows/access-protection/windows-firewall/certificate-based-isolation-policy-design-example.md
View File

@ -49,4 +49,4 @@ By using the Active Directory Users and Computers snap-in, Woodgrove Bank create
Woodgrove Bank then created a GPO that contains the certificate, and then attached security group filters to the GPO that allow read and apply permissions to only members of the NAG\_COMPUTER\_WGBUNIX group. The GPO places the certificate in the **Local Computer / Personal / Certificates** certificate store. The certificate used must chain back to a certificate that is in the **Trusted Root Certification Authorities** store on the local device.
**Next: **[Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
**Next: **[Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)

4
windows/access-protection/windows-firewall/certificate-based-isolation-policy-design.md
View File

@ -31,10 +31,10 @@ For more info about this design:
- To learn more about this design, see [Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Certificate-based Authentication](planning-certificate-based-authentication.md).
- For a list of tasks that you can use to deploy your certificate-based policy design, see [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md).
**Next: **[Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
**Next: **[Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)

4
windows/access-protection/windows-firewall/change-rules-from-request-to-require-mode.md
View File

@ -29,9 +29,9 @@ In this topic:
## To convert a rule from request to require mode
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Connection Security Rules**.
2. In the right navigation pane, click **Connection Security Rules**.
3. In the details pane, double-click the connection security rule that you want to modify.

6
windows/access-protection/windows-firewall/checklist-configuring-basic-firewall-settings.md
View File

@ -21,6 +21,6 @@ This checklist includes tasks for configuring a GPO with firewall defaults and s
| Task | Reference |
| - | - |
| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)|
| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) |
| Configure the firewall to record a log file. | [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)|
| Turn the firewall on and set the default inbound and outbound behavior.| [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)|
| Configure the firewall to not display notifications to the user when a program is blocked, and to ignore locally defined firewall and connection security rules. | [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md) |
| Configure the firewall to record a log file. | [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)|

6
windows/access-protection/windows-firewall/checklist-creating-group-policy-objects.md
View File

@ -25,7 +25,7 @@ For most GPO deployment tasks, you must determine which devices must receive and
## About exclusion groups
A Windows Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
A Windows Defender Firewall with Advanced Security design must often take into account domain-joined devices on the network that cannot or must not apply the rules and settings in the GPOs. Because these devices are typically fewer in number than the devices that must apply the GPO, it is easier to use the Domain Members group in the GPO membership group, and then place these exception devices into an exclusion group that is denied Apply Group Policy permissions on the GPO. Because deny permissions take precedence over allow permissions, a device that is a member of both the membership group and the exception group is prevented from applying the GPO. Devices typically found in a GPO exclusion group for domain isolation include the domain controllers, DHCP servers, and DNS servers.
You can also use a membership group for one zone as an exclusion group for another zone. For example, devices in the boundary and encryption zones are technically in the main domain isolation zone, but must apply only the GPO for their assigned role. To do this, the GPOs for the main isolation zone deny Apply Group Policy permissions to members of the boundary and encryption zones.
@ -33,11 +33,11 @@ You can also use a membership group for one zone as an exclusion group for anoth
| Task | Reference |
| - | - |
| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)|
| Review important concepts and examples for deploying GPOs in a way that best meets the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md)|
| Create the membership group in AD DS that will be used to contain device accounts that must receive the GPO.<br/>If some devices in the membership group are running an operating system that does not support WMI filters, such as Windows 2000, create an exclusion group to contain the device accounts for the devices that cannot be blocked by using a WMI filter.| [Create a Group Account in Active Directory](create-a-group-account-in-active-directory.md)|
| Create a GPO for each version of Windows that has different implementation requirements.| [Create a Group Policy Object](create-a-group-policy-object.md) |
| Create security group filters to limit the GPO to only devices that are members of the membership group and to exclude devices that are members of the exclusion group.|[Assign Security Group Filters to the GPO](assign-security-group-filters-to-the-gpo.md) |
| Create WMI filters to limit each GPO to only the devices that match the criteria in the filter.| [Create WMI Filters for the GPO](create-wmi-filters-for-the-gpo.md) |
| If you are working on a GPO that was copied from another, modify the group memberships and WMI filters so that they are correct for the new zone or version of Windows for which this GPO is intended.|[Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md) |
| Link the GPO to the domain level of the Active Directory organizational unit hierarchy.| [Link the GPO to the Domain](link-the-gpo-to-the-domain.md) |
| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |
| Before adding any rules or configuring the GPO, add a few test devices to the membership group, and make sure that the correct GPO is received and applied to each member of the group.| [Add Test Devices to the Membership Group for a Zone](add-test-devices-to-the-membership-group-for-a-zone.md) |

4
windows/access-protection/windows-firewall/checklist-implementing-a-basic-firewall-policy-design.md
View File

@ -19,13 +19,13 @@ This parent checklist includes cross-reference links to important concepts about
>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
The procedures in this section use the Group Policy MMC snap-in interfaces to configure the GPOs, but you can also use Windows PowerShell. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
 **Checklist: Implementing a basic firewall policy design**
| Task | Reference |
| - | - |
| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Basic Firewall Policy Design](basic-firewall-policy-design.md)<br/>[Firewall Policy Design Example](firewall-policy-design-example.md)<br/>[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
| Review important concepts and examples for the basic firewall policy design to determine if this design meets the needs of your organization. | [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Basic Firewall Policy Design](basic-firewall-policy-design.md)<br/>[Firewall Policy Design Example](firewall-policy-design-example.md)<br/>[Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md)|
| Create the membership group and a GPO for each set of devices that require different firewall rules. Where GPOs will be similar, such as for Windows 10 and Windows Server 2016, create one GPO, configure it by using the tasks in this checklist, and then make a copy of the GPO for the other version of Windows. For example, create and configure the GPO for Windows 10, make a copy of it for Windows Server 2016, and then follow the steps in this checklist to make the few required changes to the copy. | [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md)<br/>[Copy a GPO to Create a New GPO](copy-a-gpo-to-create-a-new-gpo.md)|
| If you are working on a GPO that was copied from another, modify the group membership and WMI filters so that they are correct for the devices for which this GPO is intended.| [Modify GPO Filters to Apply to a Different Zone or Version of Windows](modify-gpo-filters-to-apply-to-a-different-zone-or-version-of-windows.md)|
| Configure the GPO with firewall default settings appropriate for your design.| [Checklist: Configuring Basic Firewall Settings](checklist-configuring-basic-firewall-settings.md)|

2
windows/access-protection/windows-firewall/checklist-implementing-a-certificate-based-isolation-policy-design.md
View File

@ -23,7 +23,7 @@ This parent checklist includes cross-reference links to important concepts about
| Task | Reference |
| - | - |
| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)<br/>[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)<br/>[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
| Review important concepts and examples for certificate-based authentication to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)<br/>[Certificate-based Isolation Policy Design Example](certificate-based-isolation-policy-design-example.md)<br/>[Planning Certificate-based Authentication](planning-certificate-based-authentication.md) |
| Install the Active Directory Certificate Services (AD CS) role as an enterprise root issuing certification authority (CA). This step is required only if you have not already deployed a CA on your network.| |
| Configure the certificate template for workstation authentication certificates.| [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)|
| Configure Group Policy to automatically deploy certificates based on your template to workstation devices. | [Configure Group Policy to Autoenroll and Deploy Certificates](configure-group-policy-to-autoenroll-and-deploy-certificates.md)|

4
windows/access-protection/windows-firewall/checklist-implementing-a-domain-isolation-policy-design.md
View File

@ -19,13 +19,13 @@ This parent checklist includes cross-reference links to important concepts about
>**Note:**  Complete the tasks in this checklist in order. When a reference link takes you to a procedure, return to this topic after you complete the steps in that procedure so that you can proceed with the remaining tasks in this checklist.
The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
The procedures in this section use the Group Policy MMC snap-ins to configure the GPOs, but you can also use Windows PowerShell to configure GPOs. For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md).
**Checklist: Implementing a domain isolation policy design**
| Task | Reference |
| - | - |
| Review important concepts and examples for the domain isolation policy design, determine your Windows Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Domain Isolation Policy Design](domain-isolation-policy-design.md)<br/>[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)<br/>[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
| Review important concepts and examples for the domain isolation policy design, determine your Windows Defender Firewall with Advanced Security deployment goals, and customize this design to meet the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Domain Isolation Policy Design](domain-isolation-policy-design.md)<br/>[Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)<br/>[Planning Domain Isolation Zones](planning-domain-isolation-zones.md) |
| Create the GPOs and connection security rules for the isolated domain.| [Checklist: Configuring Rules for the Isolated Domain](checklist-configuring-rules-for-the-isolated-domain.md)|
| Create the GPOs and connection security rules for the boundary zone.| [Checklist: Configuring Rules for the Boundary Zone](checklist-configuring-rules-for-the-boundary-zone.md)|
| Create the GPOs and connection security rules for the encryption zone.| [Checklist: Configuring Rules for the Encryption Zone](checklist-configuring-rules-for-the-encryption-zone.md)|

2
windows/access-protection/windows-firewall/checklist-implementing-a-standalone-server-isolation-policy-design.md
View File

@ -25,7 +25,7 @@ This parent checklist includes cross-reference links to important concepts about
| Task | Reference |
| - | - |
| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Server Isolation Policy Design](server-isolation-policy-design.md)<br/>[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)<br/>[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
| Review important concepts and examples for the server isolation policy design to determine if this design meets your deployment goals and the needs of your organization.| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)<br/>[Server Isolation Policy Design](server-isolation-policy-design.md)<br/>[Server Isolation Policy Design Example](server-isolation-policy-design-example.md)<br/>[Planning Server Isolation Zones](planning-server-isolation-zones.md) |
| Create the GPOs and connection security rules for isolated servers.| [Checklist: Configuring Rules for Servers in a Standalone Isolated Server Zone](checklist-configuring-rules-for-servers-in-a-standalone-isolated-server-zone.md)|
| Create the GPOs and connection security rules for the client devices that must connect to the isolated servers. | [Checklist: Creating Rules for Clients of a Standalone Isolated Server Zone](checklist-creating-rules-for-clients-of-a-standalone-isolated-server-zone.md)|
| Verify that the connection security rules are protecting network traffic on your test devices. | [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)|

6
windows/access-protection/windows-firewall/configure-authentication-methods.md
View File

@ -26,15 +26,15 @@ To complete these procedures, you must be a member of the Domain Administrators
**To configure authentication methods**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
3. On the **IPsec Settings** tab, click **Customize**.
4. In the **Authentication Method** section, select the type of authentication that you want to use from among the following:
1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Firewall with Advanced Security or by Group Policy as the default.
1. **Default**. Selecting this option tells the computer to use the authentication method currently defined by the local administrator in Windows Defender Firewall or by Group Policy as the default.
2. **Computer and User (using Kerberos V5)**. Selecting this option tells the computer to use and require authentication of both the computer and the currently logged-on user by using their domain credentials.

4
windows/access-protection/windows-firewall/configure-data-protection-quick-mode-settings.md
View File

@ -23,9 +23,9 @@ To complete these procedures, you must be a member of the Domain Administrators
**To configure quick mode settings**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
3. On the **IPsec Settings** tab, click **Customize**.

4
windows/access-protection/windows-firewall/configure-key-exchange-main-mode-settings.md
View File

@ -23,9 +23,9 @@ To complete these procedures, you must be a member of the Domain Administrators
**To configure key exchange settings**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane on the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
2. In the details pane on the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
3. On the **IPsec Settings** tab, click **Customize**.

10
windows/access-protection/windows-firewall/configure-the-rules-to-require-encryption.md
View File

@ -19,7 +19,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
**To modify an authentication request rule to also require encryption**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Connection Security Rules**.
@ -27,7 +27,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
4. On the **Name** page, rename the connection security rule, edit the description to reflect the new use for the rule, and then click **OK**.
5. In the navigation pane, right-click **Windows Firewall with Advanced Security LDAP://CN={***guid***}**, and then click **Properties**.
5. In the navigation pane, right-click **Windows Defender Firewall LDAP://CN={***guid***}**, and then click **Properties**.
6. Click the **IPsec Settings** tab.
@ -42,11 +42,11 @@ To complete this procedure, you must be a member of the Domain Administrators gr
10. If you need to add an algorithm combination, click **Add**, and then select the combination of encryption and integrity algorithms. The options are described in [Configure Data Protection (Quick Mode) Settings](configure-data-protection-quick-mode-settings.md).
**Note**  
Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
Not all of the algorithms available in Windows 8 or Windows Server 2012 and later can be selected in the Windows Defender Firewall with Advanced Security user interface. To select them, you can use Windows PowerShell.
Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Firewall with Advanced Security user interface. Instead, you can create or modify the rules by using Windows PowerShell.
Quick mode settings can also be configured on a per-rule basis, but not by using the Windows Defender Firewall user interface. Instead, you can create or modify the rules by using Windows PowerShell.
For more info, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
For more info, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md)
11. During negotiation, algorithm combinations are proposed in the order shown in the list. Make sure that the more secure combinations are at the top of the list so that the negotiating devices select the most secure combination that they can jointly support.

22
windows/access-protection/windows-firewall/configure-the-windows-firewall-log.md
View File

@ -1,6 +1,6 @@
---
title: Configure the Windows Firewall Log (Windows 10)
description: Configure the Windows Firewall Log
title: Configure the Windows Defender Firewall Log (Windows 10)
description: Configure the Windows Defender Firewall Log
ms.assetid: f037113d-506b-44d3-b9c0-0b79d03e7d18
ms.prod: w10
ms.mktglfcycl: deploy
@ -10,13 +10,13 @@ ms.pagetype: security
author: brianlic-msft
---
# Configure the Windows Firewall Log
# Configure the Windows Defender Firewall with Advanced Security Log
**Applies to**
- Windows 10
- Windows Server 2016
To configure Windows Firewall to log dropped packets or successful connections, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
To configure Windows Defender Firewall with Advanced Security to log dropped packets or successful connections, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in.
**Administrative credentials**
@ -24,13 +24,13 @@ To complete these procedures, you must be a member of the Domain Administrators
In this topic:
- [To configure the Windows Firewall log](#to-configure-the-windows-firewall-log)
- [To configure the Windows Defender Firewall with Advanced Security log](#to-configure-the-windows-firewall-log)
## To configure the Windows Firewall log
## To configure the Windows Defender Firewall with Advanced Security log
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
3. For each network location type (Domain, Private, Public), perform the following steps.
@ -40,14 +40,14 @@ In this topic:
3. The default path for the log is **%windir%\\system32\\logfiles\\firewall\\pfirewall.log**. If you want to change this, clear the **Not configured** check box and type the path to the new location, or click **Browse** to select a file location.
>**Important:**  The location you specify must have permissions assigned that permit the Windows Firewall service to write to the log file.
>**Important:**  The location you specify must have permissions assigned that permit the Windows Defender Firewall service to write to the log file.
4. The default maximum file size for the log is 4,096 kilobytes (KB). If you want to change this, clear the **Not configured** check box, and type in the new size in KB, or use the up and down arrows to select a size. The file will not grow beyond this size; when the limit is reached, old log entries are deleted to make room for the newly created ones.
5. No logging occurs until you set one of following two options:
- To create a log entry when Windows Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
- To create a log entry when Windows Defender Firewall drops an incoming network packet, change **Log dropped packets** to **Yes**.
- To create a log entry when Windows Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
- To create a log entry when Windows Defender Firewall allows an inbound connection, change **Log successful connections** to **Yes**.
6. Click **OK** twice.

14
windows/access-protection/windows-firewall/configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md
View File

@ -1,6 +1,6 @@
---
title: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked (Windows 10)
description: Configure Windows Firewall to Suppress Notifications When a Program Is Blocked
title: Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program is Blocked (Windows 10)
description: Configure Windows Defender Firewall with Advanced Security to suppress notifications when a program is Bbocked
ms.assetid: b7665d1d-f4d2-4b5a-befc-8b6bd940f69b
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,13 +9,13 @@ ms.pagetype: security
author: brianlic-msft
---
# Configure Windows Firewall to Suppress Notifications When a Program Is Blocked
# Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked
**Applies to**
- Windows 10
- Windows Server 2016
To configure Windows Firewall to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Firewall with Advanced Security node in the Group Policy Management console.
To configure Windows Defender Firewall with Advanced Security to suppress the display of a notification when it blocks a program that tries to listen for network traffic and to prohibit locally defined rules, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
>**Caution:**  If you choose to disable alerts and prohibit locally defined rules, then you must create firewall rules that allow your users programs to send and receive the required network traffic. If a firewall rule is missing, then the user does not receive any kind of warning, the network traffic is silently blocked, and the program might fail.
@ -25,11 +25,11 @@ We recommend that you do not enable these settings until you have created and te
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
## To configure Windows Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules
## To configure Windows Defender Firewall to suppress the display of a notification for a blocked program and to ignore locally defined rules
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
3. For each network location type (Domain, Private, Public), perform the following steps.

5
windows/access-protection/windows-firewall/create-an-authentication-exemption-list-rule.md
View File

@ -18,17 +18,16 @@ author: brianlic-msft
In almost any isolated server or isolated domain scenario, there are some devices or devices that cannot communicate by using IPsec. This procedure shows you how to create rules that exempt those devices from the authentication requirements of your isolation policies.
**Important**  
Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list.
Adding devices to the exemption list for a zone reduces security because it permits devices in the zone to send network traffic that is unprotected by IPsec to the devices on the list. As discussed in the Windows Defender Firewall with Advanced Security Design Guide, you must add only managed and trusted devices to the exemption list.
 
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
**To create a rule that exempts specified hosts from authentication**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Connection Security Rules**.

2
windows/access-protection/windows-firewall/create-an-authentication-request-rule.md
View File

@ -23,7 +23,7 @@ To complete this procedure, you must be a member of the Domain Administrators gr
To create the authentication request rule
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, right-click **Connection Security Rules**, and then click **New Rule**.

4
windows/access-protection/windows-firewall/create-an-inbound-icmp-rule.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
To allow inbound Internet Control Message Protocol (ICMP) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows ICMP requests and responses to be sent and received by computers on the network.
**Administrative credentials**
@ -29,7 +29,7 @@ This topic describes how to create a port rule that allows inbound ICMP network
To create an inbound ICMP rule
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.

5
windows/access-protection/windows-firewall/create-an-inbound-port-rule.md
View File

@ -15,7 +15,8 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
To allow inbound network traffic on only a specified TCP or UDP port number, use the Windows Defender Firewall
with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows any program that listens on a specified TCP or UDP port to receive network traffic sent to that port.
**Administrative credentials**
@ -29,7 +30,7 @@ This topic describes how to create a standard port rule for a specified protocol
**To create an inbound port rule**
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security] (open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.

4
windows/access-protection/windows-firewall/create-an-inbound-program-or-service-rule.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
To allow inbound network traffic to a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
To allow inbound network traffic to a specified program or service, use the Windows Defender Firewall with Advanced Securitynode in the Group Policy Management MMC snap-in to create firewall rules. This type of rule allows the program to listen and receive inbound network traffic on any port.
>**Note:**  This type of rule is often combined with a program or service rule. If you combine the rule types, you get a firewall rule that limits traffic to a specified port and allows the traffic only when the specified program is running. The program cannot receive network traffic on other ports, and other programs cannot receive network traffic on the specified port. To combine the program and port rule types into a single rule, follow the steps in the [Create an Inbound Port Rule](create-an-inbound-port-rule.md) procedure in addition to the steps in this procedure.
@ -25,7 +25,7 @@ To complete these procedures, you must be a member of the Domain Administrators
To create an inbound firewall rule for a program or service
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.

6
windows/access-protection/windows-firewall/create-an-outbound-port-rule.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic on a specified TCP or UDP port number, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule blocks any outbound network traffic that matches the specified TCP or UDP port numbers.
**Administrative credentials**
@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators
To create an outbound port rule
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Outbound Rules**.
@ -37,7 +37,7 @@ To create an outbound port rule
6. On the **Protocol and Ports** page, select the protocol type that you want to block. To restrict the rule to a specified port number, you must select either **TCP** or **UDP**. Because this is an outbound rule, you typically configure only the remote port number.
If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it.
If you select another protocol, then only packets whose protocol field in the IP header match this rule are blocked by Windows Defender Firewall. Network traffic for protocols is allowed as long as other rules that match do not block it.
To select a protocol by its number, select **Custom** from the list, and then type the number in the **Protocol number** box.

4
windows/access-protection/windows-firewall/create-an-outbound-program-or-service-rule.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
By default, Windows Defender Firewall allows all outbound network traffic unless it matches a rule that prohibits the traffic. To block outbound network traffic for a specified program or service, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create firewall rules. This type of rule prevents the program from sending any outbound network traffic on any port.
**Administrative credentials**
@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators
To create an outbound firewall rule for a program or service
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Outbound Rules**.

4
windows/access-protection/windows-firewall/create-inbound-rules-to-support-rpc.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
To allow inbound remote procedure call (RPC) network traffic, use the Windows Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
To allow inbound remote procedure call (RPC) network traffic, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console to create two firewall rules. The first rule allows incoming network packets on TCP port 135 to the RPC Endpoint Mapper service. The incoming traffic consists of requests to communicate with a specified network service. The RPC Endpoint Mapper replies with a dynamically-assigned port number that the client must use to communicate with the service. The second rule allows the network traffic that is sent to the dynamically-assigned port number. Using the two rules configured as described in this topic helps to protect your device by allowing network traffic only from devices that have received RPC dynamic port redirection and to only those TCP port numbers assigned by the RPC Endpoint Mapper.
**Administrative credentials**
@ -35,7 +35,7 @@ In this topic:
## To create a rule to allow inbound network traffic to the RPC Endpoint Mapper service
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.

6
windows/access-protection/windows-firewall/designing-a-windows-firewall-with-advanced-security-strategy.md
View File

@ -1,6 +1,6 @@
---
title: Designing a Windows Firewall with Advanced Security Strategy (Windows 10)
description: Designing a Windows Firewall with Advanced Security Strategy
title: Designing a Windows Defender Firewall with Advanced Security Strategy (Windows 10)
description: Designing a Windows Defender Firewall Strategy
ms.assetid: 6d98b184-33d6-43a5-9418-4f24905cfd71
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
# Designing a Windows Firewall with Advanced Security Strategy
# Designing a Windows Defender Firewall with Advanced Security Strategy
**Applies to**
- Windows 10

2
windows/access-protection/windows-firewall/determining-the-trusted-state-of-your-devices.md
View File

@ -136,4 +136,4 @@ With the other information that you have gathered in this section, this informat
The costs identified in this section only capture the projected cost of the device upgrades. Many additional design, support, test, and training costs should be accounted for in the overall project plan.
**Next: **[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
**Next: **[Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)

2
windows/access-protection/windows-firewall/documenting-the-zones.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Firewall with Advanced Security Strategy section. A sample is shown here:
Generally, the task of determining zone membership is not complex, but it can be time-consuming. Use the information generated during the [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) section of this guide to determine the zone in which to put each host. You can document this zone placement by adding a Group column to the inventory table shown in the Designing a Windows Defender Firewall with Advanced Security Strategy section. A sample is shown here:
| Host name | Hardware reqs met | Software reqs met | Configuration required | Details | Projected cost | Group |
| - | - | - | - | - | - |

2
windows/access-protection/windows-firewall/domain-isolation-policy-design.md
View File

@ -55,7 +55,7 @@ For more info about this design:
- To learn more about this design, see the [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md).
- Before completing the design, gather the info described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- Before completing the design, gather the info described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Domain Isolation Zones](planning-domain-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md).

4
windows/access-protection/windows-firewall/enable-predefined-inbound-rules.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Windows Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
Windows Defender Firewall with Advanced Security includes many predefined rules for common networking roles and functions. When you install a new server role on a device or enable a network feature on a client device, the installer typically enables the rules required for that role instead of creating new ones. When deploying firewall rules to the devices on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
**Administrative credentials**
@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators
To deploy predefined firewall rules that allow inbound network traffic for common network functions
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Inbound Rules**.

4
windows/access-protection/windows-firewall/enable-predefined-outbound-rules.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
By default, Windows Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Firewall with Advanced Security includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
By default, Windows Defender Firewall with Advanced Security allows all outbound network traffic unless it matches a rule that prohibits the traffic. Windows Defender Firewall includes many predefined outbound rules that can be used to block network traffic for common networking roles and functions. When you install a new server role on a computer or enable a network feature on a client computer, the installer can install, but typically does not enable, outbound block rules for that role. When deploying firewall rules to the computers on the network, you can take advantage of these predefined rules instead of creating new ones. Doing this helps to ensure consistency and accuracy, because the rules have been thoroughly tested and are ready for use.
**Administrative credentials**
@ -23,7 +23,7 @@ To complete these procedures, you must be a member of the Domain Administrators
To deploy predefined firewall rules that block outbound network traffic for common network functions
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the navigation pane, click **Outbound Rules**.

10
windows/access-protection/windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
View File

@ -1,6 +1,6 @@
---
title: Evaluating Windows Firewall with Advanced Security Design Examples (Windows 10)
description: Evaluating Windows Firewall with Advanced Security Design Examples
title: Evaluating Windows Defender Firewall with Advanced Security Design Examples (Windows 10)
description: Evaluating Windows Defender Firewall with Advanced Security Design Examples
ms.assetid: a591389b-18fa-4a39-ba07-b6fb61961cbd
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,15 +9,15 @@ ms.pagetype: security
author: brianlic-msft
---
# Evaluating Windows Firewall with Advanced Security Design Examples
# Evaluating Windows Defender Firewall with Advanced Security Design Examples
**Applies to**
- Windows 10
- Windows Server 2016
The following Windows Firewall with Advanced Security design examples illustrate how you can use Windows Firewall with Advanced Security to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Firewall with Advanced Security designs and to determine which design or combination of designs best suits the goals of your organization.
The following Windows Defender Firewall with Advanced Security design examples illustrate how you can use Windows Defender Firewall to improve the security of the devices connected to the network. You can use these topics to evaluate how the firewall and connection security rules work across all Windows Defender Firewall designs and to determine which design or combination of designs best suits the goals of your organization.
- [Firewall Policy Design Example](firewall-policy-design-example.md)
- [Firewall Policy with Advanced Security Design Example](firewall-policy-design-example.md)
- [Domain Isolation Policy Design Example](domain-isolation-policy-design-example.md)

4
windows/access-protection/windows-firewall/exempt-icmp-from-authentication.md
View File

@ -23,8 +23,8 @@ To complete this procedure, you must be a member of the Domain Administrators gr
To exempt ICMP network traffic from authentication
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. On the main Windows Firewall with Advanced Security page, click **Windows Firewall Properties**.
2. On the main Windows Defender Firewall with Advanced Security page, click **Windows Defender Firewall Properties**.
3. On the **IPsec settings** tab, change **Exempt ICMP from IPsec** to **Yes**, and then click **OK**.

12
windows/access-protection/windows-firewall/firewall-policy-design-example.md
View File

@ -25,7 +25,7 @@ A key line-of-business program called WGBank consists of a client program runnin
## Design requirements
The network administrators want to implement Windows Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted.
The network administrators want to implement Windows Defender Firewall with Advanced Security throughout their organization to provide an additional security layer to their overall security strategy. They want to create firewall rules that allow their business programs to operate, while blocking network traffic that is not wanted.
The following illustration shows the traffic protection needs for this design example.
@ -82,7 +82,7 @@ The following groups were created by using the Active Directory Users and Comput
The two device types (client and server) are distinguished by using a WMI filters to ensure that only the policy intended for devices that are running a client version of Windows can be applied to that computer. A similar WMI filter on the server GPO ensures that only devices that are running server versions of Windows can apply that GPO. Each of the GPOs also have security group filters to prevent members of the group FIREWALL\_NO\_DEFAULT from receiving either of these two GPOs.
- Client devices receive a GPO that configures Windows Firewall with Advanced Security to enforce the default Windows Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound.
- Client devices receive a GPO that configures Windows Defender Firewall to enforce the default Windows Defender Firewall behavior (allow outbound, block unsolicited inbound). The client default GPO also includes the built-in firewall rule groups Core Networking and File and Printer Sharing. The Core Networking group is enabled for all profiles, whereas the File and Printer Sharing group is enabled for only the Domain and Private profiles. The GPO also includes inbound firewall rules to allow the WGBank front-end server dashboard update traffic, and rules to prevent company-prohibited programs from sending or receiving network traffic, both inbound and outbound.
- Server devices receive a GPO that includes similar firewall configuration to the client computer GPO. The primary difference is that the rules are enabled for all profiles (not just domain and private). Also, the rules for WGBank dashboard update are not included, because it is not needed on server devices.
@ -90,15 +90,15 @@ The following groups were created by using the Active Directory Users and Comput
- **CG\_FIREWALL\_NO\_DEFAULT**. Members of this group do not receive the default firewall GPO. Devices are added to this group if there is a business requirement for it to be exempted from the default firewall behavior. The use of a group to represent the exceptions instead of the group members directly makes it easier to support the dynamic nature of the client computer population. A new computer joined to the domain is automatically given the appropriate default firewall GPO, unless it is a member of this group.
- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_WGB\_FE**. This group contains the computer accounts for all the WGBank front-end server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited WGBank client traffic. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_WGB\_SQL**. This group contains the computer accounts for all the WGBank back-end devices that run SQL Server. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow the SQL Server program to receive unsolicited queries only from the WGBank front-end servers. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_BOUNDARY\_WGBANKFE**. This group contains the computer accounts for the servers that host Web services that can be accessed from the Internet. Members of this group receive a GPO that adds an inbound firewall rule to allow inbound HTTP and HTTPS network traffic from any address, including the Internet. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_WINS**. This group contains the computer accounts for all the WINS server devices. Members of this group receive a GPO that configures Windows Defender Firewall with an inbound firewall rule to allow unsolicited inbound requests from WINS clients. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Firewall with Advanced Security with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO.
- **CG\_FIREWALL\_ADDC**. This group contains all the computer accounts for the Active Directory domain controller server devices. Members of this group receive a GPO that configures Windows Defender Firewall with inbound firewall rules to allow unsolicited Active Directory client and server-to-server traffic. Devices in this group also receive the default firewall GPO.
In your own design, create a group for each computer role in your organization that requires different or additional firewall rules. For example, file servers and print servers require additional rules to allow the incoming network traffic for those functions. If a function is ordinarily performed on most devices on the network, you might consider adding devices performing those roles to the common default firewall GPO set, unless there is a security reason not to include it there.

4
windows/access-protection/windows-firewall/gathering-information-about-your-active-directory-deployment.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Firewall with Advanced Security. Review the following list for information needed:
Active Directory is another important item about which you must gather information. You must understand the forest structure. This includes domain layout, organizational unit (OU) architecture, and site topology. This information makes it possible to know where devices are currently placed, their configuration, and the impact of changes to Active Directory that result from implementing Windows Defender Firewall with Advanced Security. Review the following list for information needed:
- **Names and number of forests**. The forest (not the domain) is the security boundary in an Active Directory implementation. You must understand the current Active Directory architecture to determine the most effective strategy for deploying your firewall and connection security rules using Group Policy. It also enables you to understand which devices can be isolated and how best to accomplish the required degree of isolation.
@ -27,6 +27,6 @@ Active Directory is another important item about which you must gather informati
- **OU structure**. OUs are logical constructs and can therefore be molded to fit many different requirements and goals. The OU structure is an ideal place to examine how Group Policy is currently used and how the OUs are laid out. You do not have to redesign an already implemented OU structure in order to effectively deploy firewall and connection security policy, but an understanding of the structure helps you know what WMI or group filtering is required to apply each GPO to the correct devices.
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Firewall with Advanced Security connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
- **Existing IPsec policy**. Because this project culminates in the implementation of IPsec policy, you must understand how the network currently uses IPsec (if at all). Windows Defender Firewall connection security rules for versions of Windows prior to Windows Vista and Windows Server 2008 are not compatible with earlier versions of Windows. If you already have IPsec policies deployed to devices running Windows XP and Windows Server 2003 in your organization, you must ensure that the new IPsec policies you deploy enable devices using either the old or new IPsec policies to communicate with each other.
**Next: **[Gathering Information about Your Devices](gathering-information-about-your-devices.md)

8
windows/access-protection/windows-firewall/gathering-information-about-your-current-network-infrastructure.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Perhaps the most important aspect of planning for Windows Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Firewall with Advanced Security solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:
Perhaps the most important aspect of planning for Windows Defender Firewall with Advanced Security deployment is the network architecture, because IPsec is layered on the Internet Protocol itself. An incomplete or inaccurate understanding of the network can prevent any Windows Defender Firewall solution from being successful. Understanding subnet layout, IP addressing schemes, and traffic patterns are part of this effort, but accurately documenting the following components are important to completing the planning phase of this project:
- **Network segmentation**. This includes IP addressing maps, showing how your routers separate each network segment. It includes information about how the routers are configured, and what security filters they impose on network traffic flowing through them.
@ -31,7 +31,7 @@ The goal is to have enough information to be able to identify an asset by its ne
Do not use a complex and poorly documented network as a starting point for the design, because it can leave too many unidentified areas that are likely to cause problems during implementation.
This guidance helps obtain the most relevant information for planning Windows Firewall with Advanced Security implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation.
This guidance helps obtain the most relevant information for planning Windows Defender Firewall implementation, but it does not try to address other issues, such as TCP/IP addressing or virtual local area network (VLAN) segmentation.
## Network segmentation
@ -100,7 +100,7 @@ When you examine traffic flow, look closely at how all managed and unmanaged dev
- How do servers and clients communicate with each other?
- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail.
- Are there security devices or projects currently implemented or planned that could affect an isolation deployment? For example, if you use Windows Defender Firewall on your devices to "lock down" specific ports, such as UDP 500, IKE negotiations fail.
Some of the more common applications and protocols are as follows:
@ -108,6 +108,6 @@ Some of the more common applications and protocols are as follows:
- **Remote procedure call (RPC)**. RPC operates by listening on a port known as the *endpoint mapper*, TCP port 135. The response to a query on this port is an instruction to begin communication on another port in the ephemeral range (ports numbered over 1024). In a network that is segmented by firewalls, RPC communication presents a configuration challenge because it means opening the RPC listener port and all ports greater than 1024. Opening so many ports increases the attack surface of the whole network and reduces the effectiveness of the firewalls. Because many applications depend on RPC for basic functionality, any firewall and connection security policy must take RPC requirements into account.
- **Other traffic**. Windows Firewall with Advanced Security can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
- **Other traffic**. Windows Defender Firewall can help secure transmissions between devices by providing authentication of the packets in addition to encrypting the data that they contain. The important thing to do is to identify what must be protected, and the threats that must be mitigated. Examine and model other traffic or traffic types that must be secured.
**Next: **[Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)

2
windows/access-protection/windows-firewall/gathering-information-about-your-devices.md
View File

@ -49,6 +49,6 @@ You can use Windows PowerShell to create a script file that can collect the syst
Whether you use an automatic, manual, or hybrid option to gather the information, one of the biggest issues that can cause problems to the design is capturing the changes between the original inventory scan and the point at which the implementation is ready to start. After the first scan has been completed, make support staff aware that all additional changes must be recorded and the updates noted in the inventory.
This inventory will be critical for planning and implementing your Windows Firewall with Advanced Security design.
This inventory will be critical for planning and implementing your Windows Defender Firewall design.
**Next: **[Gathering Other Relevant Information](gathering-other-relevant-information.md)

4
windows/access-protection/windows-firewall/gathering-other-relevant-information.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Firewall with Advanced Security policies in your organization.
This topic discusses several other things that you should examine to see whether they will cause any complications in your ability to deploy Windows Defender Firewall with Advanced Security policies in your organization.
## Capacity considerations
@ -35,7 +35,7 @@ Because IPsec uses mathematically intensive cryptographic techniques, it can con
## Group Policy deployment groups and WMI filters
You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Firewall with Advanced Security GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices.
You do not have to rearrange the organization unit (OU) hierarchy of your Active Directory domains to effectively deploy Windows Defender Firewall GPOs. Instead, you can link your GPOs at the domain level (or another high level container), and then use security group filtering or WMI filtering to ensure that only the appropriate devices or users can apply the GPO settings. We recommend that you use WMI filtering to dynamically ensure that GPOs apply only to devices that are running the correct operating system. It is not necessary to use this technique if your network consists of devices.
## Different Active Directory trust environments

2
windows/access-protection/windows-firewall/gathering-the-information-you-need.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
Before starting the planning process for a Windows Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
Review each of the following topics for guidance about the kinds of information that you must gather:

2
windows/access-protection/windows-firewall/gpo-domiso-boundary.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
This GPO supports the ability for devices that are not part of the isolated domain to access specific servers that must be available to those untrusted devices. It is intended to only apply to server devices that are running at least Windows Server 2008.

2
windows/access-protection/windows-firewall/gpo-domiso-encryption.md
View File

@ -12,7 +12,7 @@ ms.pagetype: security
# GPO\_DOMISO\_Encryption\_WS2008
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008.

5
windows/access-protection/windows-firewall/gpo-domiso-firewall.md
View File

@ -15,7 +15,8 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.
This GPO is authored by using the Windows Defender Firewall
with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to devices that are running at least Windows 7 or Windows Server 2008.
## Firewall settings
@ -53,7 +54,7 @@ This GPO provides the following rules:
- Remote Volume Management
- Windows Firewall Remote Management
- Windows Defender Firewall Remote Management
- Windows Management Instrumentation (WMI)

2
windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-clients.md
View File

@ -15,7 +15,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to client devices that are running Windows 8, Windows 7, or Windows Vista.
Because client devices can sometimes be portable, the settings and rules for this GPO are applied to only the domain profile.

4
windows/access-protection/windows-firewall/gpo-domiso-isolateddomain-servers.md
View File

@ -15,9 +15,9 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
This GPO is authored by using the Windows Firewall with Advanced Security interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008.
This GPO is authored by using the Windows Defender Firewall interface in the Group Policy editing tools. The User Configuration section of the GPO is disabled. It is intended to only apply to server devices that are running at least Windows Server 2008.
Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Firewall with Advanced Security piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here:
Because so many of the settings and rules for this GPO are common to those in the GPO for at least Windows Vista, you can save time by exporting the Windows Defender Firewall piece of the GPO for at least Windows Vista, and importing it to the GPO for at least Windows Server 2008. After the import, change only the items specified here:
- This GPO applies all its settings to all profiles: Domain, Private, and Public. Because a server is not expected to be mobile and changing networks, configuring the GPO in this way prevents a network failure or the addition of a new network adapter from unintentionally switching the device to the Public profile with a different set of rules (in the case of a server running Windows Server 2008).

55
windows/access-protection/windows-firewall/identifying-your-windows-firewall-with-advanced-security-deployment-goals.md
View File

@ -1,6 +1,6 @@
---
title: Identifying Your Windows Firewall with Advanced Security Deployment Goals (Windows 10)
description: Identifying Your Windows Firewall with Advanced Security Deployment Goals
title: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals (Windows 10)
description: Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals
ms.assetid: 598cf45e-2e1c-4947-970f-361dfa264bba
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,52 +9,21 @@ ms.pagetype: security
author: brianlic-msft
---
# Identifying Your Windows Firewall with Advanced Security Deployment Goals
# Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals
**Applies to**
- Windows 10
- Windows Server 2016
Correctly identifying your Windows Firewall with Advanced Security deployment goals is essential for the success of your Windows Firewall with Advanced Security design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Firewall with Advanced Security by using an iterative approach. You can take advantage of the predefined Windows Firewall with Advanced Security deployment goals presented in this guide that are relevant to your scenarios.
Correctly identifying your Windows Defender Firewall with Advanced Security deployment goals is essential for the success of your Windows Defender Firewall design project. Form a project team that can clearly articulate deployment issues in a vision statement. When you write your vision statement, identify, clarify, and refine your deployment goals. Prioritize and, if possible, combine your deployment goals so that you can design and deploy Windows Defender Firewall by using an iterative approach. You can take advantage of the predefined Windows Defender Firewall deployment goals presented in this guide that are relevant to your scenarios.
The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Firewall with Advanced Security deployment goals.
The following table lists the three main tasks for articulating, refining, and subsequently documenting your Windows Defender Firewall deployment goals:
<table>
<colgroup>
<col width="50%" />
<col width="50%" />
</colgroup>
<thead>
<tr class="header">
<th>Deployment goal tasks</th>
<th>Reference links</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>Evaluate predefined Windows Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives.</p></td>
<td><p>Predefined deployment goals:</p>
<ul>
<li><p>[Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)</p></li>
<li><p>[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)</p></li>
<li><p>[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)</p></li>
<li><p>[Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)</p></li>
</ul></td>
</tr>
<tr class="even">
<td><p>Map one goal or a combination of the predefined deployment goals to an existing Windows Firewall with Advanced Security design.</p></td>
<td><ul>
<li><p>[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)</p></li>
</ul></td>
</tr>
<tr class="odd">
<td><p>Based on the status of your current infrastructure, document your deployment goals for your Windows Firewall with Advanced Security design into a deployment plan.</p></td>
<td><ul>
<li><p>[Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)</p></li>
<li><p>[Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)</p></li>
</ul></td>
</tr>
</tbody>
</table>
| Deployment goal tasks | Reference links |
| --- | --- |
| Evaluate predefined Windows Defender Firewall with Advanced Security deployment goals that are provided in this section of the guide, and combine one or more goals to reach your organizational objectives. | Predefined deployment goals: <p><ul><li>[Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)</li><p><li>[Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)</li> <p><li>[Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)</li> <p><li>[Restrict Access to Sensitive Resources to Only Specified Users or Devices](restrict-access-to-only-specified-users-or-devices.md)</li></ul>
| Map one goal or a combination of the predefined deployment goals to an existing Windows Defender Firewall with Advanced Security design. | <ul><li>[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)</li></ul>
| Based on the status of your current infrastructure, document your deployment goals for your Windows Defender Firewall with Advanced Security design into a deployment plan. | <ul><li>[Designing A Windows Defender Firewall Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)</li> <p><li>[Planning Your Windows Defender Firewall Design with Advanced Security](planning-your-windows-firewall-with-advanced-security-design.md)</li></ul>
<br />
**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)
**Next:** [Protect Devices from Unwanted Network Traffic](protect-devices-from-unwanted-network-traffic.md)

16
windows/access-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
View File

@ -1,6 +1,6 @@
---
title: Implementing Your Windows Firewall with Advanced Security Design Plan (Windows 10)
description: Implementing Your Windows Firewall with Advanced Security Design Plan
title: Implementing Your Windows Defender Firewall with Advanced Security Design Plan (Windows 10)
description: Implementing Your Windows Defender Firewall with Advanced Security Design Plan
ms.assetid: 15f609d5-5e4e-4a71-9eff-493a2e3e40f9
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,15 +9,15 @@ ms.pagetype: security
author: brianlic-msft
---
# Implementing Your Windows Firewall with Advanced Security Design Plan
# Implementing Your Windows Defender Firewall with Advanced Security Design Plan
**Applies to**
- Windows 10
- Windows Server 2016
The following are important factors in the implementation of your Windows Firewall with Advanced Security design plan:
The following are important factors in the implementation of your Windows Defender Firewall design plan:
- **Group Policy**. The Windows Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network.
- **Group Policy**. The Windows Defender Firewall with Advanced Security designs make extensive use of Group Policy deployed by Active Directory Domain Services (AD DS). A sound Group Policy infrastructure is required to successfully deploy the firewall and IPsec settings and rules to the devices on your network.
- **Perimeter firewall**. Most organizations use a perimeter firewall to help protect the devices on the network from potentially malicious network traffic from outside of the organization's network boundaries. If you plan a deployment that includes a boundary zone to enable external devices to connect to devices in that zone, then you must allow that traffic through the perimeter firewall to the devices in the boundary zone.
@ -27,14 +27,14 @@ The following are important factors in the implementation of your Windows Firewa
- Include the device in the authentication exemption list included in your design. You can choose this option if for any reason the device cannot participate in the isolated domain design.
## How to implement your Windows Firewall with Advanced Security design using this guide
## How to implement your Windows Defender Firewall with Advanced Security design using this guide
The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design.
![wfas implementation](images/wfas-implement.gif)
Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Firewall with Advanced Security design.
Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design.
- [Checklist: Implementing a Basic Firewall Policy Design](checklist-implementing-a-basic-firewall-policy-design.md)
@ -44,4 +44,4 @@ Use the following parent checklists in this section of the guide to become famil
- [Checklist: Implementing a Certificate-based Isolation Policy Design](checklist-implementing-a-certificate-based-isolation-policy-design.md)
The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md).
The procedures in these checklists use the Group Policy MMC snap-in interfaces to configure firewall and connection security rules in GPOs, but you can also use Windows PowerShell. For more information, see [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md). This guide recommends using GPOs in a specific way to deploy the rules and settings for your design. For information about deploying your GPOs, see [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md) and the checklist [Checklist: Creating Group Policy Objects](checklist-creating-group-policy-objects.md).

14
windows/access-protection/windows-firewall/isolating-apps-on-your-network.md
View File

@ -14,7 +14,7 @@ author: brianlic-msft
- Windows 10
- Windows Server 2016
When you add new devices to your network, you may want to customize your Windows Firewall configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
When you add new devices to your network, you may want to customize your Windows Defender Firewall with Advanced Security configuration to isolate the network access of the new Windows Store apps that run on them. Developers who build Windows Store apps can declare certain app capabilities that enable different classes of network access. A developer can decide what kind of network access the app requires and configure this capability for the app. When the app is installed on a device, appropriate firewall rules are automatically created to enable access. You can then customize the firewall configuration to further fine-tune this access if they desire more control over the network access for the app.
For example, a developer can decide that their app should only connect to trusted local networks (such as at home or work), and not to the Internet. In this way, developers can define the scope of network access for their app. This network isolation prevents an app from accessing a network and a connection type (inbound or outbound) if the connection has not been configured for the app. Then the network administrator can customize the firewall to further restrict the resources that the app can access.
@ -54,7 +54,7 @@ To isolate Windows Store apps on your network, you need to use Group Policy to d
- Your Windows Store app is installed on the client device.
- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Firewall rules.
- The Remote Server Administration Tools (RSAT) are installed on your client device. When you perform the following steps from your client device, you can select your Windows Store app when you create Windows Defender Firewall rules.
>**Note:**  You can install the RSAT on your device running Windows 10 from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
@ -134,9 +134,9 @@ The following table provides a complete list of the possible app capabilities.
| **Webcam** | webcam| Provides access to the webcam's video feed.|
| **Other devices (represented by GUIDs)** | &lt;GUID&gt;| Includes specialized devices and Windows Portable Devices.|
You can create a Windows Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app.
You can create a Windows Defender Firewall policy that is scoped to a set of apps that use a specified capability or scoped to a specific Windows Store app.
For example, you could create a Windows Firewall policy to block Internet access for any apps on your network that have the Documents Library capability.
For example, you could create a Windows Defender Firewall policy to block Internet access for any apps on your network that have the Documents Library capability.
**To block Internet access for any apps on your network that have the Documents Library capability**
@ -148,7 +148,7 @@ For example, you could create a Windows Firewall policy to block Internet access
4. Right-click the new GPO, and then click **Edit**.
5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and click **Windows Firewall with Advanced Security LDAP://…**
5. In the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall with Advanced Security**, and click **Windows Defender Firewall LDAP://…**
6. Right-click **Outbound Rules**, and then click **New Rule**.
@ -206,7 +206,7 @@ Use the following procedure if you want to block intranet access for a specific
4. Right-click your new GPO, and then click **Edit**.
5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Firewall with Advanced Security**, and then click **Windows Firewall with Advanced Security LDAP://**…
5. From the Group Policy Management Editor, expand **Computer Configuration**, expand **Policies**, expand **Windows Settings**, expand **Security Settings**, expand **Windows Defender Firewall**, and then click **Windows Defender Firewall LDAP://**…
6. Right-click **Outbound Rules**, and then click **New Rule**.
@ -246,4 +246,4 @@ Use the following procedure if you want to block intranet access for a specific
## See also
- [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)
- [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md)

10
windows/access-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall.md
View File

@ -1,6 +1,6 @@
---
title: Open the Group Policy Management Console to Windows Firewall (Windows 10)
description: Open the Group Policy Management Console to Windows Firewall
title: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security (Windows 10)
description: Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
ms.assetid: 5090b2c8-e038-4905-b238-19ecf8227760
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,13 +9,13 @@ ms.pagetype: security
author: brianlic-msft
---
# Open the Group Policy Management Console to Windows Firewall
# Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016
To open a GPO to Windows Firewall
To open a GPO to Windows Defender Firewall:
1. Open the Active Directory Users and Computers console.
@ -23,4 +23,4 @@ To open a GPO to Windows Firewall
3. Click the **Group Policy** tab, select your GPO, and then click **Edit**.
4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Firewall**.
4. In the navigation pane of the Group Policy Object Editor, navigate to **Computer Configuration** > **Administrative Templates** > **Network** > **Network Connections** > **Windows Defender Firewall**.

18
windows/access-protection/windows-firewall/open-windows-firewall-with-advanced-security.md
View File

@ -1,6 +1,6 @@
---
title: Open Windows Firewall with Advanced Security (Windows 10)
description: Open Windows Firewall with Advanced Security
title: Open Windows Defender Firewall with Advanced Security (Windows 10)
description: Open Windows Defender Firewall with Advanced Security
ms.assetid: 788faff2-0f50-4e43-91f2-3e2595c0b6a1
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,29 +9,29 @@ ms.pagetype: security
author: brianlic-msft
---
# Open Windows Firewall with Advanced Security
# Open Windows Defender Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016
This procedure shows you how to open the Windows Firewall with Advanced Security console.
This procedure shows you how to open the Windows Defender Firewall with Advanced Security console.
**Administrative credentials**
To complete this procedure, you must be a member of the Administrators group. For more information, see Additional considerations.
## Opening Windows Firewall with Advanced Security
## Opening Windows Defender Firewall
- [Using the Windows interface](#to-open-windows-firewall-with-advanced-security-using-the-ui)
- [Using a command line](#to-open-windows-firewall-with-advanced-security-from-a-command-prompt)
## To open Windows Firewall with Advanced Security using the UI
## To open Windows Defender Firewall using the UI
Click Start, type **Windows Firewall with Advanced Security**, and the press ENTER.
Click Start, type **Windows Defender Firewall**, and the press ENTER.
## To open Windows Firewall with Advanced Security from a command prompt
## To open Windows Defender Firewall from a command prompt
1. Open a command prompt window.
@ -43,4 +43,4 @@ Click Start, type **Windows Firewall with Advanced Security**, and the press ENT
**Additional considerations**
Although standard users can start the Windows Firewall with Advanced Security MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators.
Although standard users can start the Windows Defender Firewall MMC snap-in, to change most settings the user must be a member of a group with the permissions to modify those settings, such as Administrators.

6
windows/access-protection/windows-firewall/planning-gpo-deployment.md
View File

@ -41,11 +41,11 @@ After you have deployed your GPOs and added some test devices to the groups, con
- Examine the GPOs that are both assigned to and filtered from the device. Run the **gpresult** tool at a command prompt.
- Examine the rules deployed to the device. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes.
- Examine the rules deployed to the device. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, and then expand the **Firewall** and **Connection Security** nodes.
- Verify that communications are authenticated. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**.
- Verify that communications are authenticated. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then click **Main Mode**.
- Verify that communications are encrypted when the devices require it. Open the Windows Firewall with Advanced Security MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column.
- Verify that communications are encrypted when the devices require it. Open the Windows Defender Firewall MMC snap-in, expand the **Monitoring** node, expand the **Security Associations** node, and then select **Quick Mode**. Encrypted connections display a value other than **None** in the **ESP Confidentiality** column.
- Verify that your programs are unaffected. Run them and confirm that they still work as expected.

2
windows/access-protection/windows-firewall/planning-settings-for-a-basic-firewall-policy.md
View File

@ -37,7 +37,7 @@ The following is a list of the firewall settings that you might consider for inc
- **Apply local connection security rules: No**. We recommend that you prevent users from creating and using their own connection security rules. Connection failures caused by conflicting rules can be difficult to troubleshoot.
- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Firewall service account has write permissions.
- **Logging**. We recommend that you enable logging to a file on the local hard disk. Be sure to limit the size, such as 4096 KB, to avoid causing performance problems by filling the user's hard disk. Be sure to specify a folder to which the Windows Defender Firewall with Advanced Security service account has write permissions.
- **Inbound rules**. Create inbound rules for programs that must be able to receive unsolicited inbound network packets from another device on the network. Make the rules as specific as possible to reduce the risk of malicious programs exploiting the rules. For example, specify both program and port numbers. Specifying a program ensures that the rule is only active when the program is actually running, and specifying the port number ensures that the program cannot receive unexpected traffic on a different port.

8
windows/access-protection/windows-firewall/planning-the-gpos.md
View File

@ -31,15 +31,17 @@ A few things to consider as you plan the GPOs:
>**Caution:**  It is **critical** that you begin with all your GPOs set to request authentication instead of requiring it. Since the GPOs are delivered to the devices over time, applying a require policy to one device breaks its ability to communicate with another device that has not yet received its policy. Using request mode at the beginning enables devices to continue communicating by using plaintext connections if required. After you confirm that your devices are using IPsec where expected, you can schedule a conversion of the rules in the GPOs from requesting to requiring authentication, as required by each zone.
- Windows Firewall with Advanced Security in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles.
- Windows Defender Firewall* in Windows Vista and Windows Server 2008 only support one network location profile at a time. If you add a second network adapter that is connected to a different network, or not connected at all, you could unintentionally change the profile that is currently active on the device. If your GPO specifies different firewall and connection security rules based on the current network location profile, the behavior of how the device handles network traffic will change accordingly. We recommend for stationary devices, such as desktops and servers, that you assign any rule for the device to all profiles. Apply GPOs that change rules per network location to devices that must move between networks, such as your portable devices. Consider creating a separate domain isolation GPO for your servers that uses the same settings as the GPO for the clients, except that the server GPO specifies the same rules for all network location profiles.
>**Note:**  Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Firewall then enforces only those rules that apply to that network types profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network.
*Windows Defender Firewall is now called Windows Defender Firewall with Advanced Security in Windows 10.
> [!NOTE]
> Devices running Windows 7, Windows Server 2008 R2, and later support different network location types, and therefore profiles, for each network adapter at the same time. Each network adapter is assigned the network location appropriate for the network to which it is connected. Windows Defender Firewall then enforces only those rules that apply to that network types profile. So certain types of traffic are blocked when coming from a network adapter connected to a public network, but those same types might be permitted when coming from a private or domain network.
After considering these issues, document each GPO that you require, and the details about the connection security and firewall rules that it needs.
## Woodgrove Bank example GPOs
The Woodgrove Bank example uses the following set of GPOs to support its domain isolation requirements. This section only discusses the rules and settings for server and domain isolation. GPO settings that affect which devices receive the GPO, such as security group filtering and WMI filtering, are discussed in the [Planning GPO Deployment](planning-gpo-deployment.md) section.
In this section you can find information about the following:

16
windows/access-protection/windows-firewall/planning-to-deploy-windows-firewall-with-advanced-security.md
View File

@ -1,6 +1,6 @@
---
title: Planning to Deploy Windows Firewall with Advanced Security (Windows 10)
description: Planning to Deploy Windows Firewall with Advanced Security
title: Planning to Deploy Windows Defender Firewall with Advanced Security (Windows 10)
description: Planning to Deploy Windows Defender Firewall with Advanced Security
ms.assetid: 891a30c9-dbf5-4a88-a279-00662b9da48e
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,19 +9,19 @@ ms.pagetype: security
author: brianlic-msft
---
# Planning to Deploy Windows Firewall with Advanced Security
# Planning to Deploy Windows Defender Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016
After you collect information about your environment and decide on a design by following the guidance in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Firewall with Advanced Security in your organization.
After you collect information about your environment and decide on a design by following the guidance in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md), you can begin to plan the deployment of your design. With the completed design and the information in this topic, you can determine which tasks to perform to deploy Windows Defender Firewall with Advanced Security in your organization.
## Reviewing your Windows Firewall with Advanced Security Design
## Reviewing your Windows Defender Firewall with Advanced Security Design
If the design team that created the Windows Firewall with Advanced Security design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points:
If the design team that created the Windows Defender Firewall design for your organization is different from the deployment team that will implement it, make sure that the deployment team reviews the final design with the design team. Review the following points:
- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Firewall with Advanced Security Design Guide:
- The design team's strategy for determining how WMI and security group filters attached to the GPOs will determine which devices apply to which GPO. The deployment team can refer to the following topics in the Windows Defender Firewall with Advanced Security Design Guide:
- [Planning Isolation Groups for the Zones](planning-isolation-groups-for-the-zones.md)
@ -45,4 +45,4 @@ If the design team that created the Windows Firewall with Advanced Security desi
If at least one set of each does not match between two devices, then the devices cannot successfully communicate.
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Firewall with Advanced Security design. For more information, see [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).
After the design and deployment teams agree on these issues, they can proceed with the deployment of the Windows Defender Firewall design. For more information, see [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md).

7
windows/access-protection/windows-firewall/planning-your-windows-firewall-with-advanced-security-design.md
View File

@ -1,6 +1,6 @@
---
title: Planning Your Windows Firewall with Advanced Security Design (Windows 10)
description: Planning Your Windows Firewall with Advanced Security Design
title: Planning Your Windows Defender Firewall with Advanced Security Design (Windows 10)
description: Planning Your Windows Defender Firewall with Advanced Security Design
ms.assetid: f3ac3d49-ef4c-4f3c-a16c-e107284e169f
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,7 +9,7 @@ ms.pagetype: security
author: brianlic-msft
---
# Planning Your Windows Firewall with Advanced Security Design
# Planning Your Windows Defender Firewall with Advanced Security Design
**Applies to**
- Windows 10
@ -76,7 +76,6 @@ When you are ready to examine the options for using certificate-based authentica
## Documenting your design
After you finish selecting the designs that you will use, you must assign each of your devices to the appropriate isolation zone and document the assignment for use by the deployment team.
- [Documenting the Zones](documenting-the-zones.md)

12
windows/access-protection/windows-firewall/procedures-used-in-this-guide.md
View File

@ -35,11 +35,11 @@ The procedures in this section appear in the checklists found earlier in this do
- [Configure the Rules to Require Encryption](configure-the-rules-to-require-encryption.md)
- [Configure the Windows Firewall Log](configure-the-windows-firewall-log.md)
- [Configure the Windows Defender Firewall with Advanced Security Log](configure-the-windows-firewall-log.md)
- [Configure the Workstation Authentication Certificate Template](configure-the-workstation-authentication-certificate-template.md)
- [Configure Windows Firewall to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
- [Configure Windows Defender Firewall with Advanced Security to Suppress Notifications When a Program Is Blocked](configure-windows-firewall-to-suppress-notifications-when-a-program-is-blocked.md)
- [Confirm That Certificates Are Deployed Correctly](confirm-that-certificates-are-deployed-correctly.md)
@ -79,14 +79,12 @@ The procedures in this section appear in the checklists found earlier in this do
- [Open the Group Policy Management Console to IP Security Policies](open-the-group-policy-management-console-to-ip-security-policies.md)
- [Open the Group Policy Management Console to Windows Firewall](open-the-group-policy-management-console-to-windows-firewall.md)
- [Open the Group Policy Management Console to Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall.md)
- [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
- [Open Windows Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
- [Open Windows Defender Firewall with Advanced Security](open-windows-firewall-with-advanced-security.md)
- [Restrict Server Access to Members of a Group Only](restrict-server-access-to-members-of-a-group-only.md)
- [Turn on Windows Firewall and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
- [Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior](turn-on-windows-firewall-and-configure-default-behavior.md)
- [Verify That Network Traffic Is Authenticated](verify-that-network-traffic-is-authenticated.md)

2
windows/access-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
View File

@ -17,7 +17,7 @@ author: brianlic-msft
The use of authentication in the previously described goal ([Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) enables a device in the isolated domain to block traffic from untrusted devices. However, it does not prevent an untrusted device from eavesdropping on the network traffic shared between two trusted devices, because by default network packets are not encrypted.
For devices that share sensitive information over the network, Windows Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it.
For devices that share sensitive information over the network, Windows Defender Firewall with Advanced Security allows you to require that all such network traffic be encrypted. Using encryption can help you comply with regulatory and legislative requirements such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations. By creating connection security rules that apply to devices that host and exchange sensitive data, you can help protect the confidentiality of that data by encrypting it.
The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.

4
windows/access-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
View File

@ -17,7 +17,7 @@ author: brianlic-msft
Domain isolation (as described in the previous goal [Restrict Access to Only Trusted Devices](restrict-access-to-only-trusted-devices.md)) prevents devices that are members of the isolated domain from accepting network traffic from untrusted devices. However, some devices on the network might host sensitive data that must be additionally restricted to only those users and computers that have a business requirement to access the data.
Windows Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)).
Windows Defender Firewall with Advanced Security enables you to restrict access to devices and users that are members of domain groups authorized to access that device. These groups are called *network access groups (NAGs)*. When a device authenticates to a server, the server checks the group membership of the computer account and the user account, and grants access only if membership in the NAG is confirmed. Adding this check creates a virtual "secure zone" within the domain isolation zone. You can have multiple devices in a single secure zone, and it is likely that you will create a separate zone for each set of servers that have specific security access needs. Devices that are part of this server isolation zone are often also part of the encryption zone (see [Require Encryption When Accessing Sensitive Network Resources](require-encryption-when-accessing-sensitive-network-resources.md)).
Restricting access to only users and devices that have a business requirement can help you comply with regulatory and legislative requirements, such as those found in the Federal Information Security Management Act of 2002 (FISMA), the Sarbanes-Oxley Act of 2002, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and other government and industry regulations.
@ -41,4 +41,4 @@ The following components are required for this deployment goal:
- **Active Directory**: Active Directory supports centralized management of connection security rules by configuring the rules in one or more GPOs that can be automatically applied to all relevant devices in the domain.
**Next: **[Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
**Next: **[Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)

4
windows/access-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
View File

@ -17,7 +17,7 @@ author: brianlic-msft
Your organizational network likely has a connection to the Internet. You also likely have partners, vendors, or contractors who attach devices that are not owned by your organization to your network. Because you do not manage those devices, you cannot trust them to be free of malicious software, maintained with the latest security updates, or in any way in compliance with your organization's security policies. These untrustworthy devices both on and outside of your physical network must not be permitted to access your organization's devices except where it is truly required.
To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method.
To mitigate this risk, you must be able to isolate the devices you trust, and restrict their ability to receive unsolicited network traffic from untrusted devices. By using connection security and firewall rules available in Windows Defender Firewall with Advanced Security, you can logically isolate the devices that you trust by requiring that all unsolicited inbound network traffic be authenticated. Authentication ensures that each device or user can positively identify itself by using credentials that are trusted by the other device. Connection security rules can be configured to use IPsec with the Kerberos V5 protocol available in Active Directory, or certificates issued by a trusted certification authority as the authentication method.
>**Note:**  Because the primary authentication method recommended for devices that are running Windows is to use the Kerberos V5 protocol with membership in an Active Directory domain, this guide refers to this logical separation of computers as *domain isolation*, even when certificates are used to extend the protection to devices that are not part of an Active Directory domain.
@ -35,7 +35,7 @@ These goals, which correspond to [Domain Isolation Policy Design](domain-isolati
- Devices in the isolated domain can still send outbound network traffic to untrusted devices and receive the responses to the outbound requests.
For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Firewall with Advanced Security settings for outbound network traffic allow this. No additional rules are required.
For example, Woodgrove Bank wants its users at client devices to be able to access Web sites on the Internet. The default Windows Defender Firewall settings for outbound network traffic allow this. No additional rules are required.
These goals also support optional zones that can be created to add customized protection to meet the needs of subsets of an organization's devices:

2
windows/access-protection/windows-firewall/restrict-server-access-to-members-of-a-group-only.md
View File

@ -27,7 +27,7 @@ To complete these procedures, you must be a member of the Domain Administrators
## To create a firewall rule that grants access to an isolated server
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone.
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md). You must edit the GPO that applies settings to servers in the isolated server zone.
2. In the navigation pane, right-click **Inbound Rules**, and then click **New Rule**.

8
windows/access-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
View File

@ -133,11 +133,11 @@ Make sure that you install the required certificates on the participating comput
Follow these procedures to verify and troubleshoot your IKEv2 IPsec connections:
**Use the Windows Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.**
**Use the Windows Defender Firewall with Advanced Security snap-in to verify that a connection security rule is enabled.**
1. Open the Windows Firewall with Advanced Security console.
1. Open the Windows Defender Firewall with Advanced Security console.
2. In the left pane of the Windows Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule.
2. In the left pane of the Windows Defender Firewall with Advanced Security snap-in, click **Connection Security Rules**, and then verify that there is an enabled connection security rule.
3. Expand **Monitoring**, and then click **Connection Security Rules** to verify that your IKEv2 rule is active for your currently active profile.
@ -177,7 +177,7 @@ You might not find the exact answer for the issue, but you can find good hints.
## See also
- [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
- [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md)
 

2
windows/access-protection/windows-firewall/server-isolation-policy-design.md
View File

@ -45,7 +45,7 @@ For more info about this design:
- To learn more about this design, see [Server Isolation Policy Design Example](server-isolation-policy-design-example.md).
- Before completing the design, gather the information described in [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- Before completing the design, gather the information described in [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md).
- To help you make the decisions required in this design, see [Planning Server Isolation Zones](planning-server-isolation-zones.md) and [Planning Group Policy Deployment for Your Isolation Zones](planning-group-policy-deployment-for-your-isolation-zones.md).

14
windows/access-protection/windows-firewall/turn-on-windows-firewall-and-configure-default-behavior.md
View File

@ -1,6 +1,6 @@
---
title: Turn on Windows Firewall and Configure Default Behavior (Windows 10)
description: Turn on Windows Firewall and Configure Default Behavior
title: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior (Windows 10)
description: Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
ms.assetid: 3c3fe832-ea81-4227-98d7-857a3129db74
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,23 +9,23 @@ ms.pagetype: security
author: brianlic-msft
---
# Turn on Windows Firewall and Configure Default Behavior
# Turn on Windows Defender Firewall with Advanced Security and Configure Default Behavior
**Applies to**
- Windows 10
- Windows Server 2016
To enable Windows Firewall and configure its default behavior, use the Windows Firewall with Advanced Security node in the Group Policy Management console.
To enable Windows Defender Firewall with Advanced Security and configure its default behavior, use the Windows Defender Firewall with Advanced Security node in the Group Policy Management console.
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
## To enable Windows Firewall and configure the default behavior
## To enable Windows Defender Firewall and configure the default behavior
1. [Open the Group Policy Management Console to Windows Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
1. Open the Group Policy Management Console to [Windows Defender Firewall with Advanced Security](open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md).
2. In the details pane, in the **Overview** section, click **Windows Firewall Properties**.
2. In the details pane, in the **Overview** section, click **Windows Defender Firewall Properties**.
3. For each network location type (Domain, Private, Public), perform the following steps.

20
windows/access-protection/windows-firewall/understanding-the-windows-firewall-with-advanced-security-design-process.md
View File

@ -1,6 +1,6 @@
---
title: Understanding the Windows Firewall with Advanced Security Design Process (Windows 10)
description: Understanding the Windows Firewall with Advanced Security Design Process
title: Understanding the Windows Defender Firewall with Advanced Security Design Process (Windows 10)
description: Understanding the Windows Defender Firewall with Advanced Security Design Process
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -8,20 +8,20 @@ ms.pagetype: security
author: brianlic-msft
---
# Understanding the Windows Firewall with Advanced Security Design Process
# Understanding the Windows Defender Firewall with Advanced Security Design Process
Designing any deployment starts by performing several important tasks:
- [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
- [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
- [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
- [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md)
- [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
- [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md)
After you identify your deployment goals and map them to a Windows Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics:
After you identify your deployment goals and map them to a Windows Defender Firewall with Advanced Security design, you can begin documenting the design based on the processes that are described in the following topics:
- [Designing A Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
- [Designing A Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md)
- [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
- [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md)
**Next:** [Identifying Your Windows Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)
**Next:** [Identifying Your Windows Defender Firewall with Advanced Security Design Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md)

7
windows/access-protection/windows-firewall/verify-that-network-traffic-is-authenticated.md
View File

@ -27,15 +27,14 @@ In these procedures, you confirm that the rules you deployed are working correct
>**Note:**  In addition to the steps shown in this procedure, you can also use network traffic capture tools such as Microsoft Network Monitor, which can be downloaded from <https://go.microsoft.com/fwlink/?linkid=94770>. Network Monitor and similar tools allow you to capture, parse, and display the network packets received by the network adapter on your device. Current versions of these tools include full support for IPsec. They can identify encrypted network packets, but they cannot decrypt them.
 
**Administrative credentials**
To complete these procedures, you must be a member of the Domain Administrators group, or otherwise be delegated permissions to modify the GPOs.
## To verify that network connections are authenticated by using the Windows Firewall with Advanced Security console
## To verify that network connections are authenticated by using the Windows Defender Firewall with Advanced Security console
1. Open the Windows Firewall with Advanced Security console.
1. Open the Windows Defender Firewall with Advanced Security
console.
2. In the navigation pane, expand **Monitoring**, and then click **Connection Security Rules**.

62
windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
View File

@ -1,6 +1,6 @@
---
title: Windows Firewall with Advanced Security Administration with Windows PowerShell (Windows 10)
description: Windows Firewall with Advanced Security Administration with Windows PowerShell
title: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell (Windows 10)
description: Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -8,29 +8,29 @@ ms.pagetype: security
author: brianlic-msft
---
# Windows Firewall with Advanced Security Administration with Windows PowerShell
# Windows Defender Firewall with Advanced Security Administration with Windows PowerShell
**Applies to**
- Windows 10
- Windows Server 2016
The Windows Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Firewall with Advanced Security management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Firewall with Advanced Security management in Windows.
The Windows Defender Firewall with Advanced Security Administration with Windows PowerShell Guide provides essential scriptlets for automating Windows Defender Firewall management. It is designed for IT pros, system administrators, IT managers, and others who use and need to automate Windows Defender Firewall management in Windows.
You can use Windows PowerShell to manage your firewall and IPsec deployments. This object-oriented scripting environment will make it easier for you to manage policies and monitor network conditions than was possible in netsh. Windows PowerShell allows network settings to be self-discoverable through the syntax and parameters in each of the cmdlets. This guide demonstrates how common tasks were performed in netsh and how you can use Windows PowerShell to accomplish them.
In future versions of Windows, Microsoft might remove the netsh functionality for Windows Firewall with Advanced Security. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Firewall with Advanced Security.
In future versions of Windows, Microsoft might remove the netsh functionality for Windows Defender Firewall. Microsoft recommends that you transition to Windows PowerShell if you currently use netsh to configure and manage Windows Defender Firewall.
Windows PowerShell and netsh command references are at the following locations.
- [Netsh Commands for Windows Firewall with Advanced Security](http://technet.microsoft.com/library/cc771920)
- [Netsh Commands for Windows Defender Firewall](http://technet.microsoft.com/library/cc771920)
## Scope
This guide does not teach you the fundamentals of Windows Firewall with Advanced Security, which can be found in [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide.
This guide does not teach you the fundamentals of Windows Defender Firewall, which can be found in [Windows Defender Firewall](windows-firewall-with-advanced-security.md). It does not teach the fundamentals of Windows PowerShell, and it assumes that you are familiar with the Windows PowerShell language and the basic concepts of Windows PowerShell. For more info about Windows PowerShell concepts and usage, see the reference topics in the [Additional resources](#additional-resources) section of this guide.
## Audience and user requirements
This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Firewall with Advanced Security, the Windows PowerShell language, and the basic concepts of Windows PowerShell.
This guide is intended for IT pros, system administrators, and IT managers, and it assumes that you are familiar with Windows Defender Firewall, the Windows PowerShell language, and the basic concepts of Windows PowerShell.
## In this topic
@ -45,11 +45,11 @@ This guide is intended for IT pros, system administrators, and IT managers, and
## <a href="" id="bkmk-profileglobaldefaults"></a>Set profile global defaults
Global defaults set the device behavior in a per-profile basis. Windows Firewall with Advanced Security supports Domain, Private, and Public profiles.
Global defaults set the device behavior in a per-profile basis. Windows Defender Firewall supports Domain, Private, and Public profiles.
### Enable Windows Firewall
### Enable Windows Defender Firewall with Advanced Security
Windows Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Firewall. Here is how to do this on a local domain device:
Windows Defender Firewall drops traffic that does not correspond to allowed unsolicited traffic, or traffic that is sent in response to a request by the device. If you find that the rules you create are not being enforced, you may need to enable Windows Defender Firewall. Here is how to do this on a local domain device:
**Netsh**
@ -63,9 +63,9 @@ netsh advfirewall set allprofiles state on
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
```
### Control Windows Firewall behavior
### Control Windows Defender Firewall with Advanced Security behavior
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Firewall with Advanced Security console.
The global default settings can be defined through the command-line interface. These modifications are also available through the Windows Defender Firewall with Advanced Security console.
The following scriptlets set the default inbound and outbound actions, specifies protected network connections, and allows notifications to be displayed to the user when a program is blocked from receiving inbound connections. It allows unicast response to multicast or broadcast network traffic, and it specifies logging settings for troubleshooting.
@ -84,31 +84,31 @@ Windows PowerShell
Set-NetFirewallProfile -DefaultInboundAction Block -DefaultOutboundAction Allow NotifyOnListen True -AllowUnicastResponseToMulticast True LogFileName %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
```
### Disable Windows Firewall
### Disable Windows Defender Firewall with Advanced Security
Microsoft recommends that you do not disable Windows Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
Microsoft recommends that you do not disable Windows Defender Firewall because you lose other benefits provided by the service, such as the ability to use Internet Protocol security (IPsec) connection security rules, network protection from attacks that employ network fingerprinting, [Windows Service Hardening](http://go.microsoft.com/fwlink/?linkid=104976), and [boot time filters](https://blogs.technet.microsoft.com/networking/2009/03/24/stopping-the-windows-authenticating-firewall-service-and-the-boot-time-policy/).
Disabling Windows Firewall with Advanced Security can also cause problems, including:
Disabling Windows Defender Firewall with Advanced Security can also cause problems, including:
- Start menu can stop working
- Modern applications can fail to install or update
- Activation of Windows via phone fails
- Application or OS incompatibilities that depend on Windows Firewall
- Application or OS incompatibilities that depend on Windows Defender Firewall
Microsoft recommends disabling Windows Firewall with Advanced Security only when installing a third-party firewall, and resetting Windows Firewall back to defaults when the third-party software is disabled or removed.
Microsoft recommends disabling Windows Defender Firewall only when installing a third-party firewall, and resetting Windows Defender Firewall back to defaults when the third-party software is disabled or removed.
If disabling Windows Firewall with Advanced Security is required, do not disable it by stopping the Windows Firewall service (in the **Services** snap-in, the display name is Windows Firewall and the service name is MpsSvc).
Stopping the Windows Firewall service is not supported by Microsoft.
If disabling Windows Defender Firewall is required, do not disable it by stopping the Windows Defender Firewall service (in the **Services** snap-in, the display name is Windows Defender Firewall and the service name is MpsSvc).
Stopping the Windows Defender Firewall service is not supported by Microsoft.
Non-Microsoft firewall software can programmatically disable only the parts of Windows Firewall with Advanced Security that need to be disabled for compatibility.
Non-Microsoft firewall software can programmatically disable only the parts of Windows Defender Firewall that need to be disabled for compatibility.
You should not disable the firewall yourself for this purpose.
The proper method to disable the Windows Firewall is to disable the Windows Firewall Profiles and leave the service running.
The proper method to disable the Windows Defender Firewall is to disable the Windows Defender Firewall Profiles and leave the service running.
Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Firewall|Domain Prolfile|Windows Firewall:Protect all network connections**.
For more information, see [Windows firewall with advanced security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
Use the following procedure to turn the firewall off, or disable the Group Policy setting **Computer Configuration|Administrative Templates|Network|Network Connections|Windows Defender Firewall|Domain Prolfile|Windows Defender Firewall:Protect all network connections**.
For more information, see [Windows Defender Firewall with Advanced Security deployment guide](windows-firewall-with-advanced-security-deployment-guide.md).
The following example disables Windows Firewall with Advanced Security for all profiles.
The following example disables Windows Defender Firewall for all profiles.
```powershell
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False
@ -237,13 +237,13 @@ The following scriptlet enables all rules in a predefined group containing remot
**Netsh**
``` syntax
netsh advfirewall firewall set rule group="windows firewall remote management" new enable=yes
netsh advfirewall firewall set rule group="Windows Defender Firewall remote management" new enable=yes
```
Windows PowerShell
``` syntax
Set-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” Enabled True
Set-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” Enabled True
```
There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by group or by other properties of the rule.
@ -251,7 +251,7 @@ There is also a separate `Enable-NetFirewallRule` cmdlet for enabling rules by g
Windows PowerShell
``` syntax
Enable-NetFirewallRule -DisplayGroup “Windows Firewall Remote Management” -Verbose
Enable-NetFirewallRule -DisplayGroup “Windows Defender Firewall Remote Management” -Verbose
```
### Delete a firewall rule
@ -315,7 +315,7 @@ Remove-NetFirewallRule DisplayName “AllowWeb80” CimSession $RemoteSess
An Internet Protocol security (IPsec) policy consists of rules that determine IPsec behavior. IPsec supports network-level peer authentication, data origin authentication, data integrity, data confidentiality (encryption), and replay protection.
Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
Windows PowerShell can create powerful, complex IPsec policies like in Netsh and the Windows Defender Firewall with Advanced Security console. However, because Windows PowerShell is object-based rather than string token-based, configuration in Windows PowerShell offers greater control and flexibility.
In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples.
@ -524,7 +524,7 @@ New-NetIPSecRule -DisplayName “Tunnel from HQ to Dallas Branch” -Mode Tunnel
## Deploy secure firewall rules with IPsec
In situations where only secure traffic can be allowed through the Windows Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment.
In situations where only secure traffic can be allowed through the Windows Defender Firewall, a combination of manually configured firewall and IPsec rules are necessary. The firewall rules determine the level of security for allowed packets, and the underlying IPsec rules secure the traffic. The scenarios can be accomplished in Windows PowerShell and in Netsh, with many similarities in deployment.
### Create a secure firewall rule (allow if secure)
@ -579,7 +579,7 @@ The following firewall rule allows Telnet traffic from user accounts that are me
A Security Descriptor Definition Language (SDDL) string is created by extending a user or groups security identifier (SID). For more information about finding a groups SID, see: [Finding the SID for a group account](http://technet.microsoft.com/library/cc753463(WS.10).aspx#bkmk_FINDSID).
Restricting access to a group allows administrations to extend strong authentication support through Windows Firewall/and or IPsec policies.
Restricting access to a group allows administrations to extend strong authentication support through Windows Defender Firewall and/or IPsec policies.
The following example shows you how to create an SDDL string that represents security groups.

30
windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-deployment-guide.md
View File

@ -1,6 +1,6 @@
---
title: Windows Firewall with Advanced Security Deployment Guide (Windows 10)
description: Windows Firewall with Advanced Security Deployment Guide
title: Windows Defender Firewall with Advanced Security Deployment Guide (Windows 10)
description: Windows Defender Firewall with Advanced Security Deployment Guide
ms.assetid: 56b51b97-1c38-481e-bbda-540f1216ad56
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,25 +9,25 @@ ms.pagetype: security
author: brianlic-msft
---
# Windows Firewall with Advanced Security Deployment Guide
# Windows Defender Firewall with Advanced Security Deployment Guide
**Applies to**
- Windows 10
- Windows Server 2016
You can use the Windows Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
You can use the Windows Defender Firewall with Advanced Security MMC snap-in with devices running at least Windows Vista or Windows Server 2008 to help protect the devices and the data that they share across a network.
You can use Windows Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device.
You can use Windows Defender Firewall to control access to the device from the network. You can create rules that allow or block network traffic in either direction based on your business requirements. You can also create IPsec connection security rules to help protect your data as it travels across the network from device to device.
## About this guide
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected.
This guide is intended for use by system administrators and system engineers. It provides detailed guidance for deploying a Windows Defender Firewall with Advanced Security design that you or an infrastructure specialist or system architect in your organization has selected.
Begin by reviewing the information in [Planning to Deploy Windows Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md).
Begin by reviewing the information in [Planning to Deploy Windows Defender Firewall with Advanced Security](planning-to-deploy-windows-firewall-with-advanced-security.md).
If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization.
If you have not yet selected a design, we recommend that you wait to follow the instructions in this guide until after you have reviewed the design options in the [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) and selected the one most appropriate for your organization.
After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide:
After you select your design and gather the required information about the zones (isolation, boundary, and encryption), operating systems to support, and other details, you can then use this guide to deploy your Windows Defender Firewall with Advanced Security design in your production environment. This guide provides steps for deploying any of the following primary designs that are described in the Design Guide:
- [Basic Firewall Policy Design](basic-firewall-policy-design.md)
@ -37,7 +37,7 @@ After you select your design and gather the required information about the zones
- [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md)
Use the checklists in [Implementing Your Windows Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design.
Use the checklists in [Implementing Your Windows Defender Firewall with Advanced Security Design Plan](implementing-your-windows-firewall-with-advanced-security-design-plan.md) to determine how best to use the instructions in this guide to deploy your particular design.
>**Caution:**  We recommend that you use the techniques documented in this guide only for GPOs that must be deployed to the majority of the devices in your organization, and only when the OU hierarchy in your Active Directory domain does not match the deployment needs of these GPOs. These characteristics are typical of GPOs for server and domain isolation scenarios, but are not typical of most other GPOs. When the OU hierarchy supports it, deploy a GPO by linking it to the lowest level OU that contains all of the accounts to which the GPO applies.
@ -47,16 +47,16 @@ In a large enterprise environment with hundreds or thousands of GPOs, using this
This guide does not provide:
- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Firewall with Advanced Security Design Guide.
- Guidance for creating firewall rules for specific network applications. For this information, see [Planning Settings for a Basic Firewall Policy](planning-settings-for-a-basic-firewall-policy.md) in the Windows Defender Firewall with Advanced Security Design Guide.
- Guidance for setting up Active Directory Domain Services (AD DS) to support Group Policy.
- Guidance for setting up certification authorities (CAs) to create certificates for certificate-based authentication.
## Overview of Windows Firewall with Advanced Security
## Overview of Windows Defender Firewall with Advanced Security
Windows Firewall with Advanced Security in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Firewall with Advanced Security also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
Windows Defender Firewall in Windows 8, Windows 7, Windows Vista, Windows Server 2012, Windows Server 2008, and Windows Server 2008 R2 is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot be authenticated as a trusted device cannot communicate with your device. You can also use IPsec to require that certain network traffic is encrypted to prevent it from being read by network packet analyzers that could be attached to the network by a malicious user.
The Windows Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
The Windows Defender Firewall with Advanced Security MMC snap-in is more flexible and provides much more functionality than the consumer-friendly Windows Defender Firewall interface found in the Control Panel. Both interfaces interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel program can protect a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
For more information about Windows Firewall with Advanced Security, see [Windows Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md).
For more information about Windows Defender Firewall with Advanced Security, see [Windows Defender Firewall with Advanced Security Overview](windows-firewall-with-advanced-security.md).

49
windows/access-protection/windows-firewall/windows-firewall-with-advanced-security-design-guide.md
View File

@ -1,6 +1,7 @@
---
title: Windows Firewall with Advanced Security Design Guide (Windows 10)
description: Windows Firewall with Advanced Security Design Guide
title: Windows Defender Firewall with Advanced Security Design Guide (Windows 10)
description: Windows Defender Firewall with Advanced Security
Design Guide
ms.assetid: 5c631389-f232-4b95-9e48-ec02b8677d51
ms.prod: w10
ms.mktglfcycl: deploy
@ -9,29 +10,30 @@ ms.pagetype: security
author: brianlic-msft
---
# Windows Firewall with Advanced Security Design Guide
# Windows Defender Firewall with Advanced Security
Design Guide
**Applies to**
- Windows 10
- Windows Server 2016
Windows Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Firewall with Advanced Security supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
Windows Defender Firewall with Advanced Security is a host firewall that helps secure the device in two ways. First, it can filter the network traffic permitted to enter the device from the network, and also control what network traffic the device is allowed to send to the network. Second, Windows Defender Firewall supports IPsec, which enables you to require authentication from any device that is attempting to communicate with your device. When authentication is required, devices that cannot authenticate cannot communicate with your device. By using IPsec, you can also require that specific network traffic be encrypted to prevent it from being read or intercepted while in transit between devices.
The interface for Windows Firewall with Advanced Security is much more capable and flexible than the consumer-friendly interface found in the Windows Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
The interface for Windows Defender Firewall is much more capable and flexible than the consumer-friendly interface found in the Windows Defender Firewall Control Panel. They both interact with the same underlying services, but provide different levels of control over those services. While the Windows Defender Firewall Control Panel meets the needs for protecting a single device in a home environment, it does not provide enough centralized management or security features to help secure more complex network traffic found in a typical business enterprise environment.
For more overview information about Windows Firewall with Advanced Security and see [Windows Firewall with Advanced Security](windows-firewall-with-advanced-security.md).
For more overview information, see [Windows Defender Firewall with Advanced Security](windows-firewall-with-advanced-security.md).
## About this guide
This guide provides recommendations to help you to choose or create a design for deploying Windows Firewall with Advanced Security in your enterprise environment. The guide describes some of the common goals for using Windows Firewall with Advanced Security, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide.
This guide provides recommendations to help you to choose or create a design for deploying Windows Defender Firewall in your enterprise environment. The guide describes some of the common goals for using Windows Defender Firewall, and then helps you map the goals that apply to your scenario to the designs that are presented in this guide.
This guide is intended for the IT professional who has been assigned the task of deploying firewall and IPsec technologies on an organization's network to help meet the organization's security goals.
Windows Firewall with Advanced Security should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules.
Windows Defender Firewall should be part of a comprehensive security solution that implements a variety of security technologies, such as perimeter firewalls, intrusion detection systems, virtual private networking (VPN), IEEE 802.1X authentication for wireless and wired connections, and IPsec connection security rules.
To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Firewall with Advanced Security, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory.
To successfully use this guide, you need a good understanding of both the capabilities provided by Windows Defender Firewall, and how to deliver configuration settings to your managed devices by using Group Policy in Active Directory.
You can use the deployment goals to form one of these Windows Firewall with Advanced Security designs, or a custom design that combines elements from those presented here:
You can use the deployment goals to form one of these Windows Defender Firewall with Advanced Security designs, or a custom design that combines elements from those presented here:
- **Basic firewall policy design**. Restricts network traffic in and out of your devices to only that which is needed and authorized.
@ -45,9 +47,10 @@ You can use the deployment goals to form one of these Windows Firewall with Adva
- **Certificate-based isolation policy design**. This design is a complement to either of the previous two designs, and supports any of their capabilities. It uses cryptographic certificates that are deployed to clients and servers for authentication, instead of the Kerberos V5 authentication used by default in Active Directory. This enables devices that are not part of an Active Directory domain, such as devices running operating systems other than Windows, to participate in your isolation solution.
In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Firewall with Advanced Security using the guidance in the Windows Firewall with Advanced Security Deployment Guide.
In addition to descriptions and example for each design, you will find guidelines for gathering required data about your environment. You can then use these guidelines to plan and design your Windows Defender Firewall with Advanced Security deployment. After you read this guide, and finish gathering, documenting, and mapping your organization's requirements, you have the information that you need to begin deploying Windows Defender Firewall using the guidance in the Windows Defender Firewall with Advanced Security Deployment Guide.
You can find the Windows Firewall with Advanced Security Deployment Guide at these locations:
You can find the Windows Defender Firewal with Advanced Security
Deployment Guide at these locations:
- (Web page)
@ -57,12 +60,12 @@ You can find the Windows Firewall with Advanced Security Deployment Guide at the
| Topic | Description
| - | - |
| [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Firewall with Advanced Security design process. |
| [Identifying Your Windows Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Firewall with Advanced Security deployment goals. |
| [Mapping Your Deployment Goals to a Windows Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Firewall with Advanced Security design. |
| [Evaluating Windows Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Firewall with Advanced Security to improve the security of the computers connected to the network. |
| [Designing a Windows Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. |
| [Planning Your Windows Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. |
| [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md) | Learn how to get started with the Windows Defender Firewall with Advanced Security design process. |
| [Identifying Your Windows Defender Firewall with Advanced Security Deployment Goals](identifying-your-windows-firewall-with-advanced-security-deployment-goals.md) | Learn how to identify your Windows Defender Firewall with Advanced Security deployment goals. |
| [Mapping Your Deployment Goals to a Windows Defender Firewall with Advanced Security Design](mapping-your-deployment-goals-to-a-windows-firewall-with-advanced-security-design.md) | After you finish reviewing the existing Windows Defender Firewall with Advanced Security deployment goals and you determine which goals are important to your specific deployment, you can map those goals to a specific Windows Defender Firewall with Advanced Security design. |
| [Evaluating Windows Defender Firewall with Advanced Security Design Examples](evaluating-windows-firewall-with-advanced-security-design-examples.md) | Learn how to use Windows Defender Firewall to improve the security of the computers connected to the network. |
| [Designing a Windows Defender Firewall with Advanced Security Strategy](designing-a-windows-firewall-with-advanced-security-strategy.md) | To select the most effective design for helping to protect the network, you must spend time collecting key information about your current computer environment. |
| [Planning Your Windows Defender Firewall with Advanced Security Design](planning-your-windows-firewall-with-advanced-security-design.md) | After you have gathered the relevant information in the previous sections, and understand the basics of the designs as described earlier in this guide, you can select the design (or combination of designs) that meet your needs. |
| [Appendix A: Sample GPO Template Files for Settings Used in this Guide](appendix-a-sample-gpo-template-files-for-settings-used-in-this-guide.md) | You can import an XML file containing customized registry preferences into a Group Policy Object (GPO) by using the Preferences feature of the Group Policy Management Console (GPMC). |
## Terminology used in this guide
@ -74,20 +77,20 @@ The following table identifies and defines terms used throughout this guide.
| Active Directory domain | A group of devices and users managed by an administrator by using Active Directory Domain Services (AD DS). Devices in a domain share a common directory database and security policies. Multiple domains can co-exist in a &quot;forest,&quot; with trust relationships that establish the forest as the security boundary. |
| Authentication | A process that enables the sender of a message to prove its identity to the receiver. For connection security in Windows, authentication is implemented by the IPsec protocol suite.|
| Boundary zone | A subset of the devices in an isolated domain that must be able to receive unsolicited and non-authenticated network traffic from devices that are not members of the isolated domain. Devices in the boundary zone request but do not require authentication. They use IPsec to communicate with other devices in the isolated domain.|
| Connection security rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.|
| Connection security rule | A rule in Windows Defender Firewall that contains a set of conditions and an action to be applied to network packets that match the conditions. The action can allow the packet, block the packet, or require the packet to be protected by IPsec. In previous versions of Windows, this was called an *IPsec rule*.|
| Certificate-based isolation | A way to add devices that cannot use Kerberos V5 authentication to an isolated domain, by using an alternate authentication technique. Every device in the isolated domain and the devices that cannot use Kerberos V5 are provided with a device certificate that can be used to authenticate with each other. Certificate-based isolation requires a way to create and distribute an appropriate certificate (if you choose not to purchase one from a commercial certificate provider).|
| Domain isolation | A technique for helping protect the devices in an organization by requiring that the devices authenticate each other's identity before exchanging information, and refusing connection requests from devices that cannot authenticate. Domain isolation takes advantage of Active Directory domain membership and the Kerberos V5 authentication protocol available to all members of the domain. Also see &quot;Isolated domain&quot; in this table.|
| Encryption zone | A subset of the devices in an isolated domain that process sensitive data. Devices that are part of the encryption zone have all network traffic encrypted to prevent viewing by non-authorized users. Devices that are part of the encryption zone also typically are subject to the access control restrictions of server isolation.|
| Firewall rule | A rule in Windows Firewall with Advanced Security that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.<br/>By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Firewall rule | A rule in Windows Defender Firewall that contains a set of conditions used to determine whether a network packet is allowed to pass through the firewall.<br/>By default, the firewall rules in Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, Windows 8, Windows 7, and Windows Vista block unsolicited inbound network traffic. Likewise, by default, all outbound network traffic is allowed. The firewall included in previous versions of Windows only filtered inbound network traffic. |
| Internet Protocol security (IPsec) | A set of industry-standard, cryptography-based protection services and protocols. IPsec protects all protocols in the TCP/IP protocol suite except Address Resolution Protocol (ARP).|
| IPsec policy | A collection of connection security rules that provide the required protection to network traffic entering and leaving the device. The protection includes authentication of both the sending and receiving device, integrity protection of the network traffic exchanged between them, and can include encryption.|
| Isolated domain | An Active Directory domain (or an Active Directory forest, or set of domains with two-way trust relationships) that has Group Policy settings applied to help protect its member devices by using IPsec connection security rules. Members of the isolated domain require authentication on all unsolicited inbound connections (with exceptions handled by the other zones).<br/>In this guide, the term *isolated domain* refers to the IPsec concept of a group of devices that can share authentication. The term *Active Directory domain* refers to the group of devices that share a security database by using Active Directory.|
| Server isolation | A technique for using group membership to restrict access to a server that is typically already a member of an isolated domain. The additional protection comes from using the authentication credentials of the requesting device to determine its group membership, and then only allowing access if the computer account (and optionally the user account) is a member of an authorized group.|
| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Firewall with Advanced Security allows all solicited network traffic through.|
| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Firewall with Advanced Security blocks all unsolicited network traffic. |
| Solicited network traffic | Network traffic that is sent in response to a request. By default, Windows Defender Firewall allows all solicited network traffic through.|
| Unsolicited network traffic | Network traffic that is not a response to an earlier request, and that the receiving device cannot necessarily anticipate. By default, Windows Defender Firewall blocks all unsolicited network traffic. |
| Zone | A zone is a logical grouping of devices that share common IPsec policies because of their communications requirements. For example, the boundary zone permits inbound connections from non-trusted devices. The encryption zone requires that all connections be encrypted.<br/>This is not related to the term zone as used by Domain Name System (DNS). |
**Next:** [Understanding the Windows Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
**Next:** [Understanding the Windows Defender Firewall with Advanced Security Design Process](understanding-the-windows-firewall-with-advanced-security-design-process.md)
 

27
windows/access-protection/windows-firewall/windows-firewall-with-advanced-security.md
View File

@ -1,6 +1,6 @@
---
title: Windows Firewall with Advanced Security (Windows 10)
description: Windows Firewall with Advanced Security
title: Windows Defender Firewall with Advanced Security (Windows 10)
description: Windows Defender Firewall with Advanced Security
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@ -8,35 +8,36 @@ ms.pagetype: security
author: brianlic-msft
---
# Windows Firewall with Advanced Security
# Windows Defender Firewall with Advanced Security
**Applies to**
- Windows 10
- Windows Server 2016
This is an overview of the Windows Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
This is an overview of the Windows Defender Firewall with Advanced Security (WFAS) and Internet Protocol security (IPsec) features.
## Feature description
Windows Firewall with Advanced Security is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Firewall with Advanced Security blocks unauthorized network traffic flowing into or out of the local device. Windows Firewall with Advanced Security also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Firewall with Advanced Security, so Windows Firewall is also an important part of your networks isolation strategy.
Windows Defender Firewall with Advanced Security
is an important part of a layered security model. By providing host-based, two-way network traffic filtering for a device, Windows Defender Firewall blocks unauthorized network traffic flowing into or out of the local device. Windows Defender Firewall also works with Network Awareness so that it can apply security settings appropriate to the types of networks to which the device is connected. Windows Defender Firewall and Internet Protocol Security (IPsec) configuration settings are integrated into a single Microsoft Management Console (MMC) named Windows Defender Firewall, so Windows Defender Firewall is also an important part of your networks isolation strategy.
## Practical applications
To help address your organizational network security challenges, Windows Firewall with Advanced Security offers the following benefits:
To help address your organizational network security challenges, Windows Defender Firewall offers the following benefits:
- **Reduces the risk of network security threats.**  Windows Firewall with Advanced Security reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
- **Reduces the risk of network security threats.**  Windows Defender Firewall reduces the attack surface of a device, providing an additional layer to the defense-in-depth model. Reducing the attack surface of a device increases manageability and decreases the likelihood of a successful attack.
- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Firewall with Advanced Security provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
- **Safeguards sensitive data and intellectual property.**  With its integration with IPsec, Windows Defender Firewall provides a simple way to enforce authenticated, end-to-end network communications. It provides scalable, tiered access to trusted network resources, helping to enforce integrity of the data, and optionally helping to protect the confidentiality of the data.
- **Extends the value of existing investments.**  Because Windows Firewall with Advanced Security is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Firewall with Advanced Security is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
- **Extends the value of existing investments.**  Because Windows Defender Firewall is a host-based firewall that is included with the operating system, there is no additional hardware or software required. Windows Defender Firewall is also designed to complement existing non-Microsoft network security solutions through a documented application programming interface (API).
## In this section
| Topic | Description
| - | - |
| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Firewall configuration to isolate the network access of Windows Store apps that run on devices. |
| [Isolating Windows Store Apps on Your Network](isolating-apps-on-your-network.md) | You can customize your Windows Defender Firewall configuration to isolate the network access of Windows Store apps that run on devices. |
| [Securing End-to-End IPsec Connections by Using IKEv2 in Windows Server 2012](securing-end-to-end-ipsec-connections-by-using-ikev2.md) | You can use IKEv2 to help secure your end-to-end IPSec connections. |
| [Windows Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Firewall. |
| [Windows Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Firewall with Advanced Security. |
| [Windows Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Firewall with Advanced Security. |
| [Windows Defender Firewall with Advanced Security Administration with Windows PowerShell](windows-firewall-with-advanced-security-administration-with-windows-powershell.md) | Learn more about using Windows PowerShell to manage the Windows Defender Firewall. |
| [Windows Defender Firewall with Advanced Security Design Guide](windows-firewall-with-advanced-security-design-guide.md) | Learn how to create a design for deploying Windows Defender Firewall with Advanced Security. |
| [Windows Defender Firewall with Advanced Security Deployment Guide](windows-firewall-with-advanced-security-deployment-guide.md) | Learn how to deploy Windows Defender Firewall with Advanced Security. |

12
windows/client-management/mdm/devdetail-csp.md
View File

@ -150,32 +150,32 @@ The following diagram shows the DevDetail configuration service provider managem
> [!NOTE]
> This is not supported in Windows 10 for desktop editions.
<a href="" id="volteservicesetting"></a>**VoLTEServiceSetting**
<a href="" id="volteservicesetting"></a>**Ext/VoLTEServiceSetting**
<p style="margin-left: 20px">Returns the VoLTE service to on or off. This is only exposed to mobile operator OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv4address"></a>**WlanIPv4Address**
<a href="" id="wlanipv4address"></a>**Ext/WlanIPv4Address**
<p style="margin-left: 20px">Returns the IPv4 address of the active Wi-Fi connection. This is only exposed to enterprise OMA DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlanipv6address"></a>**WlanIPv6Address**
<a href="" id="wlanipv6address"></a>**Ext/WlanIPv6Address**
<p style="margin-left: 20px">Returns the IPv6 address of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlandnssuffix"></a>**WlanDnsSuffix**
<a href="" id="wlandnssuffix"></a>**Ext/WlanDnsSuffix**
<p style="margin-left: 20px">Returns the DNS suffix of the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="wlansubnetmask"></a>**WlanSubnetMask**
<a href="" id="wlansubnetmask"></a>**Ext/WlanSubnetMask**
<p style="margin-left: 20px">Returns the subnet mask for the active Wi-Fi connection. This is only exposed to enterprise OMA-DM servers.
<p style="margin-left: 20px">Supported operation is Get.
<a href="" id="devicehardwaredata"></a>**DeviceHardwareData**
<a href="" id="devicehardwaredata"></a>**Ext/DeviceHardwareData**
<p style="margin-left: 20px">Added in Windows 10 version 1703. Returns a base64-encoded string of the hardware parameters of a device.
> [!Note]

2
windows/client-management/mdm/device-update-management.md
View File

@ -54,7 +54,7 @@ This section describes how this is done. The following diagram shows the server-
MSDN provides much information about the Server-Server sync protocol. In particular:
- It is a SOAP-based protocol, and you can get the WSDL in [Server Sync Web Service](http://go.microsoft.com/fwlink/p/?LinkId=526727). The WSDL can be used to generate calling proxies for many programming environments, which will simplify your development.
- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https:<span></span>//fe2.update.microsoft.com/v6/ServerSyncWebService/serversyncwebservice.asmx.
- You can find code samples in [Protocol Examples](http://go.microsoft.com/fwlink/p/?LinkId=526720). The sample code shows raw SOAP commands, which can be used. Although its even simpler to make the call from a programming language like .NET (calling the WSDL-generated proxies). The stub generated by the Server Sync WSDL from the MSDN link above generates an incorrect binding URL. The binding URL should be set to https://sws.update.microsoft.com/ServerSyncWebService/serversyncwebservice.asmx.
Some important highlights:

161
windows/client-management/mdm/firewall-csp.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/18/2017
---
# Firewall CSP
@ -33,35 +33,45 @@ The following diagram shows the Firewall configuration service provider in tree
<a href="" id="global"></a>**MdmStore/Global**
<p style="margin-left: 20px">Interior node.</p>
<p style="margin-left: 20px">Supported operations are Get and Replace. </p>
<p style="margin-left: 20px">Supported operations are Get. </p>
<a href="" id="policyversionsupported"></a>**MdmStore/Global/PolicyVersionSupported**
<p style="margin-left: 20px">DWORD value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
<p style="margin-left: 20px">Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</p>
<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
<a href="" id="currentprofiles"></a>**MdmStore/Global/CurrentProfiles**
<p style="margin-left: 20px">DWORD value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</p>
<p style="margin-left: 20px">Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</p>
<p style="margin-left: 20px">Value type in integer. Supported operation is Get.</p>
<a href="" id="disablestatefulftp"></a>**MdmStore/Global/DisableStatefulFtp**
<p style="margin-left: 20px">This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace. </p>
<p style="margin-left: 20px">Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Data type is bool. Supported operations are Add, Get, Replace, and Delete. </p>
<a href="" id="saidletime"></a>**MdmStore/Global/SaIdleTime**
<p style="margin-left: 20px">This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.<</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Default value is 300.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/TPresharedKeyEncodingBD**
<p style="margin-left: 20px">Specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="presharedkeyencoding"></a>**MdmStore/Global/PresharedKeyEncoding**
<p style="margin-left: 20px">Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the [PRESHARED_KEY_ENCODING_VALUES enumeration](https://msdn.microsoft.com/en-us/library/cc231525.aspx). The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Default value is 1.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="ipsecexempt"></a>**MdmStore/Global/IPsecExempt**
<p style="margin-left: 20px">This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in [IPSEC_EXEMPT_VALUES](https://msdn.microsoft.com/en-us/library/cc231523.aspx); therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Default value is 0.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="crlcheck"></a>**MdmStore/Global/CRLcheck**
<p style="margin-left: 20px">This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:</p>
<ul>
<li>0 disables CRL checking</li>
<li>1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail.</li>
<li>2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing</li>
</ul>
<p style="margin-left: 20px">Default value is 0.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="policyversion"></a>**MdmStore/Global/PolicyVersion**
<p style="margin-left: 20px">This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.</p>
@ -72,12 +82,20 @@ The following diagram shows the Firewall configuration service provider in tree
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="opportunisticallymatchauthsetperkm"></a>**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="enablepacketqueue"></a>**MdmStore/Global/EnablePacketQueue**
<p style="margin-left: 20px">This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:</p>
<ul>
<li>0x00 indicates that all queuing is to be disabled</li>
<li>0x01 specifies that inbound encrypted packets are to be queued</li>
<li>0x02 specifies that packets are to be queued after decryption is performed for forwarding</li>
</ul>
<p style="margin-left: 20px">Default value is 0.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="domainprofile"></a>**MdmStore/DomainProfile**
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
@ -89,58 +107,79 @@ The following diagram shows the Firewall configuration service provider in tree
<p style="margin-left: 20px">Interior node. Supported operation is Get.</p>
<a href="" id="enablefirewall"></a>**/EnableFirewall**
<p style="margin-left: 20px">This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="disablestealthmode"></a>**/DisableStealthMode**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="shielded"></a>**/Shielded**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Get and Replace.</p>
<a href="" id="disableunicastresponsestomulticastbroadcast"></a>**/DisableUnicastResponsesToMulticastBroadcast**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="disableinboundnotifications"></a>**/DisableInboundNotifications**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is false.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="authappsallowuserprefmerge"></a>**/AuthAppsAllowUserPrefMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="globalportsallowuserprefmerge"></a>**/GlobalPortsAllowUserPrefMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="allowlocalpolicymerge"></a>**/AllowLocalPolicyMerge**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="allowlocalipsecpolicymerge"></a>**/AllowLocalIpsecPolicyMerge**
<p style="margin-left: 20px">This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="defaultoutboundaction"></a>**/DefaultOutboundAction**
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
</ul>
<p style="margin-left: 20px">Default value is 0 (allow).</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get and Replace.</p>
<a href="" id="defaultinboundaction"></a>**/DefaultInboundAction**
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</p>
<ul>
<li>0x00000000 - allow</li>
<li>0x00000001 - block</li>
</ul>
<p style="margin-left: 20px">Default value is 1 (block).</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get and Replace.</p>
<a href="" id="disablestealthmodeipsecsecuredpacketexemption"></a>**/DisableStealthModeIpsecSecuredPacketExemption**
<p style="margin-left: 20px">This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<p style="margin-left: 20px">Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</p>
<p style="margin-left: 20px">Default value is true.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get and Replace.</p>
<a href="" id="firewallrules"></a>**FirewallRules**
<p style="margin-left: 20px">A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.</p>
<a href="" id="firewallrulename"></a>**FirewallRules/_FirewallRuleName_**
<p style="margin-left: 20px">Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</p>
<p style="margin-left: 20px">Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="app"></a>**FirewallRules/_FirewallRuleName_/App**
<p style="margin-left: 20px">Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:</p>
@ -150,6 +189,7 @@ The following diagram shows the Firewall configuration service provider in tree
<li>FQBN</li>
<li>ServiceName</li>
</ul>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Supported operation is Get.</p>
<a href="" id="packagefamilyname"></a>**FirewallRules/_FirewallRuleName_/App/PackageFamilyName**
@ -170,14 +210,17 @@ The following diagram shows the Firewall configuration service provider in tree
<a href="" id="protocol"></a>**FirewallRules/_FirewallRuleName_/Protocol**
<p style="margin-left: 20px">0-255 number representing the ip protocol (TCP = 6, UDP = 17)</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localportranges"></a>**FirewallRules/_FirewallRuleName_/LocalPortRanges**
<p style="margin-left: 20px">Comma separated list of ranges. For example, 100-120,200,300-320.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="remoteportranges"></a>**FirewallRules/_FirewallRuleName_/RemotePortRanges**
<p style="margin-left: 20px">Comma separated list of ranges, For example, 100-120,200,300-320.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localaddressranges"></a>**FirewallRules/_FirewallRuleName_/LocalAddressRanges**
@ -189,6 +232,7 @@ The following diagram shows the Firewall configuration service provider in tree
<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
</ul>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="remoteaddressranges"></a>**FirewallRules/_FirewallRuleName_/RemoteAddressRanges**
@ -209,6 +253,7 @@ The following diagram shows the Firewall configuration service provider in tree
<li>An IPv4 address range in the format of "start address - end address" with no spaces included.</li>
<li>An IPv6 address range in the format of "start address - end address" with no spaces included.</li>
</ul>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="description"></a>**FirewallRules/_FirewallRuleName_/Description**
@ -217,13 +262,13 @@ The following diagram shows the Firewall configuration service provider in tree
<a href="" id="enabled"></a>**FirewallRules/_FirewallRuleName_/Enabled**
<p style="margin-left: 20px">Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true.
If not specified - a new rule is disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">If not specified - a new rule is disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Get and Replace.</p>
<a href="" id="profiles"></a>**FirewallRules_FirewallRuleName_/Profiles**
<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">Specifies the profiles to which the rule belongs: Domain, Private, Public. . See [FW_PROFILE_TYPE](https://msdn.microsoft.com/en-us/library/cc231559.aspx) for the bitmasks that are used to identify profile types.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="action"></a>**FirewallRules/_FirewallRuleName_/Action**
<p style="margin-left: 20px">Specifies the action for the rule.</p>
@ -235,7 +280,8 @@ If not specified - a new rule is disabled by default.</p>
<li>0 - Block</li>
<li>1 - Allow</li>
</ul>
<p style="margin-left: 20px">Value type is integer. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">If not specified, the default is allow.</p>
<p style="margin-left: 20px">Value type is integer. Supported operations are Get and Replace.</p>
<a href="" id="direction"></a>**FirewallRules/_FirewallRuleName_/Direction**
<p style="margin-left: 20px">Comma separated list. The rule is enabled based on the traffic direction as following. Supported values:</p>
@ -244,27 +290,24 @@ If not specified - a new rule is disabled by default.</p>
<li>OUT - the rule applies to outbound traffic.</li>
<li>If not specified, the default is IN.</li>
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Get and Replace.</p>
<a href="" id="interfacetypes"></a>**FirewallRules/FirewallRuleName/InterfaceTypes**
<p style="margin-left: 20px">Comma separated list of interface types. Valid values:</p>
<ul>
<li>RemoteAccess</li>
<li>Wireless</li>
<li>Lan</li>
<li>MobileBroadband</li>
<li>All</li>
</ul>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="icmptypesandcodes"></a>**FirewallRules/_FirewallRuleName_/IcmpTypesAndCodes**
<p style="margin-left: 20px">List of ICMP types and codes separated by semicolon. "\*" indicates all ICMP types and codes.<</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">If not specified, the default is All.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Get and Replace.</p>
<a href="" id="edgetraversal"></a>**FirewallRules/_FirewallRuleName_/EdgeTraversal**
<p style="margin-left: 20px">Indicates whether edge traversal is enabled or disabled for this rule.</p>
<p style="margin-left: 20px">The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.</p>
<p style="margin-left: 20px">New rules have the EdgeTraversal property disabled by default.</p>
<p style="margin-left: 20px">Boolean value. Supported operations are Add, Get, Replace, and Delete.</p>
<p style="margin-left: 20px">Value type is bool. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="localuserauthorizedlist"></a>**FirewallRules/_FirewallRuleName_/LocalUserAuthorizedList**
<p style="margin-left: 20px">Specifies the list of authorized local users for the app container. This is a string in Security Descriptor Definition Language (SDDL) format.</p>
@ -274,10 +317,6 @@ If not specified - a new rule is disabled by default.</p>
<p style="margin-left: 20px">Provides information about the specific verrsion of the rule in deployment for monitoring purposes.</p>
<p style="margin-left: 20px">Value type is string. Supported operation is Get.</p>
<a href="" id="friendlyname"></a>**FirewallRules/_FirewallRuleName_/FriendlyName**
<p style="margin-left: 20px">Specifies the friendly name of the rule. The string must not contain the "|" character.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>
<a href="" id="name"></a>**FirewallRules/_FirewallRuleName_/Name**
<p style="margin-left: 20px">Name of the rule.</p>
<p style="margin-left: 20px">Value type is string. Supported operations are Add, Get, Replace, and Delete.</p>

325
windows/client-management/mdm/firewall-ddf-file.md
View File

@ -6,7 +6,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/18/2017
---
# Firewall CSP
@ -30,6 +30,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
</AccessType>
<Description>Root node for the Firewall configuration service provider.</Description>
<DFFormat>
<node />
</DFFormat>
@ -67,7 +68,6 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<DFProperties>
<AccessType>
<Get />
<Replace />
</AccessType>
<DFFormat>
<node />
@ -88,7 +88,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
</AccessType>
<Description>This value is a DWORD containing the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</Description>
<Description>Value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.</Description>
<DFFormat>
<int />
</DFFormat>
@ -109,7 +109,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
</AccessType>
<Description>This value is a DWORD and contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</Description>
<Description>Value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.</Description>
<DFFormat>
<int />
</DFFormat>
@ -130,8 +130,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. The value is a DWORD; 0x00000000 means off; 0x00000001 means on. The merge law for this option is to let "on" values win.</Description>
<DefaultValue>FALSE</DefaultValue>
<Description>This value is an on/off switch. If off, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. FALSE means off; TRUE means on, so the stateful FTP is disabled. The merge law for this option is to let "on" values win.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -152,8 +155,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is a DWORD and MUST be a value in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DefaultValue>300</DefaultValue>
<Description>This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DFFormat>
<int />
</DFFormat>
@ -174,8 +180,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This configuration value specifies the preshared key encoding that is used. The value is a DWORD and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DefaultValue>1</DefaultValue>
<Description>Specifies the preshared key encoding that is used. MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. Default is 1 [UTF-8]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DFFormat>
<int />
</DFFormat>
@ -196,8 +205,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This configuration value configures IPsec exceptions. The value is a DWORD and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value configures IPsec exceptions and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DFFormat>
<int />
</DFFormat>
@ -218,8 +230,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value specifies how certificate revocation list (CRL) verification is enforced. The value is a DWORD and MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<Description>This value specifies how certificate revocation list (CRL) verification is enforced. The value MUST be 0, 1, or 2. A value of 0 disables CRL checking. A value of 1 specifies that CRL checking is attempted and that certificate validation fails only if the certificate is revoked. Other failures that are encountered during CRL checking (such as the revocation URL being unreachable) do not cause certificate validation to fail. A value of 2 means that checking is required and that certificate validation fails if any error is encountered during CRL processing. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.</Description>
<DFFormat>
<int />
</DFFormat>
@ -282,8 +296,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. When this option is off, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is on, keying modules MUST ignore only the authentication suites that they do not support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<Description>This value is used as an on/off switch. When this option is false, keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true, keying modules MUST ignore only the authentication suites that they dont support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DFFormat>
<bool />
</DFFormat>
@ -304,8 +320,11 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
<Delete />
</AccessType>
<Description>This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a DWORD and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is a integer and is a combination of flags. A value of 0x00 indicates that all queuing is to be disabled. A value of 0x01 specifies that inbound encrypted packets are to be queued. A value of 0x02 specifies that packets are to be queued after decryption is performed for forwarding.</Description>
<DFFormat>
<int />
</DFFormat>
@ -346,10 +365,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -368,10 +389,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -391,9 +414,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<Get />
<Replace />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -412,10 +436,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -434,10 +460,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -456,10 +484,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -478,10 +508,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -500,10 +532,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -522,10 +556,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -544,8 +580,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -566,8 +604,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -588,10 +628,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -630,10 +672,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -652,10 +696,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -675,9 +721,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<Get />
<Replace />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -696,10 +743,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -718,10 +767,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -740,10 +791,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -762,10 +815,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -784,10 +839,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -806,10 +863,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -828,8 +887,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -850,8 +911,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -872,10 +935,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -914,10 +979,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. It is a DWORD type value; 0x00000000 is off; 0x00000001 is on. If this value is off, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -936,10 +1003,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. When this option is off, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -959,9 +1028,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<Get />
<Replace />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If this value is on and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "on" values win.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -980,10 +1050,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If it is on, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is used as an on/off switch. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1002,10 +1074,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. </Description>
<DefaultValue>0</DefaultValue>
<Description>This value is an on/off switch. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1024,10 +1098,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1046,10 +1122,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1068,10 +1146,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. If this value is off, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is used as an on/off switch. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1090,10 +1170,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD; it is an on/off switch. If this value is off, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1112,8 +1194,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>0</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 0 [Allow]. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1134,8 +1218,10 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The allow action is represented by 0x00000000; 0x00000001 represents a block action. Default value is 1 [Block]. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1156,10 +1242,12 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<AccessType>
<Get />
<Replace />
<Add />
</AccessType>
<Description>This value is a DWORD used as an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is on, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DefaultValue>1</DefaultValue>
<Description>This value is an on/off switch. This option is ignored if DisableStealthMode is on. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.</Description>
<DFFormat>
<int />
<bool />
</DFFormat>
<Occurrence>
<One />
@ -1200,6 +1288,7 @@ This topic shows the OMA DM device description framework (DDF) for the **Firewal
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).</Description>
<DFFormat>
@ -1349,7 +1438,7 @@ ServiceName</Description>
<Get />
<Replace />
</AccessType>
<Description>0-255 number representing the ip protocol (TCP = 6, UDP = 17)</Description>
<Description>0-255 number representing the ip protocol (TCP = 6, UDP = 17). If not specified the default is All.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1373,7 +1462,7 @@ ServiceName</Description>
<Get />
<Replace />
</AccessType>
<Description>Comma Separated list of ranges for eg. 100-120,200,300-320</Description>
<Description>Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1397,7 +1486,7 @@ ServiceName</Description>
<Get />
<Replace />
</AccessType>
<Description> Comma Separated list of ranges for eg. 100-120,200,300-320</Description>
<Description> Comma Separated list of ranges for eg. 100-120,200,300-320. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1428,7 +1517,7 @@ Valid tokens include:
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included.</Description>
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1466,7 +1555,7 @@ An IPv6 address range in the format of "start address - end address" with no spa
A subnet can be specified using either the subnet mask or network prefix notation. If neither a subnet mask not a network prefix is specified, the subnet mask defaults to 255.255.255.255.
A valid IPv6 address.
An IPv4 address range in the format of "start address - end address" with no spaces included.
An IPv6 address range in the format of "start address - end address" with no spaces included.</Description>
An IPv6 address range in the format of "start address - end address" with no spaces included. If not specified the default is All.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -1509,8 +1598,6 @@ An IPv6 address range in the format of "start address - end address" with no spa
<NodeName>Enabled</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
@ -1534,12 +1621,10 @@ If not specified - a new rule is disabled by default.</Description>
<NodeName>Profiles</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.</Description>
<Description>Specifies the profiles to which the rule belongs: Domain, Private, Public. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. If not specified, the default is All.</Description>
<DFFormat>
<int />
</DFFormat>
@ -1560,13 +1645,7 @@ If not specified - a new rule is disabled by default.</Description>
<AccessType>
<Get />
</AccessType>
<Description>Specifies the action for the rule.
BLOCK - block the connection.
ALLOW - allow the connection.
If not specified the default action is BLOCK.</Description>
<Description>Specifies the action for the rule.</Description>
<DFFormat>
<node />
</DFFormat>
@ -1584,11 +1663,10 @@ If not specified the default action is BLOCK.</Description>
<NodeName>Type</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>1</DefaultValue>
<Description>Specifies the action the rule enforces:
0 - Block
1 - Allow</Description>
@ -1611,11 +1689,10 @@ If not specified the default action is BLOCK.</Description>
<NodeName>Direction</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>IN</DefaultValue>
<Description>Comma separated list. The rule is enabled based on the traffic direction as following.
IN - the rule applies to inbound traffic.
@ -1640,11 +1717,10 @@ If not specified the detault is IN.</Description>
<NodeName>InterfaceTypes</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<DefaultValue>All</DefaultValue>
<Description>String value. Multiple interface types can be included in the string by separating each value with a ",". Acceptable values are "RemoteAccess", "Wireless", "Lan", "MobileBroadband", and "All".
If more than one interface type is specified, the strings must be separated by a comma.</Description>
<DFFormat>
@ -1661,30 +1737,6 @@ If not specified the detault is IN.</Description>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>IcmpTypesAndCodes</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>The icmpTypesAndCodes parameter is a list of ICMP types and codes separated by semicolon. "*" indicates all ICMP types and codes.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<ZeroOrOne />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>EdgeTraversal</NodeName>
<DFProperties>
@ -1760,31 +1812,6 @@ This is a string in Security Descriptor Definition Language (SDDL) format..</Des
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>FriendlyName</NodeName>
<DFProperties>
<AccessType>
<Add />
<Delete />
<Get />
<Replace />
</AccessType>
<Description>Specifies the friendly name of the rule.
The string must not contain the "|" character.</Description>
<DFFormat>
<chr />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Dynamic />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
<Node>
<NodeName>Name</NodeName>
<DFProperties>

BIN
windows/client-management/mdm/images/provisioning-csp-firewall.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 95 KiB

After

Width:  |  Height:  |  Size: 93 KiB

BIN
windows/client-management/mdm/images/provisioning-csp-office.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 6.1 KiB

After

Width:  |  Height:  |  Size: 9.4 KiB

76
windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
View File

@ -10,7 +10,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/14/2017
ms.date: 08/25/2017
---
# What's new in MDM enrollment and management
@ -52,7 +52,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
## <a href="" id="whatsnew"></a>What's new in Windows 10, version 1511
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -184,7 +184,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
## <a href="" id="whatsnew1607"></a>What's new in Windows 10, version 1607
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -495,7 +495,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
## <a href="" id="whatsnew10"></a>What's new in Windows 10, version 1703
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -678,12 +678,11 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Update/ActiveHoursMaxRange</li>
<li>Update/AutoRestartDeadlinePeriodInDays</li>
<li>Update/AutoRestartNotificationSchedule</li>
<li>Update/AutoRestartNotificationStyle</li>
<li>Update/AutoRestartRequiredNotificationDismissal</li>
<li>Update/DetectionFrequency</li>
<li>Update/EngagedRestartDeadline</li>
<li>Update/EngagedRestartSnoozeSchedule</li>
<li>Update/EngagedRestartTransistionSchedule</li>
<li>Update/EngagedRestartTransitionSchedule</li>
<li>Update/IgnoreMOAppDownloadLimit</li>
<li>Update/IgnoreMOUpdateDownloadLimit</li>
<li>Update/PauseFeatureUpdatesStartTime</li>
@ -917,7 +916,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
## <a href="" id="whatsnew1709"></a>What's new in Windows 10, version 1709
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -975,9 +974,18 @@ For details about Microsoft mobile device management protocols for Windows 10 s
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added the following setting in Windows 10, version 1709:</p>
<ul>
<li>Installation/CurrentStatus</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Browser/LockdownFavorites</li>
<li>Browser/ProvisionFavorites</li>
<li>CredentialProviders/DisableAutomaticReDeploymentCredentials</li>
<li>DeviceGuard/EnableVirtualizationBasedSecurity</li>
<li>DeviceGuard/RequirePlatformSecurityFeatures</li>
@ -1013,14 +1021,16 @@ For details about Microsoft mobile device management protocols for Windows 10 s
<li>Power/HibernateTimeoutPluggedIn</li>
<li>Power/StandbyTimeoutOnBattery</li>
<li>Power/StandbyTimeoutPluggedIn</li>
<li>Privacy/EnableActivityFeed</li>
<li>Privacy/PublishUserActivities</li>
<li>Defender/AttackSurfaceReductionOnlyExclusions</li>
<li>Defender/AttackSurfaceReductionRules</li>
<li>Defender/CloudBlockLevel </li>
<li>Defender/CloudExtendedTimeout</li>
<li>Defender/EnableGuardMyFolders</li>
<li>Defender/ControlledFolderAccessAllowedApplications</li>
<li>Defender/ControlledFolderAccessProtectedFolders</li>
<li>Defender/EnableControlledFolderAccess</li>
<li>Defender/EnableNetworkProtection</li>
<li>Defender/GuardedFoldersAllowedApplications</li>
<li>Defender/GuardedFoldersList</li>
<li>Education/DefaultPrinterName</li>
<li>Education/PreventAddingNewPrinters</li>
<li>Education/PrinterNames</li>
@ -1316,7 +1326,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
### August 2017
<table>
<table class="mx-tdBreakAll">
<colgroup>
<col width="25%" />
<col width="75%" />
@ -1366,13 +1376,41 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Office CSP](office-csp.md)</td>
<td style="vertical-align:top"><p>Added the following setting in Windows 10, version 1709:</p>
<ul>
<li>Installation/CurrentStatus</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[BitLocker CSP](bitlocker-csp.md)</td>
<td style="vertical-align:top">Added information to the ADMX-backed policies.
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Firewall CSP](firewall-csp.md)</td>
<td style="vertical-align:top">Updated the CSP and DDF topics. Here are the changes:
<ul>
<li>Removed the two settings - FirewallRules/FirewallRuleName/FriendlyName and FirewallRules/FirewallRuleName/IcmpTypesAndCodes.</li>
<li>Changed some data types from integer to bool.</li>
<li>Updated the list of supported operations for some settings.</li>
<li>Added default values.</li>
</ul>
</td></tr>
<tr class="odd">
<td style="vertical-align:top">[Policy DDF file](policy-ddf-file.md)</td>
<td style="vertical-align:top">Added another Policy DDF file [download](http://download.microsoft.com/download/6/1/C/61C022FD-6F5D-4F73-9047-17F630899DC4/PolicyDDF_all_version1607_8C.xml) for the 8C release of Windows 10, version 1607, which added the following policies:
<ul>
<li>Browser/AllowMicrosoftCompatibilityList</li>
<li>Update/DisableDualScan</li>
<li>Update/FillEmptyContentUrls</li>
</ul>
</td></tr>
<tr class="even">
<td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
<td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1709:</p>
<ul>
<li>Browser/ProvisionFavorites</li>
<li>Browser/LockdownFavorites</li>
<li>ExploitGuard/ExploitProtectionSettings</li>
<li>LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts</li>
<li>LocalPoliciesSecurityOptions/Accounts_EnableAdministratorAccountStatus</li>
@ -1398,9 +1436,22 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
<li>LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_SwitchToTheSecureDesktopWhenPromptingForElevation</li>
<li>LocalPoliciesSecurityOptions/UserAccountControl_VirtualizeFileAndRegistryWriteFailuresToPerUserLocations</li>
<li>Privacy/EnableActivityFeed</li>
<li>Privacy/PublishUserActivities</li>
</ul>
<p>Changed the name of new policy to CredentialProviders/DisableAutomaticReDeploymentCredentials from CredentialProviders/EnableWindowsAutoPilotResetCredentials.</p>
<p>Changed the names of the following policies:</p>
<ul>
<li>Defender/GuardedFoldersAllowedApplications to Defender/ControlledFolderAccessAllowedApplications</li>
<li>Defender/GuardedFoldersList to Defender/ControlledFolderAccessProtectedFolders</li>
<li>Defender/EnableGuardMyFolders to Defender/EnableControlledFolderAccess</li>
</ul>
<p>Added links to the additional [ADMX-backed BitLocker policies](policy-csp-bitlocker.md).</p>
<p>There were issues reported with the previous release of the following policies. These issues were fixed in Window 10, version 1709:</p>
<ul>
<li>Privacy/AllowAutoAcceptPairingAndPrivacyConsentPrompts</li>
<li>Start/HideAppList</li>
</ul>
</td></tr>
</tbody>
</table>
@ -2006,11 +2057,10 @@ Also Added [Firewall DDF file](firewall-ddf-file.md).</td></tr>
<li>TimeLanguageSettings/AllowSet24HourClock</li>
<li>Update/ActiveHoursMaxRange</li>
<li>Update/AutoRestartNotificationSchedule</li>
<li>Update/AutoRestartNotificationStyle</li>
<li>Update/AutoRestartRequiredNotificationDismissal</li>
<li>Update/EngagedRestartDeadline</li>
<li>Update/EngagedRestartSnoozeSchedule</li>
<li>Update/EngagedRestartTransistionSchedule</li>
<li>Update/EngagedRestartTransitionSchedule</li>
<li>Update/SetAutoRestartNotificationDisable</li>
<li>WindowsLogon/HideFastUserSwitching</li>
</ul>

34
windows/client-management/mdm/office-csp.md
View File

@ -6,11 +6,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/22/2017
---
# Office CSP
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool. For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx).
This CSP was added in Windows 10, version 1703.
@ -38,7 +41,7 @@ The following diagram shows the Office configuration service provider in tree fo
<a href="" id="install"></a>**Install**
<p style="margin-left: 20px">Installs office by using the XML data specified in the configuration.xml file.
<p style="margin-left: 20px">Installs Office by using the XML data specified in the configuration.xml file.
<p style="margin-left: 20px">The supported operations are Get and Execute.
@ -48,13 +51,18 @@ The following diagram shows the Office configuration service provider in tree fo
<p style="margin-left: 20px">The only supported operation is Get.
<a href="" id="currentstatus"></a>**CurrentStatus**
<p style="margin-left: 20px">Returns an XML of current Office 365 installation status on the device.
<p style="margin-left: 20px">The only supported operation is Get.
## Examples
Sample SyncML to install Office 365 Business Retail from current channel.
```syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>7</CmdID>
@ -76,7 +84,7 @@ Sample SyncML to install Office 365 Business Retail from current channel.
To uninstall the Office 365 from the system:
```syntax
<SyncML xmlns="SYNCML:SYNCML1.1">
<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Exec>
<CmdID>7</CmdID>
@ -95,6 +103,24 @@ To uninstall the Office 365 from the system:
</SyncML>
```
To get the current status of Office 365 on the device.
``` syntax
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Get>
      <CmdID>7</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/Office/Installation/CurrentStatus</LocURI>
          </Target>
        </Item>
    </Get>
    <Final/>
  </SyncBody>
</SyncML>
```
## Status code
<table>

61
windows/client-management/mdm/office-ddf.md
View File

@ -7,11 +7,14 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 06/19/2017
ms.date: 08/22/2017
---
# Office DDF
> [!WARNING]
> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
This topic shows the OMA DM device description framework (DDF) for the **Office** configuration service provider. DDF files are used only with OMA DM provisioning XML.
You can download the DDF files from the links below:
@ -19,7 +22,7 @@ You can download the DDF files from the links below:
- [Download all the DDF files for Windows 10, version 1703](http://download.microsoft.com/download/C/7/C/C7C94663-44CF-4221-ABCA-BC895F42B6C2/Windows10_1703_DDF_download.zip)
- [Download all the DDF files for Windows 10, version 1607](http://download.microsoft.com/download/2/3/E/23E27D6B-6E23-4833-B143-915EDA3BDD44/Windows10_1607_DDF.zip)
The XML below is the current version for this CSP.
The XML below is for Windows 10, version 1709.
``` syntax
<?xml version="1.0" encoding="UTF-8"?>
@ -30,12 +33,12 @@ The XML below is the current version for this CSP.
<VerDTD>1.2</VerDTD>
<Node>
<NodeName>Office</NodeName>
<Path>./Vendor/MSFT</Path>
<Path>./User/Vendor/MSFT</Path>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>Root of the office CSP.</Description>
<Description>Root of the Office CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -46,7 +49,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<MIME>com.microsoft/1.0/MDM/Office</MIME>
<MIME>com.microsoft/1.3/MDM/Office</MIME>
</DFType>
</DFProperties>
<Node>
@ -55,7 +58,7 @@ The XML below is the current version for this CSP.
<AccessType>
<Get />
</AccessType>
<Description>Installation options for the office CSP.</Description>
<Description>Installation options for the Office CSP.</Description>
<DFFormat>
<node />
</DFFormat>
@ -100,7 +103,7 @@ The XML below is the current version for this CSP.
<Exec />
<Get />
</AccessType>
<Description>The install action will install office given the configuration in the data. The string data is the xml configuration to use in order to install office.</Description>
<Description>The install action will install Office given the configuration in the data. The string data is the xml configuration to use in order to install Office.</Description>
<DFFormat>
<chr />
</DFFormat>
@ -137,6 +140,27 @@ The XML below is the current version for this CSP.
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The current Office 365 installation status on the machine</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
<Node>
@ -156,7 +180,7 @@ The XML below is the current version for this CSP.
<Permanent />
</Scope>
<DFType>
<DDFName></DDFName>
<MIME>com.microsoft/1.3/MDM/Office</MIME>
</DFType>
</DFProperties>
<Node>
@ -243,6 +267,27 @@ The XML below is the current version for this CSP.
</DFProperties>
</Node>
</Node>
<Node>
<NodeName>CurrentStatus</NodeName>
<DFProperties>
<AccessType>
<Get />
</AccessType>
<Description>The current Office 365 installation status on the machine</Description>
<DFFormat>
<xml />
</DFFormat>
<Occurrence>
<One />
</Occurrence>
<Scope>
<Permanent />
</Scope>
<DFType>
<MIME>text/plain</MIME>
</DFType>
</DFProperties>
</Node>
</Node>
</Node>
</MgmtTree>

24
windows/client-management/mdm/policy-configuration-service-provider.md
View File

@ -7,7 +7,7 @@ ms.topic: article
ms.prod: w10
ms.technology: windows
author: nickbrower
ms.date: 08/14/2017
ms.date: 08/25/2017
---
# Policy CSP
@ -456,6 +456,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-homepages" id="browser-homepages">Browser/HomePages</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-lockdownfavorites" id="browser-lockdownfavorites">Browser/LockdownFavorites</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-preventaccesstoaboutflagsinmicrosoftedge" id="browser-preventaccesstoaboutflagsinmicrosoftedge">Browser/PreventAccessToAboutFlagsInMicrosoftEdge</a>
</dd>
@ -474,6 +477,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-browser.md#browser-preventusinglocalhostipaddressforwebrtc" id="browser-preventusinglocalhostipaddressforwebrtc">Browser/PreventUsingLocalHostIPAddressForWebRTC</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-provisionfavorites" id="browser-provisionfavorites">Browser/ProvisionFavorites</a>
</dd>
<dd>
<a href="./policy-csp-browser.md#browser-sendintranettraffictointernetexplorer" id="browser-sendintranettraffictointernetexplorer">Browser/SendIntranetTraffictoInternetExplorer</a>
</dd>
@ -667,7 +673,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-defender.md#defender-daystoretaincleanedmalware" id="defender-daystoretaincleanedmalware">Defender/DaysToRetainCleanedMalware</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-enableguardmyfolders" id="defender-enableguardmyfolders">Defender/EnableGuardMyFolders</a>
<a href="./policy-csp-defender.md#defender-enablecontrolledfolderaccess" id="defender-enablecontrolledfolderaccess">Defender/EnableControlledFolderAccess</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-enablenetworkprotection" id="defender-enablenetworkprotection">Defender/EnableNetworkProtection</a>
@ -682,10 +688,10 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-defender.md#defender-excludedprocesses" id="defender-excludedprocesses">Defender/ExcludedProcesses</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-guardedfoldersallowedapplications" id="defender-guardedfoldersallowedapplications">Defender/GuardedFoldersAllowedApplications</a>
<a href="./policy-csp-defender.md#defender-controlledfolderaccessallowedapplications" id="defender-controlledfolderaccessallowedapplications">Defender/ControlledFolderAccessAllowedApplications</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-guardedfolderslist" id="defender-guardedfolderslist">Defender/GuardedFoldersList</a>
<a href="./policy-csp-defender.md#defender-controlledfolderaccessprotectedfolders" id="defender-controlledfolderaccessprotectedfolders">Defender/ControlledFolderAccessProtectedFolders</a>
</dd>
<dd>
<a href="./policy-csp-defender.md#defender-puaprotection" id="defender-puaprotection">Defender/PUAProtection</a>
@ -1862,7 +1868,7 @@ The following diagram shows the Policy configuration service provider in tree fo
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon" id="localpoliciessecurityoptions-shutdown-allowsystemtobeshutdownwithouthavingtologon">LocalPoliciesSecurityOptions/Shutdown_AllowSystemToBeShutDownWithoutHavingToLogOn</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-tbuseraccountcontrol-runalladministratorsinadminapprovalmoded" id="localpoliciessecurityoptions-tbuseraccountcontrol-runalladministratorsinadminapprovalmoded">LocalPoliciesSecurityOptions/TBUserAccountControl_RunAllAdministratorsInAdminApprovalModeD</a>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode" id="localpoliciessecurityoptions-useraccountcontrol-runalladministratorsinadminapprovalmode">LocalPoliciesSecurityOptions/UserAccountControl_RunAllAdministratorsInAdminApprovalMode</a>
</dd>
<dd>
<a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation" id="localpoliciessecurityoptions-useraccountcontrol-allowuiaccessapplicationstopromptforelevation">LocalPoliciesSecurityOptions/UserAccountControl_AllowUIAccessApplicationsToPromptForElevation</a>
@ -2023,6 +2029,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-privacy.md#privacy-disableadvertisingid" id="privacy-disableadvertisingid">Privacy/DisableAdvertisingId</a>
</dd>
<dd>
<a href="./policy-csp-privacy.md#privacy-enableactivityfeed" id="privacy-enableactivityfeed">Privacy/EnableActivityFeed</a>
</dd>
<dd>
<a href="./policy-csp-privacy.md#privacy-letappsaccessaccountinfo" id="privacy-letappsaccessaccountinfo">Privacy/LetAppsAccessAccountInfo</a>
</dd>
@ -2239,6 +2248,9 @@ The following diagram shows the Policy configuration service provider in tree fo
<dd>
<a href="./policy-csp-privacy.md#privacy-letappssyncwithdevices-userincontroloftheseapps" id="privacy-letappssyncwithdevices-userincontroloftheseapps">Privacy/LetAppsSyncWithDevices_UserInControlOfTheseApps</a>
</dd>
<dd>
<a href="./policy-csp-privacy.md#privacy-publishuseractivities" id="privacy-publishuseractivities">Privacy/PublishUserActivities</a>
</dd>
</dl>
### RemoteAssistance policies
@ -3504,6 +3516,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [DeliveryOptimization/DOPercentageMaxDownloadBandwidth](#deliveryoptimization-dopercentagemaxdownloadbandwidth)
- [Desktop/PreventUserRedirectionOfProfileFolders](#desktop-preventuserredirectionofprofilefolders)
- [DeviceGuard/AllowKernelControlFlowGuard](#deviceguard-allowkernelcontrolflowguard)
- [Privacy/EnableActivityFeed](#privacy-enableactivityfeed)
- [Privacy/LetAppsGetDiagnosticInfo](#privacy-letappsgetdiagnosticinfo)
- [Privacy/LetAppsGetDiagnosticInfo_ForceAllowTheseApps](#privacy-letappsgetdiagnosticinfo-forceallowtheseapps)
- [Privacy/LetAppsGetDiagnosticInfo_ForceDenyTheseApps](#privacy-letappsgetdiagnosticinfo-forcedenytheseapps)
@ -3512,6 +3525,7 @@ The following diagram shows the Policy configuration service provider in tree fo
- [Privacy/LetAppsRunInBackground_ForceAllowTheseApps](#privacy-letappsruninbackground-forceallowtheseapps)
- [Privacy/LetAppsRunInBackground_ForceDenyTheseApps](#privacy-letappsruninbackground-forcedenytheseapps)
- [Privacy/LetAppsRunInBackground_UserInControlOfTheseApps](#privacy-letappsruninbackground-userincontroloftheseapps)
- [Privacy/PublishUserActivities](#privacy-publishuseractivities)
- [Security/RequireProvisioningPackageSignature](#security-requireprovisioningpackagesignature)
- [Security/RequireRetrieveHealthCertificateOnBoot](#security-requireretrievehealthcertificateonboot)
- [System/AllowFontProviders](#system-allowfontproviders)

Some files were not shown because too many files have changed in this diff Show More