diff --git a/browsers/edge/microsoft-edge.yml b/browsers/edge/microsoft-edge.yml
index 2b47ccaaf7..797d881911 100644
--- a/browsers/edge/microsoft-edge.yml
+++ b/browsers/edge/microsoft-edge.yml
@@ -1,60 +1,144 @@
-### YamlMime:YamlDocument
+### YamlMime:Landing
+
+title: Microsoft Edge Legacy # < 60 chars
+summary: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # < 160 chars
-documentType: LandingData
-title: Microsoft Edge
metadata:
- title: Microsoft Edge
- description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization.
+ title: Microsoft Edge Legacy # Required; page title displayed in search results. Include the brand. < 60 chars.
+ description: Find the tools and resources you need to help deploy and use Microsoft Edge in your organization. # Required; article description that is displayed in search results. < 160 chars.
keywords: Microsoft Edge, issues, fixes, announcements, Windows Server, advisories
+ ms.prod: edge
ms.localizationpriority: medium
author: lizap
ms.author: elizapo
manager: dougkim
- ms.topic: article
+ ms.topic: landing-page
ms.devlang: na
+ ms.date: 08/19/2020 #Required; mm/dd/yyyy format.
-sections:
-- items:
- - type: markdown
- text: "
- Find the tools and resources you need to help deploy and use Microsoft Edge in your organization.
- "
-- title: What's new
-- items:
- - type: markdown
- text: "
- Find out the latest and greatest news on Microsoft Edge.
-
 **The latest in Microsoft Edge** See what's new for users and developers in the next update to Microsoft Edge - now available with the Windows 10 April 2018 update! Find out more |  **Evaluate the impact** Review the latest Forrester Total Economic Impact (TEI) report to learn about the impact Microsoft Edge can have in your organization. Download the reports |
 **Microsoft Edge for iOS and Android** Microsoft Edge brings familiar features across your PC and phone, which allows browsing to go with you, no matter what device you use. Learn more |  **Application Guard** Microsoft Edge with Windows Defender Application Guard is the most secure browser on Windows 10 Enterprise. Learn more |
-
- "
-- title: Compatibility
-- items:
- - type: markdown
- text: "
- Even if you still have legacy apps in your organization, you can default to the secure, modern experience of Microsoft Edge and provide a consistent level of compatibility with existing legacy applications.
-
- "
-- title: Security
-- items:
- - type: markdown
- text: "
- Microsoft Edge uses Windows Hello and Windows Defender SmartScreen to defend against phishing and malware. Take a look at some of the additional features behind the strong defense that Microsoft Edge provides against web-based attacks.
-  **NSS Labs web browser security reports** See the results of two global tests measuring how effective browsers are at protecting against socially engineered malware and phishing attacks. Download the reports |  **Microsoft Edge sandbox** See how Microsoft Edge has significantly reduced the attack surface of the sandbox by configuring the app container to further reduce its privilege. Find out more |  **Windows Defender SmartScreen** Manage your organization's computer settings with Group Policy and MDM settings to display a warning page to employees or block a site entirely. Read the docs |
-
- "
-- title: Deployment and end user readiness
-- items:
- - type: markdown
- text: "
- Find resources and learn about features to help you deploy Microsoft Edge in your organization to get your users up and running quickly.
-
- "
-- title: Stay informed
-- items:
- - type: markdown
- text: "
-  **Sign up for the Windows IT Pro Insider** Get the latest tools, tips, and expert guidance on deployment, management, security, and more. Learn more |  **Microsoft Edge Dev blog** Keep up with the latest browser trends, security tips, and news for IT professionals. Read the blog |  **Microsoft Edge Dev on Twitter** Get the latest news and updates from the Microsoft Web Platform team. Visit Twitter |
-
- "
+# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | sample | tutorial | video | whats-new
+
+landingContent:
+# Cards and links should be based on top customer tasks or top subjects
+# Start card title with a verb
+ # Card (optional)
+ - title: What's new
+ linkLists:
+ - linkListType: whats-new
+ links:
+ - text: Documentation for Microsoft Edge version 77 or later
+ url: https://docs.microsoft.com/DeployEdge/
+ - text: Microsoft Edge Legacy desktop app will reach end of support on March 9, 2021
+ url: https://techcommunity.microsoft.com/t5/microsoft-365-blog/microsoft-365-apps-say-farewell-to-internet-explorer-11-and/ba-p/1591666
+ - text: The latest in Microsoft Edge
+ url: https://blogs.windows.com/msedgedev/2018/04/30/edgehtml-17-april-2018-update/#C7jCBdbPSG6bCXHr.97
+ - text: Microsoft Edge for iOS and Android
+ url: https://blogs.windows.com/windowsexperience/2017/11/30/microsoft-edge-now-available-for-ios-and-android
+ - text: Application Guard
+ url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
+ - linkListType: download
+ links:
+ - text: Evaluate the impact
+ url: /microsoft-edge/deploy/microsoft-edge-forrester
+
+ # Card (optional)
+ - title: Test your site on Microsoft Edge
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Test your site on Microsoft Edge for free on BrowserStack
+ url: https://developer.microsoft.com/microsoft-edge/tools/remote/
+ - text: Use sonarwhal to improve your website
+ url: https://sonarwhal.com/
+
+ # Card (optional)
+ - title: Improve compatibility with Enterprise Mode
+ linkLists:
+ - linkListType: how-to-guide
+ links:
+ - text: Use Enterprise mode to improve compatibility
+ url: /microsoft-edge/deploy/emie-to-improve-compatibility
+ - text: Turn on Enterprise Mode and use a site list
+ url: https://docs.microsoft.com/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list
+ - text: Enterprise Site List Portal
+ url: https://github.com/MicrosoftEdge/enterprise-mode-site-list-portal
+
+ # Card (optional)
+ - title: Web Application Compatibility Lab Kit
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Overview
+ url: /microsoft-edge/deploy/emie-to-improve-compatibility
+
+ # Card (optional)
+ - title: Security
+ linkLists:
+ - linkListType: download
+ links:
+ - text: NSS Labs web browser security reports
+ url: https://www.microsoft.com/download/details.aspx?id=54773
+ - linkListType: overview
+ links:
+ - text: Microsoft Edge sandbox
+ url: https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/
+ - text: Windows Defender SmartScreen
+ url: https://docs.microsoft.com/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview
+
+ # Card (optional)
+ - title: Deployment
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Microsoft Edge deployment guide
+ url: /microsoft-edge/deploy/
+ - text: Microsoft Edge FAQ
+ url: /microsoft-edge/deploy/microsoft-edge-faq
+ - text: System requirements and language support
+ url: /microsoft-edge/deploy/hardware-and-software-requirements
+ - text: Group Policy and MDM settings in Microsoft Edge
+ url: /microsoft-edge/deploy/available-policies
+ - text: Microsoft Edge training and demonstrations
+ url: /microsoft-edge/deploy/edge-technical-demos
+ - linkListType: download
+ links:
+ - text: Web Application Compatibility Lab Kit
+ url: https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-toolkit
+
+ # Card (optional)
+ - title: End user readiness
+ linkLists:
+ - linkListType: video
+ links:
+ - text: Microsoft Edge tips and tricks (video, 20:26)
+ url: https://myignite.microsoft.com/sessions/56630?source=sessions
+ - linkListType: download
+ links:
+ - text: Quick Start - Microsoft Edge (PDF, .98 MB)
+ url: https://go.microsoft.com/fwlink/?linkid=825648
+ - text: Find it faster with Microsoft Edge (PDF, 605 KB)
+ url: https://go.microsoft.com/fwlink/?linkid=825661
+ - text: Use Microsoft Edge to collaborate (PDF, 468 KB)
+ url: https://go.microsoft.com/fwlink/?linkid=825653
+ - text: Group Policy and MDM settings in Microsoft Edge
+ url: /microsoft-edge/deploy/available-policies
+ - text: Microsoft Edge training and demonstrations
+ url: /microsoft-edge/deploy/edge-technical-demos
+ - linkListType: how-to-guide
+ links:
+ - text: Import bookmarks
+ url: https://microsoftedgetips.microsoft.com/2/39
+ - text: Password management
+ url: https://microsoftedgetips.microsoft.com/2/18
+
+ # Card (optional)
+ - title: Stay informed
+ linkLists:
+ - linkListType: overview
+ links:
+ - text: Sign up for the Windows IT Pro Insider
+ url: https://aka.ms/windows-it-pro-insider
+ - text: Microsoft Edge Dev blog
+ url: https://blogs.windows.com/msedgedev
+ - text: Microsoft Edge Dev on Twitter
+ url: https://twitter.com/MSEdgeDev
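Review bot: The Overview link in the "Web Application Compatibility Lab Kit" card points to /microsoft-edge/deploy/emie-to-improve-compatibility, the same URL already used for "Use Enterprise mode to improve compatibility" in the card above it, while the Lab Kit link itself (https://www.microsoft.com/itpro/microsoft-edge/web-app-compat-toolkit) is filed under Deployment; point this card at the Lab Kit page or fold it into Deployment. In "End user readiness", the entries "Group Policy and MDM settings in Microsoft Edge" and "Microsoft Edge training and demonstrations" repeat the Deployment card and sit under linkListType: download although they are doc pages. The title now says "Microsoft Edge Legacy" but summary and description still say "Microsoft Edge", and the "The latest in Microsoft Edge" URL carries a "#C7jCBdbPSG6bCXHr.97" fragment that looks like share-tracking residue and can be dropped.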
diff --git a/windows/client-management/mdm/dmclient-csp.md b/windows/client-management/mdm/dmclient-csp.md
index 9469f12408..6ed30e55f1 100644
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@@ -21,11 +21,15 @@ The following diagram shows the DMClient CSP in tree format.

+
+**./Vendor/MSFT**
+All the nodes in this CSP are supported in the device context, except for the **ExchangeID** node, which is supported in the user context. For the device context, use the **./Device/Vendor/MSFT** path and for the user context, use the **./User/Vendor/MSFT** path.
+
**DMClient**
Root node for the CSP.
**UpdateManagementServiceAddress**
-For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
+For provisioning packages only. Specifies the list of servers (semicolon delimited). The first server in the semicolon-delimited list is the server that will be used to instantiate MDM sessions. The list can be a permutation or a subset of the existing server list. You cannot add new servers to the list using this node.
**HWDevID**
Added in Windows 10, version 1703. Returns the hardware device ID.
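Review bot: The new heading is **./Vendor/MSFT**, yet the paragraph under it tells readers to use **./Device/Vendor/MSFT** or **./User/Vendor/MSFT**, so the bare path in the heading is never explained. State which context the bare ./Vendor/MSFT path resolves to, or replace the heading with the two explicit paths. Since **ExchangeID** is the only user-context node, it would help to repeat that scope in the ExchangeID entry itself so policy authors do not target it under the device path.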
@@ -221,7 +225,7 @@ Added in Windows 10, version 1607. Returns the hardware device ID.
Supported operation is Get.
**Provider/*ProviderID*/CommercialID**
-Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization..
+Added in Windows 10, version 1607. Configures the identifier used to uniquely associate this diagnostic data of this device as belonging to a given organization. If your organization is participating in a program that requires this device to be identified as belonging to your organization then use this setting to provide that identification. The value for this setting will be provided by Microsoft as part of the onboarding process for the program. If you disable or do not configure this policy setting, then Microsoft will not be able to use this identifier to associate this machine and its diagnostic data with your organization.
Supported operations are Add, Get, Replace, and Delete.
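Review bot: Only the doubled period is fixed in the CommercialID description, but the touched sentence still reads "associate this diagnostic data of this device as belonging to a given organization". Since the line is being edited anyway, reword it to something like "associate this device's diagnostic data with a given organization" and add the missing comma before "then use this setting".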
@@ -265,7 +269,7 @@ Supported operations are Add, Delete, Get, and Replace. Value type is integer.
**Provider/*ProviderID*/AADSendDeviceToken**
-Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
+Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
Supported operations are Add, Delete, Get, and Replace. Value type is bool.
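Review bot: The AADSendDeviceToken description says "this will cause the client to send a Device Token" without saying which bool value turns the behaviour on or what the default is. Spell that out, since it changes which identity the enrollment presents when the User Token cannot be obtained. The version string "Windows 10 version 1803" also lacks the comma used elsewhere in this file ("Windows 10, version 1607").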
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index 9969fd5ca2..f378372d1d 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -107,7 +107,7 @@ The following table lists management options for each setting, beginning with Wi
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  |  |
-| [28. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |
+| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
@@ -217,7 +217,7 @@ See the following table for a summary of the management settings for Windows Ser
| [25. Windows Spotlight](#bkmk-spotlight) |  |  |  |
| [26. Microsoft Store](#bkmk-windowsstore) | |  |  |
| [27. Apps for websites](#bkmk-apps-for-websites) | |  | |
-| [28. Windows Update Delivery Optimization](#bkmk-updates) |  |  |  |
+| [28. Delivery Optimization](#bkmk-updates) |  |  |  |
| [29. Windows Update](#bkmk-wu) | |  |  |
## How to configure each setting
@@ -415,7 +415,7 @@ To turn off Insider Preview builds for Windows 10:
### 8. Internet Explorer
> [!NOTE]
->When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/en-us/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
+>When attempting to use Internet Explorer on any edition of Windows Server be aware there are restrictions enforced by [Enhanced Security Configuration (ESC)](https://support.microsoft.com/help/815141/ie-enhanced-security-configuration-changes-browsing-experience). The following Group Policies and Registry Keys are for user interactive scenarios rather than the typical idle traffic scenario. Find the Internet Explorer Group Policy objects under **Computer Configuration > Administrative Templates > Windows Components > Internet Explorer** and make these settings:
| Policy | Description |
|------------------------------------------------------|-----------------------------------------------------------------------------------------------------|
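Review bot: The edited NOTE line still ends with "Find the Internet Explorer Group Policy objects under ... and make these settings:", which is the lead-in to the policy table rather than part of the ESC caveat. Move that sentence out of the blockquote so the table is introduced by body text and the note only carries the warning about Enhanced Security Configuration.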
@@ -1560,7 +1560,7 @@ To turn off Messaging cloud sync:
You can disable Teredo by using Group Policy or by using the netsh.exe command. For more info on Teredo, see [Internet Protocol Version 6, Teredo, and Related Technologies](https://technet.microsoft.com/library/cc722030.aspx).
>[!NOTE]
->If you disable Teredo, some XBOX gaming features and Windows Update Delivery Optimization will not work.
+>If you disable Teredo, some XBOX gaming features and Delivery Optimization (with Group or Internet peering) will not work.
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Network** > **TCPIP Settings** > **IPv6 Transition Technologies** > **Set Teredo State** and set it to **Disabled State**.
@@ -1664,7 +1664,7 @@ You can turn off **Enhanced Notifications** as follows:
### 24.1 Windows Defender SmartScreen
-To disable Windows Defender Smartscreen:
+To disable Windows Defender SmartScreen:
In Group Policy, configure:
@@ -1809,19 +1809,19 @@ You can turn off apps for websites, preventing customers who visit websites that
- Create a new REG_DWORD registry setting named **EnableAppUriHandlers** in **HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\System** with a **value of 0 (zero)**.
-### 28. Windows Update Delivery Optimization
+### 28. Delivery Optimization
-Windows Update Delivery Optimization lets you get Windows updates and Microsoft Store apps from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
+Delivery Optimization is the downloader of Windows updates, Microsoft Store apps, Office and other content from Microsoft. Delivery Optimization can also download from sources in addition to Microsoft, which not only helps when you have a limited or unreliable Internet connection, but can also help you reduce the amount of bandwidth needed to keep all of your organization's PCs up-to-date. If you have Delivery Optimization Peer-to-Peer option turned on, PCs on your network may send and receive updates and apps to other PCs on your local network, if you choose, or to PCs on the Internet.
-By default, PCs running Windows 10 Enterprise and Windows 10 Education will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
+By default, PCs running Windows 10 will only use Delivery Optimization to get and receive updates for PCs and apps on your local network.
Use the UI, Group Policy, or Registry Keys to set up Delivery Optimization.
-In Windows 10 version 1607 and above you can stop network traffic related to Windows Update Delivery Optimization by setting **Download Mode** to **Bypass** (99), as described below.
+In Windows 10 version 1607 and above you can stop network traffic related to Delivery Optimization Cloud Service by setting **Download Mode** to **Simple Mode** (99), as described below.
### 28.1 Settings > Update & security
-You can set up Delivery Optimization from the **Settings** UI.
+You can set up Delivery Optimization Peer-to-Peer from the **Settings** UI.
- Go to **Settings** > **Update & security** > **Windows Update** > **Advanced options** > **Choose how updates are delivered**.
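Review bot: The default-behaviour sentence now says "PCs running Windows 10" where the old text limited the claim to Windows 10 Enterprise and Windows 10 Education; confirm the local-network-only default holds for every edition, because admins read this line to decide whether Internet peers are contacted out of the box. The same sentence keeps "get and receive updates", which looks like it should be "send and receive". Value 99 is also renamed from Bypass to Simple Mode in this hunk, which deserves a mention in the change description so readers matching against the Group Policy UI know it is a naming correction and not a behaviour change.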
@@ -1837,9 +1837,12 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
| Max Cache Size | Lets you specify the maximum cache size as a percentage of disk size.
The default value is 20, which represents 20% of the disk.|
| Max Upload Bandwidth | Lets you specify the maximum upload bandwidth (in KB/second) that a device uses across all concurrent upload activity.
The default value is 0, which means unlimited possible bandwidth.|
+
+For a comprehensive list of Delivery Optimization Policies, see [Delivery Optimization Reference](https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization-reference).
+
### 28.3 Delivery Optimization
-- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Bypass"** to prevent traffic.
+- **Enable** the **Download Mode** Group Policy under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Delivery Optimization** and set the **Download Mode** to **"Simple Mode (99)"** to prevent traffic between peers as well as traffic back to the Delivery Optimization Cloud Service.
-or-
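Review bot: The 28.3 bullet says Simple Mode (99) prevents "traffic between peers as well as traffic back to the Delivery Optimization Cloud Service", while the section 28 intro edited in the previous hunk only says it stops "network traffic related to Delivery Optimization Cloud Service". Align the two statements so it is unambiguous what setting 99 blocks. The formatting differs as well: **Simple Mode** (99) in the intro versus **"Simple Mode (99)"** here.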
@@ -1848,6 +1851,9 @@ You can find the Delivery Optimization Group Policy objects under **Computer Con
For more info about Delivery Optimization in general, see [Windows Update Delivery Optimization: FAQ](https://go.microsoft.com/fwlink/p/?LinkId=730684).
+For IT Professionals, information about Delivery Optimization is available here: [Delivery Optimization for Windows 10 updates]
+(https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization).
+
### 29. Windows Update
You can turn off Windows Update by setting the following registry entries:
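Review bot: The added link is split across two lines, with "[Delivery Optimization for Windows 10 updates]" on one line and "(https://docs.microsoft.com/windows/deployment/update/waas-delivery-optimization)." on the next, so Markdown will not render it as a link. Join the bracket and the parenthesised URL on one line. The unchanged line above still titles the FAQ link "Windows Update Delivery Optimization: FAQ" although the rest of this patch drops the "Windows Update" prefix.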
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 73e8b956b7..73e002c7c2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -27,7 +27,7 @@ ms.reviewer:
## Provisioning
The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop. Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
-
+
The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears. Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index d8eb2ac3ed..9103431811 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -1,6 +1,6 @@
---
title: Configure Hybrid Windows Hello for Business key trust Settings
-description: Configuring Windows Hello for Business settings in hybrid key trust deployment.
+description: Begin the process of configuring your hybrid key trust environment for Windows Hello for Business. Start with your Active Directory configuration.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
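Review bot: The keywords line directly under the edited description lists "certificate-trust" although the title and the new description are about hybrid key trust. Update the keyword to match while the front matter is being touched, otherwise search will surface this page for the certificate trust deployment.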
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 6a70672f7a..5d10205e13 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -1,7 +1,7 @@
---
title: Windows Hello for Business Overview (Windows 10)
ms.reviewer: An overview of Windows Hello for Business
-description: An overview of Windows Hello for Business
+description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
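Review bot: The front matter has "ms.reviewer: An overview of Windows Hello for Business", which is the old description text sitting in the reviewer field. Since this hunk rewrites the description on the next line, clear or correct ms.reviewer in the same change.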
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index c3acaa98e3..3fff407e34 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -1,6 +1,6 @@
---
title: Planning a Windows Hello for Business Deployment
-description: A guide to planning a Windows Hello for Business deployment
+description: Learn about the role of each component within Windows Hello for Business and how certain deployment decisions affect other aspects of your infrastructure.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index 00eddf6eee..c53586ff18 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Videos
-description: Windows Hello for Business Videos
+description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10.
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/images/event358-2.png b/windows/security/identity-protection/hello-for-business/images/event358-2.png
new file mode 100644
index 0000000000..53fd554323
Binary files /dev/null and b/windows/security/identity-protection/hello-for-business/images/event358-2.png differ
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 57238c3214..dd1b6b18e0 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -1,6 +1,6 @@
---
title: Passwordless Strategy
-description: Reducing Password Usage Surface
+description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10.
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10
ms.mktglfcycl: deploy
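Review bot: The new description spells it "password-less", while the title ("Passwordless Strategy") and the keywords ("passwordless") use the unhyphenated form. Use "passwordless" in the description for consistency.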
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index 22355b9383..6b9868b0f0 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,6 +1,6 @@
---
title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10)
-description: Explains how to secure VPN connections for Diffie Hellman Group 2
+description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
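Review bot: The new description drops the "Diffie Hellman Group 2" reference that the old one carried and ends with the generic "to secure connections". Keep the group named in the description so the search snippet tells an admin which key exchange setting this page is about.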
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 9f6f6fa2a5..3fe2c08d57 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -1,6 +1,6 @@
---
title: VPN authentication options (Windows 10)
-description: tbd
+description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 09ca26d20e..29c8f5e474 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -1,6 +1,6 @@
---
title: VPN auto-triggered profile options (Windows 10)
-description: tbd
+description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -61,13 +61,15 @@ When the trigger occurs, VPN tries to connect. If an error occurs or any user in
When a device has multiple profiles with Always On triggers, the user can specify the active profile in **Settings** > **Network & Internet** > **VPN** > *VPN profile* by selecting the **Let apps automatically use this VPN connection** checkbox. By default, the first MDM-configured profile is marked as **Active**. Devices with multiple users have the same restriction: only one profile and therefore only one user will be able to use the Always On triggers.
-Preserving user Always On preference
+## Preserving user Always On preference
-Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value AutoTriggerDisabledProfilesList.
-Should a management tool remove/add the same profile name back and set AlwaysOn to true, Windows will not check the box if the profile name exists in the below registry value in order to preserve user preference.
-Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
-Value: AutoTriggerDisabledProfilesList
-Type: REG_MULTI_SZ
+Windows has a feature to preserve a user’s AlwaysOn preference. In the event that a user manually unchecks the “Connect automatically” checkbox, Windows will remember this user preference for this profile name by adding the profile name to the value **AutoTriggerDisabledProfilesList**.
+
+Should a management tool remove or add the same profile name back and set **AlwaysOn** to **true**, Windows will not check the box if the profile name exists in the following registry value in order to preserve user preference.
+
+**Key:** HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Config
+**Value:** AutoTriggerDisabledProfilesList
+**Type:** REG_MULTI_SZ
## Trusted network detection
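Review bot: Rewording "remove/add" as "remove or add the same profile name back" changes the meaning, because the scenario is a management tool removing the profile and then adding it back; "remove and re-add" would match the intent. The **Key:**, **Value:** and **Type:** lines are consecutive with no blank line or list marker between them, so Markdown will join them into one paragraph; use a list or a small table. The new heading says "Always On" while the body uses "AlwaysOn", and the section would be more useful to admins if it said how the stored preference in AutoTriggerDisabledProfilesList is meant to be cleared.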
diff --git a/windows/security/identity-protection/vpn/vpn-guide.md b/windows/security/identity-protection/vpn/vpn-guide.md
index c72139b6db..cb543ad1cd 100644
--- a/windows/security/identity-protection/vpn/vpn-guide.md
+++ b/windows/security/identity-protection/vpn/vpn-guide.md
@@ -1,6 +1,6 @@
---
title: Windows 10 VPN technical guide (Windows 10)
-description: Use this guide to configure VPN deployment for Windows 10.
+description: Learn about decisions to make for Windows 10 clients in your enterprise VPN solution and how to configure your deployment.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index 5c277ef964..6ff26370e3 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -1,6 +1,6 @@
---
title: VPN name resolution (Windows 10)
-description: tbd
+description: Learn how the name resolution setting in the VPN profile configures how name resolution works when a VPN client connects to a VPN server.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index c8ce525e53..416bc57d04 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -1,6 +1,6 @@
---
title: VPN routing decisions (Windows 10)
-description: tbd
+description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index 0ac0b47d38..d8f4768540 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -1,6 +1,6 @@
---
title: VPN security features (Windows 10)
-description: tbd
+description: Learn about security features for VPN, including LockDown VPN, Windows Information Protection integration with VPN, and traffic filters.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 21fcd6cdfd..78eb7b7715 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -1,6 +1,6 @@
---
title: BitLocker Management Recommendations for Enterprises (Windows 10)
-description: This topic explains recommendations for managing BitLocker.
+description: Refer to relevant documentation, products, and services to learn about managing BitLocker for enterprises and see recommendations for different computers.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 6ea046a8f3..2d8554f52b 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -84,11 +84,15 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
1. Launch MSINFO32.exe in a command prompt, or in the Windows search bar.
2. Check the value of **Kernel DMA Protection**.

-3. If the current state of **Kernel DMA Protection** is OFF and **Virtualization Technology in Firmware** is NO:
+3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
- Reboot into BIOS settings
- Turn on Intel Virtualization Technology.
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- Reboot system into Windows 10.
+
+>[!NOTE]
+> **Hyper-V - Virtualization Enabled in Firmware** is NOT shown when **A hypervisor has been detected. Features required for Hyper-V will not be displayed.** is shown because this means that **Hyper-V - Virtualization Enabled in Firmware** is YES.
+
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
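Review bot: the new `>[!NOTE]` block starts at column 0 between the sub-steps of step 3 and step 4, which ends the numbered list in Markdown, and it lacks the space after `>` that the other converted notes in this change use (`> [!NOTE]`). Indent it so it belongs to step 3. The note also stops short of an instruction: step 3 is conditioned on **Hyper-V - Virtualization Enabled in Firmware** being NO, so when that row is hidden because a hypervisor was detected, state that step 3 does not apply and the reader continues at step 4. Splitting the sentence in two would read better than the chained "is NOT shown when ... is shown because this means that ... is YES". The sub-steps still name only the Intel firmware settings, which is worth a look now that the condition uses the vendor-neutral Hyper-V label.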
diff --git a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
index b062a6e72b..505da9bbb0 100644
--- a/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
+++ b/windows/security/threat-protection/auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md
@@ -1,6 +1,6 @@
---
title: Appendix A, Security monitoring recommendations for many audit events (Windows 10)
-description: Appendix A, Security monitoring recommendations for many audit events
+description: Learn about recommendations for the type of monitoring required for certain classes of security audit events.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
index f6d870f605..9adb4cfd74 100644
--- a/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
+++ b/windows/security/threat-protection/auditing/audit-other-privilege-use-events.md
@@ -1,6 +1,6 @@
---
title: Audit Other Privilege Use Events (Windows 10)
-description: This security policy setting is not used.
+description: Learn about the audit other privilege use events, an auditing subcategory that should not have any events in it but enables generation of event 4985(S).
ms.assetid: 5f7f5b25-42a6-499f-8aa2-01ac79a2a63c
ms.reviewer:
manager: dansimp
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index 1e73acf50d..3856637432 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -1,6 +1,6 @@
---
title: Basic security audit policies (Windows 10)
-description: Before you implement auditing, you must decide on an auditing policy.
+description: Learn about basic security audit policies that specify the categories of security-related events that you want to audit for the needs of your organization.
ms.assetid: 3B678568-7AD7-4734-9BB4-53CF5E04E1D3
ms.reviewer:
ms.author: dansimp
diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
index 22a7d07d71..5f0730407d 100644
--- a/windows/security/threat-protection/auditing/event-4608.md
+++ b/windows/security/threat-protection/auditing/event-4608.md
@@ -1,6 +1,6 @@
---
title: 4608(S) Windows is starting up. (Windows 10)
-description: Describes security event 4608(S) Windows is starting up.
+description: Describes security event 4608(S) Windows is starting up. This event is logged when the LSASS.EXE process starts and the auditing subsystem is initialized.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-
+
***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
@@ -30,12 +30,13 @@ This event is logged when LSASS.EXE process starts and the auditing subsystem is
It typically generates during operating system startup process.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
-```
+```xml
-
-
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
index 9231f28b82..0490e0ae3e 100644
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ b/windows/security/threat-protection/auditing/event-4615.md
@@ -1,6 +1,6 @@
---
title: 4615(S) Invalid use of LPC port. (Windows 10)
-description: Describes security event 4615(S) Invalid use of LPC port.
+description: Describes security event 4615(S) Invalid use of LPC port. It appears that the Invalid use of LPC port event never occurs.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
index 8681a67e8f..3f700f0719 100644
--- a/windows/security/threat-protection/auditing/event-4616.md
+++ b/windows/security/threat-protection/auditing/event-4616.md
@@ -1,6 +1,6 @@
---
title: 4616(S) The system time was changed. (Windows 10)
-description: Describes security event 4616(S) The system time was changed.
+description: Describes security event 4616(S) The system time was changed. This event is generated every time system time is changed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-
+
***Subcategory:*** [Audit Security State Change](audit-security-state-change.md)
@@ -32,12 +32,13 @@ This event is always logged regardless of the "Audit Security State Change" sub-
You will typically see these events with “**Subject\\Security ID**” = “**LOCAL SERVICE**”, these are normal time correction actions.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
-```
+```xml
-
-
@@ -87,7 +88,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L
- **Security ID** \[Type = SID\]**:** SID of account that requested the “change system time” operation. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
+ > [!NOTE]
+ > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that requested the “change system time” operation.
@@ -161,7 +163,8 @@ You will typically see these events with “**Subject\\Security ID**” = “**L
For 4616(S): The system time was changed.
-> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+> [!IMPORTANT]
+> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- Report all “**Subject\\Security ID**” not equals **“LOCAL SERVICE”**, which means that the time change was not made not by Windows Time service.
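Review bot: the unchanged bullet directly below the new `> [!IMPORTANT]` block still reads "which means that the time change was not made not by Windows Time service", a double negative that reverses the meaning of the recommendation. Since this hunk already touches the section, fix it in the same change, for example "Report all **Subject\\Security ID** values not equal to **LOCAL SERVICE**, which means that the time change was not made by the Windows Time service."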
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index 08fcff8219..84cf52d450 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -1,6 +1,6 @@
---
title: 4625(F) An account failed to log on. (Windows 10)
-description: Describes security event 4625(F) An account failed to log on.
+description: Describes security event 4625(F) An account failed to log on. This event is generated if an account logon attempt failed for a locked out account.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
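Review bot: the new description says the event "is generated if an account logon attempt failed for a locked out account", which is narrower than the title "An account failed to log on" and than the rest of this file, where Table 12 and the monitoring table cover bad user name, bad password, disabled account, expired account and unauthorized workstation. A reader who sees only the search-result description could conclude that 4625 is irrelevant to password-guessing detection. Either describe the event as any failed logon, or keep the locked-out wording but qualify it the way the body does ("typically").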
@@ -20,7 +20,7 @@ ms.author: dansimp
- Windows Server 2016
-
+
***Subcategories:*** [Audit Account Lockout](audit-account-lockout.md) and [Audit Logon](audit-logon.md)
@@ -32,12 +32,13 @@ It generates on the computer where logon attempt was made, for example, if logon
This event generates on domain controllers, member servers, and workstations.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
-```
+```xml
-
-
@@ -93,7 +94,8 @@ This event generates on domain controllers, member servers, and workstations.
- **Security ID** \[Type = SID\]**:** SID of account that reported information about logon failure. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
+ > [!NOTE]
+ > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that reported information about logon failure.
@@ -109,27 +111,30 @@ This event generates on domain controllers, member servers, and workstations.
- For local user accounts, this field will contain the name of the computer or device that this account belongs to, for example: “Win81”.
-**Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
+- **Logon Type** \[Type = UInt32\]**:** the type of logon which was performed. “Table 11. Windows Logon Types” contains the list of possible values for this field.
-| Logon Type | Logon Title | Description |
-|-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 2 | Interactive | A user logged on to this computer. |
-| 3 | Network | A user or computer logged on to this computer from the network. |
-| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
-| 5 | Service | A service was started by the Service Control Manager. |
-| 7 | Unlock | This workstation was unlocked. |
-| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
-| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
-| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
-| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
-> Table: Windows Logon Types
+ **Table 11: Windows Logon Types**
+
+ | Logon Type | Logon Title | Description |
+ |-----------------------------------------------------------------|-------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+ | 2 | Interactive | A user logged on to this computer. |
+ | 3 | Network | A user or computer logged on to this computer from the network. |
+ | 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention. |
+ | 5 | Service | A service was started by the Service Control Manager. |
+ | 7 | Unlock | This workstation was unlocked. |
+ | 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext). |
+ | 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections. |
+ | 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop. |
+ | 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials. |
+
**Account For Which Logon Failed:**
- **Security ID** \[Type = SID\]**:** SID of the account that was specified in the logon attempt. Event Viewer automatically tries to resolve SIDs and show the account name. If the SID cannot be resolved, you will see the source data in the event.
-> **Note** A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
+ > [!NOTE]
+ > A **security identifier (SID)** is a unique value of variable length used to identify a trustee (security principal). Each account has a unique SID that is issued by an authority, such as an Active Directory domain controller, and stored in a security database. Each time a user logs on, the system retrieves the SID for that user from the database and places it in the access token for that user. The system uses the SID in the access token to identify the user in all subsequent interactions with Windows security. When a SID has been used as the unique identifier for a user or group, it cannot ever be used again to identify another user or group. For more information about SIDs, see [Security identifiers](/windows/access-protection/access-control/security-identifiers).
- **Account Name** \[Type = UnicodeString\]**:** the name of the account that was specified in the logon attempt.
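Review bot: the table reference and the new caption do not match. The **Logon Type** bullet still says “Table 11. Windows Logon Types” in quotation marks, the caption added under it is **Table 11: Windows Logon Types**, and the Status hunk further down drops the quotation marks for Table 12. Use one form for both tables. Also check that the indented caption, table and `> [!NOTE]` blocks line up with the text of their bullets, otherwise they render outside the list item they were moved under.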
@@ -151,35 +156,36 @@ This event generates on domain controllers, member servers, and workstations.
- **Failure Reason** \[Type = UnicodeString\]**:** textual explanation of **Status** field value. For this event it typically has “**Account locked out**” value.
-- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in “Table 12. Windows logon status codes.”
+- **Status** \[Type = HexInt32\]**:** the reason why logon failed. For this event it typically has “**0xC0000234**” value. The most common status codes are listed in Table 12. Windows logon status codes.
-| Status\\Sub-Status Code | Description |
-|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0XC000005E | There are currently no logon servers available to service the logon request. |
-| 0xC0000064 | User logon with misspelled or bad user account |
-| 0xC000006A | User logon with misspelled or bad password |
-| 0XC000006D | This is either due to a bad username or authentication information |
-| 0XC000006E | Unknown user name or bad password. |
-| 0xC000006F | User logon outside authorized hours |
-| 0xC0000070 | User logon from unauthorized workstation |
-| 0xC0000071 | User logon with expired password |
-| 0xC0000072 | User logon to account disabled by administrator |
-| 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
-| 0XC0000133 | Clocks between DC and other computer too far out of sync |
-| 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
-| 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
-| 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |
-| 0xC0000193 | User logon with expired account |
-| 0XC0000224 | User is required to change password at next logon |
-| 0XC0000225 | Evidently a bug in Windows and not a risk |
-| 0xC0000234 | User logon with account locked |
-| 0XC00002EE | Failure Reason: An Error occurred during Logon |
-| 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
-| 0x0 | Status OK. |
+ **Table 12: Windows logon status codes.**
-> Table: Windows logon status codes.
->
-> **Note** To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK.
+ | Status\\Sub-Status Code | Description |
+ |-------------------------|------------------------------------------------------------------------------------------------------|
+ | 0XC000005E | There are currently no logon servers available to service the logon request. |
+ | 0xC0000064 | User logon with misspelled or bad user account |
+ | 0xC000006A | User logon with misspelled or bad password |
+ | 0XC000006D | This is either due to a bad username or authentication information |
+ | 0XC000006E | Unknown user name or bad password. |
+ | 0xC000006F | User logon outside authorized hours |
+ | 0xC0000070 | User logon from unauthorized workstation |
+ | 0xC0000071 | User logon with expired password |
+ | 0xC0000072 | User logon to account disabled by administrator |
+ | 0XC00000DC | Indicates the Sam Server was in the wrong state to perform the desired operation. |
+ | 0XC0000133 | Clocks between DC and other computer too far out of sync |
+ | 0XC000015B | The user has not been granted the requested logon type (aka logon right) at this machine |
+ | 0XC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed. |
+ | 0XC0000192 | An attempt was made to logon, but the N**etlogon** service was not started. |
+ | 0xC0000193 | User logon with expired account |
+ | 0XC0000224 | User is required to change password at next logon |
+ | 0XC0000225 | Evidently a bug in Windows and not a risk |
+ | 0xC0000234 | User logon with account locked |
+ | 0XC00002EE | Failure Reason: An Error occurred during Logon |
+ | 0XC0000413 | Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine. |
+ | 0x0 | Status OK. |
+
+> [!NOTE]
+> To see the meaning of other status\\sub-status codes you may also check for status code in the Window header file ntstatus.h in Windows SDK.
More information:
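Review bot: every row of the status table is rewritten here for indentation, yet the defects in the old rows are carried over unchanged: the 0XC0000192 row still has the stray bold in "N**etlogon**", and the codes mix `0X` and `0x` prefixes (0XC000005E next to 0xC0000064), which breaks case-sensitive searches for a status code. Normalise the prefix to `0x` and fix the bold while the rows are being touched. Two smaller points in the same hunk: the `> [!NOTE]` after the table is added at column 0 while the table is indented under the **Status** bullet, so the note will fall outside the list item, and its text still says "the Window header file ntstatus.h" (should be "Windows"). With the quotation marks removed, "listed in Table 12. Windows logon status codes." now reads as two sentences; "listed in Table 12: Windows logon status codes." matches the new caption.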
@@ -187,7 +193,7 @@ More information:
**Process Information:**
-- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
+- **Caller Process ID** \[Type = Pointer\]: hexadecimal Process ID of the process that attempted the logon. Process ID (PID) is a number used by the operating system to uniquely identify an active process. To see the PID for a specific process you can, for example, use Task Manager (Details tab, PID column):
@@ -241,7 +247,8 @@ More information:
For 4625(F): An account failed to log on.
-> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
+> [!IMPORTANT]
+> For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
- If you have a pre-defined “**Process Name**” for the process reported in this event, monitor all events with “**Process Name**” not equal to your defined value.
@@ -277,17 +284,17 @@ For 4625(F): An account failed to log on.
- Monitor for all events with the fields and values in the following table:
-| **Field** | Value to monitor for |
-|----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. |
-| **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
+ | **Field** | Value to monitor for |
+ |----------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000005E – “There are currently no logon servers available to service the logon request.”
This is typically not a security issue but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000064 – “User logon with misspelled or bad user account”.
Especially if you get a number of these in a row, it can be a sign of user enumeration attack. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006A – “User logon with misspelled or bad password” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000006D – “This is either due to a bad username or authentication information” for critical accounts or service accounts.
Especially watch for a number of such events in a row. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC000006F – “User logon outside authorized hours”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000070 – “User logon from unauthorized workstation”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000072 – “User logon to account disabled by administrator”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC000015B – “The user has not been granted the requested logon type (aka logon right) at this machine”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000192 – “An attempt was made to logon, but the Netlogon service was not started”.
This is typically not a security issue but it can be an infrastructure or availability issue. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0xC0000193 – “User logon with expired account”. |
+ | **Failure Information\\Status** or
**Failure Information\\Sub Status** | 0XC0000413 – “Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine”. |
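Review bot: The hex prefix is inconsistent across the added status rows: 0XC000005E, 0XC000006D, 0XC000015B, 0XC0000192 and 0XC0000413 are written with an uppercase `0X`, while 0xC0000064, 0xC000006A, 0xC000006F, 0xC0000070, 0xC0000072 and 0xC0000193 use `0x`. A case-sensitive search or a detection rule copied from this table may not match the uppercase rows, so please normalize all of them to `0x`. Separately, the 0xC000006A and 0XC000006D rows both say "Especially watch for a number of such events in a row" without saying what that indicates, whereas the 0xC0000064 row names user enumeration; a short clause on what the repeated failures suggest would make the two rows actionable.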
diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
index 8f16436956..200a5cd47a 100644
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@@ -13,6 +13,7 @@ ms.author: deniseb
ms.custom: nextgen
ms.reviewer:
manager: dansimp
+ms.date: 08/26/2020
---
# Microsoft Defender Antivirus compatibility
@@ -26,7 +27,7 @@ manager: dansimp
Microsoft Defender Antivirus is automatically enabled and installed on endpoints and devices that are running Windows 10. But what happens when another antivirus/antimalware solution is used? It depends on whether you're using [Microsoft Defender ATP](https://docs.microsoft.com/windows/security/threat-protection) together with your antivirus protection.
- If your organization's endpoints and devices are protected with a non-Microsoft antivirus/antimalware solution, and Microsoft Defender ATP is not used, then Microsoft Defender Antivirus automatically goes into disabled mode.
- If your organization is using Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) together with a non-Microsoft antivirus/antimalware solution, then Microsoft Defender Antivirus automatically goes into passive mode. (Real-time protection and threats are not remediated by Microsoft Defender Antivirus.)
-- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in private preview) enabled, then Microsoft Defender Antivirus runs in the background and blocks/remediates malicious items that are detected, such as during a post-breach attack.
+- If your organization is using Microsoft Defender ATP together with a non-Microsoft antivirus/antimalware solution, and you have [EDR in block mode](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode) (currently in preview) enabled, then whenever a malicious artifact is detected, Microsoft Defender ATP takes action to block and remediate the artifact.
## Antivirus and Microsoft Defender ATP
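Review bot: The rewritten third bullet no longer says what state Microsoft Defender Antivirus is in, which is the question this list answers ("what happens when another antivirus/antimalware solution is used?"). The first two bullets name a mode (disabled, passive), and the removed text said Defender Antivirus "runs in the background"; the new text only says that "Microsoft Defender ATP takes action to block and remediate the artifact". Please state the Defender Antivirus mode for the EDR in block mode case as well, so readers can tell which component is performing the remediation. The change from "private preview" to "preview" looks intentional but is worth confirming against the linked EDR in block mode page.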
diff --git a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
index 18707f606c..a25c911a4f 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet.md
@@ -150,7 +150,7 @@ Microsoft Defender ATP is built on Azure cloud, deployed in the following region
- \+\
- \+\
-You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/en-us/download/details.aspx?id=41653).
+You can find the Azure IP range on [Microsoft Azure Datacenter IP Ranges](https://www.microsoft.com/download/details.aspx?id=56519).
> [!NOTE]
> As a cloud-based solution, the IP range can change. It's recommended you move to DNS resolving setting.
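Review bot: The link target changes from download id 41653 to 56519 and drops the `en-us` locale, but the link text "Microsoft Azure Datacenter IP Ranges" is unchanged. Please confirm the text still matches the title of the new download page and update it if not, since readers building firewall or proxy allow lists will search for the file by that name. The NOTE below already says the range can change, so it would also help to say how often the published list should be re-checked.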
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index 7367f5ccb6..c82f6bfdb6 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -30,36 +30,31 @@ If you can reproduce a problem, increase the logging level, run the system for s
1. Increase logging level:
```bash
- mdatp --log-level verbose
+ mdatp log level set --level verbose
```
```Output
- Creating connection to daemon
- Connection established
- Operation succeeded
+ Log level configured successfully
```
2. Reproduce the problem
-3. Run `sudo mdatp --diagnostic --create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
+3. Run `sudo mdatp diagnostic create` to back up Microsoft Defender ATP's logs. The files will be stored inside a .zip archive. This command will also print out the file path to the backup after the operation succeeds.
```bash
- sudo mdatp --diagnostic --create
+ sudo mdatp diagnostic create
```
```Output
- Creating connection to daemon
- Connection established
+ Diagnostic file created: "/Library/Application Support/Microsoft/Defender/wdavdiag/932e68a8-8f2e-4ad0-a7f2-65eb97c0de01.zip"
```
4. Restore logging level:
```bash
- mdatp --log-level info
+ mdatp log level set --level info
```
```Output
- Creating connection to daemon
- Connection established
- Operation succeeded
+ Log level configured successfully
```
## Logging installation issues
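Review bot: Steps 1, 3 and 4 replace the old `mdatp --log-level` and `mdatp --diagnostic --create` syntax outright, with no statement of which product version introduced `mdatp log level set --level` and `mdatp diagnostic create`. Someone troubleshooting an older install will follow these steps and get an error at step 1, so please add a one-line note naming the minimum version, or keep the old form as a fallback. Minor: the sample output in step 3 shows a specific file name (932e68a8-...zip); a placeholder such as [diagnostic-id].zip would make it clear that the path differs on every run.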
@@ -85,30 +80,32 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Note that wh
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
-|Group |Scenario |Command |
-|-------------|-------------------------------------------|-----------------------------------------------------------------------|
-|Configuration|Turn on/off real-time protection |`mdatp --config realTimeProtectionEnabled [true/false]` |
-|Configuration|Turn on/off cloud protection |`mdatp --config cloudEnabled [true/false]` |
-|Configuration|Turn on/off product diagnostics |`mdatp --config cloudDiagnosticEnabled [true/false]` |
-|Configuration|Turn on/off automatic sample submission |`mdatp --config cloudAutomaticSampleSubmission [true/false]` |
-|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
-|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
-|Configuration|List all allowed threat names |`mdatp threat allowed list` |
-|Configuration|Turn on PUA protection |`mdatp --threat --type-handling potentially_unwanted_application block`|
-|Configuration|Turn off PUA protection |`mdatp --threat --type-handling potentially_unwanted_application off` |
-|Configuration|Turn on audit mode for PUA protection |`mdatp --threat --type-handling potentially_unwanted_application audit`|
-|Configuration|Turn on/off passiveMode |`mdatp --config passiveMode [on/off]` |
-|Diagnostics |Change the log level |`mdatp --log-level [error/warning/info/verbose]` |
-|Diagnostics |Generate diagnostic logs |`mdatp --diagnostic --create` |
-|Health |Check the product's health |`mdatp --health` |
-|Protection |Scan a path |`mdatp --scan --path [path]` |
-|Protection |Do a quick scan |`mdatp --scan --quick` |
-|Protection |Do a full scan |`mdatp --scan --full` |
-|Protection |Cancel an ongoing on-demand scan |`mdatp --scan --cancel` |
-|Protection |Request a security intelligence update |`mdatp --definition-update` |
-|EDR |Turn on/off EDR preview for Mac |`mdatp --edr --early-preview [true/false]` OR `mdatp --edr --earlyPreview [true/false]` for versions earlier than 100.78.0 |
-|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
-|EDR |Remove group tag from device |`mdatp --edr --remove-tag [name]` |
+|Group |Scenario |Command |
+|-------------|-------------------------------------------|----------------------------------------------------------------------------------|
+|Configuration|Turn on/off real-time protection |`mdatp config real-time-protection [enabled/disabled]` |
+|Configuration|Turn on/off cloud protection |`mdatp config cloud --value [enabled/disabled]` |
+|Configuration|Turn on/off product diagnostics |`mdatp config cloud-diagnostic --value [enabled/disabled]` |
+|Configuration|Turn on/off automatic sample submission |`mdatp config cloud-automatic-sample-submission --value [enabled/disabled]` |
+|Configuration|Add a threat name to the allowed list |`mdatp threat allowed add --name [threat-name]` |
+|Configuration|Remove a threat name from the allowed list |`mdatp threat allowed remove --name [threat-name]` |
+|Configuration|List all allowed threat names |`mdatp threat allowed list` |
+|Configuration|Turn on PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action block` |
+|Configuration|Turn off PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action off` |
+|Configuration|Turn on audit mode for PUA protection |`mdatp threat policy set --type potentially_unwanted_application -- action audit` |
+|Configuration|Turn on/off passiveMode |`mdatp config passive-mode --value enabled [enabled/disabled]` |
+|Diagnostics |Change the log level |`mdatp log level set --level [error/warning/info/verbose]` |
+|Diagnostics |Generate diagnostic logs |`mdatp diagnostic create` |
+|Health |Check the product's health |`mdatp health` |
+|Health |Check for a spefic product attribute |`mdatp health --field [attribute: healthy/licensed/engine_version...]` |
+|Protection |Scan a path |`mdatp scan custom --path [path]` |
+|Protection |Do a quick scan |`mdatp scan quick` |
+|Protection |Do a full scan |`mdatp scan full` |
+|Protection |Cancel an ongoing on-demand scan |`mdatp scan cancel` |
+|Protection |Request a security intelligence update |`mdatp definitions update` |
+|EDR |Turn on/off EDR preview for Mac |`mdatp edr early-preview [enabled/disabled]` |
+|EDR |Add group tag to device. EDR tags are used for managing device groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp edr tag set --name GROUP --value [name]` |
+|EDR |Remove group tag from device |`mdatp edr tag remove --tag-name [name]` |
+|EDR |Add Group Id |`mdatp edr group-ids --group-id [group]` |
### How to enable autocompletion
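Review bot: Several commands in the new table look malformed and would fail if copied. The three PUA rows use `-- action block`, `-- action off` and `-- action audit` with a space after `--`, which most argument parsers treat as the end-of-options marker; this should presumably be `--action`. The passive mode row reads `mdatp config passive-mode --value enabled [enabled/disabled]`, with a stray literal `enabled` before the placeholder. The real-time protection row, `mdatp config real-time-protection [enabled/disabled]`, omits the `--value` that every other `config` row uses; please confirm which form is correct. "spefic" in the new Health row should be "specific". The EDR preview row also drops the old note about versions earlier than 100.78.0 without a replacement, and the new `mdatp edr group-ids --group-id [group]` row gives no indication of what a group ID is or how it differs from the group tag two rows above. Finally, the Diagnostics row lists `mdatp diagnostic create` without `sudo`, while step 3 of the logging procedure in the same file uses `sudo mdatp diagnostic create`; the two should agree.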