mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-23 22:33:41 +00:00
Merge branch 'main' into pm-20221228-whatsnew-fix
@ -94,7 +94,7 @@ sections:
|
||||
|
||||
- question: Can I use a convenience PIN with Azure Active Directory?
|
||||
answer: |
|
||||
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. Convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
|
||||
It's currently possible to set a convenience PIN on Azure Active Directory Joined or Hybrid Active Directory Joined devices. However, convenience PIN isn't supported for Azure Active Directory user accounts (synchronized identities included). It's only supported for on-premises Domain Joined users and local account users.
|
||||
|
||||
- question: Can I use an external Windows Hello compatible camera when my computer has a built-in Windows Hello compatible camera?
|
||||
answer: |
|
||||
|
@ -35,6 +35,11 @@ Starting with Windows 10 version 1703, the enablement of BitLocker can be trigge
|
||||
|
||||
For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if necessary. For older devices that aren't yet encrypted, beginning with Windows 10 version 1703, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD. This process and feature is applicable to Azure Hybrid AD as well.
|
||||
|
||||
> [!NOTE]
|
||||
> To manage Bitlocker, except to enable and disable it, one of the following licenses must be assigned to your users:
|
||||
> - Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, and E5).
|
||||
> - Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 and A5).
|
||||
|
||||
## Managing workplace-joined PCs and phones
|
||||
|
||||
For Windows PCs and Windows Phones that are enrolled using **Connect to work or school account**, BitLocker Device Encryption is managed over MDM, the same as devices joined to Azure AD.
|
||||
|
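Review bot: In the added NOTE, "Bitlocker" should be "BitLocker", matching the product name used in the surrounding text ("BitLocker Device Encryption", "BitLocker CSP"). The clause "To manage Bitlocker, except to enable and disable it" is also hard to parse; consider "Managing BitLocker beyond enabling or disabling it requires one of the following licenses".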
@ -48,11 +48,11 @@ ms.date: 12/13/2022
|
||||
|
||||
- [Windows Error Reporting (WER) disabled/User-mode crash dumps disabled](/windows/client-management/mdm/policy-csp-errorreporting#errorreporting-disablewindowserrorreporting)
|
||||
|
||||
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
|
||||
Disabling Windows Error Reporting prevents user-mode crash dumps. User-mode crash dumps can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable user-mode crash dumps. For more information on disabling crash dumps via Intune, see [Disable Windows Error Reporting (WER)/Disable user-mode crash dumps](configure-pde-in-intune.md#disable-windows-error-reporting-werdisable-user-mode-crash-dumps).
|
||||
|
||||
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
|
||||
|
||||
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
|
||||
Hibernation files can potentially cause the keys used by PDE to protect content to be exposed. For greatest security, disable hibernation. For more information on disabling crash dumps via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
|
||||
|
||||
- [Allowing users to select when a password is required when resuming from connected standby disabled](/windows/client-management/mdm/policy-csp-admx-credentialproviders#admx-credentialproviders-allowdomaindelaylock)
|
||||
|
||||
|
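Review bot: The rewritten hibernation sentence still reads "For more information on disabling crash dumps via Intune, see [Disable hibernation]", so the typo fix carried the copy-paste from the WER bullet forward. It should say "disabling hibernation" to match the link target `configure-pde-in-intune.md#disable-hibernation`.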
@ -20,8 +20,9 @@ ms.date: 12/31/2017
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
- Windows Server 2022
|
||||
- Windows Server 2019
|
||||
- Windows Server 2016
|
||||
|
||||
This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
|
||||
|
||||
@ -74,15 +75,14 @@ Some things that you can check on the device are:
|
||||
- Is SecureBoot supported and enabled?
|
||||
|
||||
> [!NOTE]
|
||||
> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
|
||||
> Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019 support Device Health Attestation with TPM 2.0. Support for TPM 1.2 was added beginning with Windows 10, version 1607. TPM 2.0 requires UEFI firmware. A computer with legacy BIOS and TPM 2.0 won't work as expected.
|
||||
|
||||
## Supported versions for device health attestation
|
||||
|
||||
| TPM version | Windows 11 | Windows 10 | Windows Server 2016 | Windows Server 2019 |
|
||||
|-------------|-------------|-------------|---------------------|---------------------|
|
||||
| TPM 1.2 | | >= ver 1607 | >= ver 1607 | Yes |
|
||||
| TPM 2.0 | Yes | Yes | Yes | Yes |
|
||||
|
||||
| TPM version | Windows 11 | Windows 10 | Windows Server 2022 | Windows Server 2019 | Windows Server 2016 |
|
||||
|-------------|-------------|-------------|---------------------|---------------------|---------------------|
|
||||
| TPM 1.2 | | >= ver 1607 | | Yes | >= ver 1607 |
|
||||
| TPM 2.0 | **Yes** | **Yes** | **Yes** | **Yes** | **Yes** |
|
||||
|
||||
## Related topics
|
||||
|
||||
|
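Review bot: The NOTE above the table still lists only "Windows 11, Windows 10, Windows Server 2016, and Windows Server 2019", while the new table adds a Windows Server 2022 column with TPM 2.0 marked Yes. Add Windows Server 2022 to the NOTE so the two agree. The TPM 1.2 cells for Windows 11 and Windows Server 2022 are blank, which leaves "not supported" and "not documented" indistinguishable; write the intended value explicitly. The bold **Yes** in the TPM 2.0 row is also inconsistent with the plain Yes in the TPM 1.2 row.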
@ -171,4 +171,8 @@ Resource SACLs are also useful for diagnostic scenarios. For example, administra
|
||||
|
||||
This category includes the following subcategories:
|
||||
- [File System (Global Object Access Auditing)](file-system-global-object-access-auditing.md)
|
||||
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
|
||||
- [Registry (Global Object Access Auditing)](registry-global-object-access-auditing.md)
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
|
||||
|
@ -38,6 +38,6 @@ Basic security audit policy settings are found under Computer Configuration\\Win
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Basic security audit policy settings](basic-security-audit-policy-settings.md)
|
||||
- [Advanced security audit policy settings](advanced-security-audit-policy-settings.md)
|
||||
|
||||
|
||||
|
@ -158,15 +158,15 @@ This event generates only if Success auditing is enabled for the [Audit Handle M
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same the **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
|
||||
- **Transaction ID** \[Type = GUID\]: unique GUID of the transaction. This field can help you correlate this event with other events that might contain the same **Transaction ID**, such as “[4660](event-4660.md)(S): An object was deleted.”
|
||||
|
||||
This parameter might not be captured in the event, and in that case appears as “{00000000-0000-0000-0000-000000000000}”.
|
||||
|
||||
> **Note** **GUID** is an acronym for 'Globally Unique Identifier'. It is a 128-bit integer number used to identify resources, activities or instances.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about SAM object access right use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Privileges Used for Access Check** \[Type = UnicodeString\]: the list of user privileges which were used during the operation, for example, SeBackupPrivilege. This parameter might not be captured in the event, and in that case appears as “-”. See full list of user privileges in the table below:
|
||||
|
||||
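Review bot: The updated **Accesses** and **Access Mask** bullets still end with "For information about SAM object access right use <https://technet.microsoft.com/>", which points at a site root rather than a page about SAM access rights, and reads "access right" where "access rights" is meant. Since these lines are already being touched to replace the "Table 13" reference, replace the bare URL with a specific article or drop the sentence.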
@ -218,4 +218,4 @@ For 4661(S, F): A handle to an object was requested.
|
||||
|
||||
> **Important** For this event, also see [Appendix A: Security monitoring recommendations for many audit events](appendix-a-security-monitoring-recommendations-for-many-audit-events.md).
|
||||
|
||||
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
|
||||
- You can get almost the same information from “[4662](event-4662.md): An operation was performed on an object.” There are no additional recommendations for this event in this document.
|
||||
|
@ -126,12 +126,12 @@ These events are generated for [ALPC Ports](/windows/win32/etw/alpc) access requ
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. “Table 13. File access codes.” contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights which were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) contains information about the most common access rights for file system objects. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. See “Table 13. File access codes.” for more information about file access rights. For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
- **Access Mask** \[Type = HexInt32\]: hexadecimal mask for the operation that was requested or performed. For more information about file access rights, see [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes). For information about ALPC ports access rights, use <https://technet.microsoft.com/> or other informational resources.
|
||||
|
||||
## Security Monitoring Recommendations
|
||||
|
||||
For 4691(S): Indirect access to an object was requested.
|
||||
|
||||
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
|
||||
- Typically this event has little to no security relevance and is hard to parse or analyze. There is no recommendation for this event, unless you know exactly what you need to monitor with ALPC Ports.
|
||||
|
@ -133,7 +133,7 @@ This event generates once per session, when first access attempt was made.
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights. Has always “**0x1**” value for this event.
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights. It always has “**0x1**” value for this event.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**. Has always “**ReadData (or ListDirectory)**” value for this event.
|
||||
|
||||
|
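Review bot: The **Access Mask** bullet was corrected to "It always has", but the **Accesses** bullet directly below it still reads "Has always “**ReadData (or ListDirectory)**” value for this event." Apply the same wording fix there so the two bullets match.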
@ -135,7 +135,7 @@ This event generates every time network share object (file or folder) was access
|
||||
|
||||
**Access Request Information:**
|
||||
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See “Table 13. File access codes.” for different hexadecimal values for access rights.
|
||||
- **Access Mask** \[Type = HexInt32\]: the sum of hexadecimal values of requested access rights. See [Table of file access codes](/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes) for different hexadecimal values for access rights.
|
||||
|
||||
- **Accesses** \[Type = UnicodeString\]: the list of access rights that were requested by **Subject\\Security ID**. These access rights depend on **Object Type**.
|
||||
|
||||
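Review bot: The new link target `/windows/security/threat-protection/auditing/event-5145#table-of-file-access-codes` is an absolute site path, while other cross-references in this change use relative file links such as `event-4660.md`. If this hunk is in event-5145.md, as the "For 5145(S, F)" context of the next hunk suggests, the in-page anchor `#table-of-file-access-codes` is enough and survives a path move.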
@ -319,4 +319,4 @@ For 5145(S, F): A network share object was checked to see whether client can be
|
||||
|
||||
- WRITE\_DAC
|
||||
|
||||
- WRITE\_OWNER
|
||||
- WRITE\_OWNER
|
||||
|
@ -82,7 +82,7 @@ Application Guard functionality is turned off by default. However, you can quick
|
||||
3. Type the following command:
|
||||
|
||||
```
|
||||
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
|
||||
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
|
||||
```
|
||||
4. Restart the device.
|
||||
|
||||
|
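Review bot: The code fence around the corrected `Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard` line has no language tag, while the Windows Sandbox hunks in this change use a `powershell` tag. Add the tag here as well so the command is highlighted and labelled consistently.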
@ -22,6 +22,7 @@ ms.technology: itpro-security
|
||||
# Account lockout duration
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Account lockout duration** security policy setting.
|
||||
|
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Account Lockout Policy
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the Account Lockout Policy settings and links to information about each policy setting.
|
||||
|
@ -22,6 +22,7 @@ ms.technology: itpro-security
|
||||
# Account lockout threshold
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Account lockout threshold** security policy setting.
|
||||
|
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Account Policies
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
An overview of account policies in Windows and provides links to policy descriptions.
|
||||
|
@ -94,7 +94,7 @@ The Security Compliance Manager is a downloadable tool that helps you plan, depl
|
||||
|
||||
**To administer security policies by using the Security Compliance Manager**
|
||||
|
||||
1. Download the most recent version. You can find out more info on the [Microsoft Security Guidance](/archive/blogs/secguide/) blog.
|
||||
1. Download the most recent version. You can find more info on the [Microsoft Security Baselines](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bg-p/Microsoft-Security-Baselines) blog.
|
||||
1. Read the relevant security baseline documentation that is included in this tool.
|
||||
1. Download and import the relevant security baselines. The installation process steps you through baseline selection.
|
||||
1. Open the Help and follow instructions how to customize, compare, or merge your security baselines before deploying those baselines.
|
||||
|
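Review bot: Step 1 says "Download the most recent version" without naming the tool or linking to a download, and the replacement link goes to the Microsoft Security Baselines blog rather than to a download page. Name what is to be downloaded and link it directly, keeping the blog link as background reading. In the last step, "follow instructions how to customize" should read "follow the instructions on how to customize".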
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Audit Policy
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Provides information about basic audit policies that are available in Windows and links to information about each setting.
|
||||
|
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Enforce password history
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, policy management, and security considerations for the **Enforce password history** security policy setting.
|
||||
|
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Maximum password age
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, policy management, and security considerations for the **Maximum password age** security policy setting.
|
||||
|
@ -19,6 +19,7 @@ ms.topic: conceptual
|
||||
# Minimum password age
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, policy management, and security considerations for the **Minimum password age** security policy setting.
|
||||
@ -90,4 +91,4 @@ If you set a password for a user but want that user to change the password when
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Password Policy](password-policy.md)
|
||||
- [Password Policy](password-policy.md)
|
||||
|
@ -22,6 +22,7 @@ ms.technology: itpro-security
|
||||
# Minimum password length
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
This article describes the recommended practices, location, values, policy management, and security considerations for the **Minimum password length** security policy setting.
|
||||
|
@ -22,6 +22,7 @@ ms.date: 12/31/2017
|
||||
# Password must meet complexity requirements
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Password must meet complexity requirements** security policy setting.
|
||||
|
@ -22,6 +22,7 @@ ms.technology: itpro-security
|
||||
# Password Policy
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
An overview of password policies for Windows and links to information for each policy setting.
|
||||
|
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Reset account lockout counter after
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Reset account lockout counter after** security policy setting.
|
||||
@ -76,4 +77,4 @@ If you don't configure this policy setting or if the value is configured to an i
|
||||
|
||||
## Related topics
|
||||
|
||||
- [Account Lockout Policy](account-lockout-policy.md)
|
||||
- [Account Lockout Policy](account-lockout-policy.md)
|
||||
|
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Advanced security audit policy settings for Windows 10
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Provides information about the advanced security audit policy settings that are available in Windows and the audit events that they generate.
|
||||
|
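Review bot: The heading still reads "Advanced security audit policy settings for Windows 10" while the **Applies to** list names both Windows 11 and Windows 10. Drop "for Windows 10" from the title or reword it so the heading and the applicability list agree.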
@ -20,6 +20,7 @@ ms.technology: itpro-security
|
||||
# Store passwords using reversible encryption
|
||||
|
||||
**Applies to**
|
||||
- Windows 11
|
||||
- Windows 10
|
||||
|
||||
Describes the best practices, location, values, and security considerations for the **Store passwords using reversible encryption** security policy setting.
|
||||
|
@ -398,6 +398,17 @@ The following GPO snippet performs the following tasks:
|
||||
|
||||

|
||||
|
||||
The following table also contains the six actions to configure in the GPO:
|
||||
|
||||
| Program/Script | Arguments |
|
||||
|------------------------------------|----------------------------------------------------------------------------------------------------------|
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /e:true |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ms:102432768 |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-AppLocker/EXE and DLL" /ms:102432768 |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl Microsoft-Windows-CAPI2/Operational /ca:"O:BAG:SYD:(A;;0x7;;;BA)(A;;0x2;;;AU)(A;;0x1;;;S-1-5-32-573)" |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /e:true |
|
||||
| %SystemRoot%\System32\wevtutil.exe | sl "Microsoft-Windows-DriverFrameworks-UserMode/Operational" /ms:52432896 |
|
||||
|
||||
## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration
|
||||
|
||||
Here are the minimum steps for WEF to operate:
|
||||
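Review bot: The Arguments column is plain table text, so the straight quotes around the channel names and the SDDL string passed to `/ca:` can be altered by Markdown rendering and then fail when pasted; wrap both columns in inline code. The `/ca:` row also deserves a sentence on what it grants: `(A;;0x7;;;BA)` gives Built-in Administrators read, write and clear, `(A;;0x2;;;AU)` gives Authenticated Users write, and `(A;;0x1;;;S-1-5-32-573)` gives Event Log Readers read. The AppLocker channel has a `/ms:` row but no `/e:true` row, unlike the other two channels; say whether that is intentional.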
@ -656,4 +667,4 @@ You can get more info with the following links:
|
||||
- [Event Queries and Event XML](/previous-versions/bb399427(v=vs.90))
|
||||
- [Event Query Schema](/windows/win32/wes/queryschema-schema)
|
||||
- [Windows Event Collector](/windows/win32/wec/windows-event-collector)
|
||||
- [4625(F): An account failed to log on](./auditing/event-4625.md)
|
||||
- [4625(F): An account failed to log on](./auditing/event-4625.md)
|
||||
|
@ -35,8 +35,6 @@ You must have Windows 10, version 1709 or later. The ADMX/ADML template files fo
|
||||
|
||||
There are two stages to using the contact card and customized notifications. First, you have to enable the contact card or custom notifications (or both), and then you must specify at least a name for your organization and one piece of contact information.
|
||||
|
||||
This can only be done in Group Policy.
|
||||
|
||||
1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**.
|
||||
|
||||
2. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**.
|
||||
@ -47,6 +45,9 @@ This can only be done in Group Policy.
|
||||
|
||||
1. To enable the contact card, open the **Configure customized contact information** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
> [!NOTE]
|
||||
> This can only be done in Group Policy.
|
||||
|
||||
2. To enable the customized notifications, open the **Configure customized notifications** setting and set it to **Enabled**. Click **OK**.
|
||||
|
||||
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
|
||||
@ -58,5 +59,7 @@ This can only be done in Group Policy.
|
||||
|
||||
7. Select **OK** after you configure each setting to save your changes.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
|
||||
To enable the customized notifications and add the contact information in Intune, see [Manage device security with endpoint security policies in Microsoft Intune](/mem/intune/protect/endpoint-security-policy) and [Settings for the Windows Security experience profile in Microsoft Intune](/mem/intune/protect/antivirus-security-experience-windows-settings).
|
||||
|
||||
> [!IMPORTANT]
|
||||
> You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
|
||||
|
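Review bot: The new paragraph pointing to Intune ("To enable the customized notifications and add the contact information in Intune, see ...") conflicts with the NOTE placed earlier in this file, "This can only be done in Group Policy." State in that NOTE exactly which setting is limited to Group Policy, or remove it. The IMPORTANT block also says "contact company name" in its first sentence and "contact name" in its second; use the same term in both.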
@ -49,7 +49,7 @@ Windows Sandbox has the following properties:
|
||||
- If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:
|
||||
|
||||
```powershell
|
||||
Set-VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true
|
||||
Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
|
||||
```
|
||||
|
||||
3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.
|
||||
@ -57,7 +57,11 @@ Windows Sandbox has the following properties:
|
||||
If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2.
|
||||
|
||||
> [!NOTE]
|
||||
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run **Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online**.
|
||||
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
|
||||
>
|
||||
> ```powershell
|
||||
> Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
|
||||
> ```
|
||||
|
||||
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
|
||||
|
||||
|
@ -54,7 +54,7 @@ No. SCM supported only SCAP 1.0, which wasn't updated as SCAP evolved. The new t
|
||||
| Name | Build | Baseline Release Date | Security Tools |
|
||||
| ---- | ----- | --------------------- | -------------- |
|
||||
| Windows 11 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-11-version-22h2-security-baseline/ba-p/3632520) <br> | September 2022<br>|[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724) <br> [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703) <br> [21H1](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-version-21h1/ba-p/2362353) <br> [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) <br> [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) <br> [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <br>[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022<br>December 2021<br>May 2021<br>December 2020<br>October 2018<br>October 2016 <br>January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
| Windows 10 | [22H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/windows-10-version-22h2-security-baseline/ba-p/3655724) <br> [21H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-for-windows-10-version-21h2/ba-p/3042703) <br> [20H2](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-and-windows-server/ba-p/1999393) <br> [1809](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/security-baseline-final-for-windows-10-v1809-and-windows-server/ba-p/701082) <br> [1607](/archive/blogs/secguide/security-baseline-for-windows-10-v1607-anniversary-edition-and-windows-server-2016) <br>[1507](/archive/blogs/secguide/security-baseline-for-windows-10-v1507-build-10240-th1-ltsb-update)| October 2022<br>December 2021<br>December 2020<br>October 2018<br>October 2016 <br>January 2016 |[SCT 1.0](https://www.microsoft.com/download/details.aspx?id=55319) |
|
||||
Windows 8.1 |[9600 (April Update)](/archive/blogs/secguide/security-baselines-for-windows-8-1-windows-server-2012-r2-and-internet-explorer-11-final)| October 2013| [SCM 4.0](/previous-versions/tn-archive/cc936627(v=technet.10)) |
|
||||
|
||||
<br />
|
||||
|
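Review bot: The Windows 10 row pairs each build with its release date only by position across `<br>` separators, so removing 21H1 meant deleting "May 2021" from a different cell. The two lists are aligned after this edit (six builds, six dates), but one row per build would make the pairing explicit and harder to break. The Windows 8.1 row below is missing its leading `|`, unlike the rows above it.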
@ -31,7 +31,6 @@ The Security Compliance Toolkit consists of:
|
||||
- Windows 10 security baselines
|
||||
- Windows 10, version 22H2
|
||||
- Windows 10, version 21H2
|
||||
- Windows 10, version 21H1
|
||||
- Windows 10, version 20H2
|
||||
- Windows 10, version 1809
|
||||
- Windows 10, version 1607
|
||||
|
@ -13,7 +13,7 @@ ms.date: 12/31/2017
|
||||
---
|
||||
|
||||
# Zero Trust and Windows device health
|
||||
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments.
|
||||
Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps address today's complex environments.
|
||||
|
||||
The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are:
|
||||
|
||||
|