diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index a8de10ac7f..9969fd5ca2 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -933,19 +933,6 @@ To turn off **Location for this device**: - Click the **Change** button in the UI. -or- - -- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**. - - -or- - -- Create a REG_DWORD registry setting named **LetAppsAccessLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**. - - -To turn off **Location**: - -- Turn off the feature in the UI. - - -or- - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. @@ -953,7 +940,19 @@ To turn off **Location**: - Create a REG_DWORD registry setting named **DisableLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). +To turn off **Allow apps to access your location**: +- Turn off the feature in the UI. + + -or- + +- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**. + + -or- + +- Create a REG_DWORD registry setting named **LetAppsAccessLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**. + + To turn off **Location history**: - Erase the history using the **Clear** button in the UI. @@ -1623,6 +1622,10 @@ You can stop sending file samples back to Microsoft. You can stop downloading **Definition Updates**: +> [!NOTE] +> The Group Policy path for 1809 and earlier builds is **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates** + + - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. -and- diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md index da6eece1fe..fb2784e2d5 100644 --- a/windows/security/information-protection/tpm/tpm-recommendations.md +++ b/windows/security/information-protection/tpm/tpm-recommendations.md @@ -112,7 +112,7 @@ The following table defines which Windows features require TPM support. Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | -|-|-|-|- Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot - BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support + BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. Windows Defender Application Control (Device Guard) | No | Yes | Yes Windows Defender System Guard | Yes | No | Yes diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md index 94634c4b79..d94485704c 100644 --- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md +++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md @@ -41,7 +41,7 @@ This policy setting configured which TPM authorization values are stored in the |--------------|---------------|---------|-----------------|-----------------|------------------| | OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes | | OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes | -| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No | +| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes | There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. diff --git a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md index 756e4191f5..f0a52f7827 100644 --- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md +++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md @@ -18,10 +18,6 @@ ms.custom: nextgen # Configure Microsoft Defender Antivirus exclusions on Windows Server -**Applies to:** - -- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559) - Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). > [!NOTE] diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md index ad435fd8ad..c719d57d20 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md @@ -111,3 +111,51 @@ If hyperthreading is disabled (because of an update applied through a KB article Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. +### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file? + +This is a known issue. To mitigate this you need to create two firewall rules. +For guidance on how to create a firewall rule by using group policy, see: +- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule) +- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security) + +First rule (DHCP Server): +1. Program path: %SystemRoot%\System32\svchost.exe +2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess)) +3. Protocol UDP +4. Port 67 + +Second rule (DHCP Client) +This is the same as the first rule, but scoped to local port 68. +In the Microsoft Defender Firewall user interface go through the following steps: +1. Right click on inbound rules, create a new rule. +2. Choose **custom rule**. +3. Program path: **%SystemRoot%\System32\svchost.exe**. +4. Protocol Type: UDP, Specific ports: 67, Remote port: any. +5. Any IP addresses. +6. Allow the connection. +7. All profiles. +8. The new rule should show up in the user interface. Right click on the **rule** > **properties**. +9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**. + +### Why can I not launch Application Guard when Exploit Guard is enabled? + +There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default". + + +### How can I have ICS in enabled state yet still use Application Guard? + +This is a two step process. + +Step 1: + +Enable Internet Connection sharing by changing the Group Policy setting “Prohibit use of Internet Connection Sharing on your DNS domain network” which is part of the MS Security baseline from Enabled to Disabled. + +Step 2: + +1. Disable IpNat.sys from ICS load +System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1 +2. Configure ICS (SharedAccess) to enabled +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3 +3. Disabling IPNAT (Optional) +HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4 +4. Reboot. diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md index cea2e3c915..9e241156a8 100644 --- a/windows/security/threat-protection/security-compliance-toolkit-10.md +++ b/windows/security/threat-protection/security-compliance-toolkit-10.md @@ -27,6 +27,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group The Security Compliance Toolkit consists of: - Windows 10 security baselines + - Windows 10 Version 2004 (May 2020 Update) - Windows 10 Version 1909 (November 2019 Update) - Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1809 (October 2018 Update) @@ -80,63 +81,3 @@ It can export local policy to a GPO backup. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). - -## List of PowerShell scripts - -This list of PowerShell script names, divided into categories by the name of the ZIP file containing those scripts, is based on the download page content listing of the full package download (12 files). - -1. **Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip** - - - Baseline-ADImport.ps1 - - Baseline-LocalInstall.ps1 - - Remove-EPBaselineSettings.ps1 - - MapGuidsToGpoNames.ps1 - -2. **LGPO.zip** - - (none) - -3. **Microsoft Edge v80.zip** - - - Baseline-ADImport.ps1 - - Baseline-LocalInstall.ps1 - - MapGuidsToGpoNames.ps1 - -4. **Office365-ProPlus-Sept2019-FINAL.zip** - - - Baseline-ADImport.ps1 - - Baseline-LocalInstall.ps1 - - MapGuidsToGpoNames.ps1 - -5. **PolicyAnalyzer.zip** - - - Merge-PolicyRules.ps1 - - Split-PolicyRules.ps1 - -6. **Windows 10 Version 1507 Security Baseline.zip** - - (none) - -7. **Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip** - - - MapGuidsToGpoNames.ps1 - -8. **Windows 10 Version 1709 Security Baseline.zip** - - - MapGuidsToGpoNames.ps1 - -9. **Windows 10 Version 1803 Security Baseline.zip** - - - MapGuidsToGpoNames.ps1 - -10. **Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip** - - - BaselineLocalInstall.ps1 - - MapGuidsToGpoNames.ps1 - -11. **Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline - Sept2019Update.zip** - - - Baseline-ADImport.ps1 - - Baseline-LocalInstall.ps1 - - MapGuidsToGpoNames.ps1 - -12. **Windows Server 2012 R2 Security Baseline.zip** - - (none)