deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-06-20 12:53:38 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

fix file

Browse Source
This commit is contained in:
Greg Lindsay
2020-08-05 13:04:59 -07:00
parent dba2250c10 dfe222eb93
commit ecfa1b67e2
6 changed files with 67 additions and 79 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
View File

@ -934,25 +934,24 @@ To turn off **Location for this device**:
-or- -or-
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**.
-or-
- Create a REG_DWORD registry setting named **LetAppsAccessLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
To turn off **Location**:
- Turn off the feature in the UI.
-or-
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**. - **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Location and Sensors** > **Turn off location**.
-or- -or-
- Create a REG_DWORD registry setting named **DisableLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). - Create a REG_DWORD registry setting named **DisableLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one).
To turn off **Allow apps to access your location**:
- Turn off the feature in the UI.
-or-
- **Enable** the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access location** and set the **Select a setting** box to **Force Deny**.
-or-
- Create a REG_DWORD registry setting named **LetAppsAccessLocation** in **HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\AppPrivacy** with a **value of 2 (two)**.
To turn off **Location history**: To turn off **Location history**:
@ -1623,6 +1622,10 @@ You can stop sending file samples back to Microsoft.
You can stop downloading **Definition Updates**: You can stop downloading **Definition Updates**:
> [!NOTE]
> The Group Policy path for 1809 and earlier builds is **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Signature Updates**
- **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**. - **Enable** the Group Policy **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Microsoft Defender Antivirus** > **Security Intelligence Updates** > **Define the order of sources for downloading definition updates** and set it to **FileShares**.
-and- -and-

2
windows/security/information-protection/tpm/tpm-recommendations.md
View File

@ -112,7 +112,7 @@ The following table defines which Windows features require TPM support.
Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details | Windows Features | TPM Required | Supports TPM 1.2 | Supports TPM 2.0 | Details |
-|-|-|-|- -|-|-|-|-
Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot Measured Boot | Yes | Yes | Yes | Measured Boot requires TPM 1.2 or 2.0 and UEFI Secure Boot
BitLocker | Yes | Yes | Yes | TPM 1.2 or 2.0 is required, but [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support BitLocker | No | Yes | Yes | TPM 1.2 or 2.0 are supported but TPM 2.0 is recommended. [Automatic Device Encryption requires Modern Standby](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) including TPM 2.0 support
Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0. Device Encryption | Yes | N/A | Yes | Device Encryption requires Modern Standby/Connected Standby certification, which requires TPM 2.0.
Windows Defender Application Control (Device Guard) | No | Yes | Yes Windows Defender Application Control (Device Guard) | No | Yes | Yes
Windows Defender System Guard | Yes | No | Yes Windows Defender System Guard | Yes | No | Yes

2
windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
View File

@ -41,7 +41,7 @@ This policy setting configured which TPM authorization values are stored in the
|--------------|---------------|---------|-----------------|-----------------|------------------| |--------------|---------------|---------|-----------------|-----------------|------------------|
| OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes | | OwnerAuthAdmin | StorageOwnerAuth | Create SRK | No | Yes | Yes |
| OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes | | OwnerAuthEndorsement | EndorsementAuth | Create or use EK (1.2 only: Create AIK) | No | Yes | Yes |
| OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | No | | OwnerAuthFull | LockoutAuth | Reset/change Dictionary Attack Protection | No | No | Yes |
There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**. There are three TPM owner authentication settings that are managed by the Windows operating system. You can choose a value of **Full**, **Delegate**, or **None**.

4
windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
View File

@ -18,10 +18,6 @@ ms.custom: nextgen
# Configure Microsoft Defender Antivirus exclusions on Windows Server # Configure Microsoft Defender Antivirus exclusions on Windows Server
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions). Microsoft Defender Antivirus on Windows Server 2016 and 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
> [!NOTE] > [!NOTE]

48
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
View File

@ -111,3 +111,51 @@ If hyperthreading is disabled (because of an update applied through a KB article
Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. Application Guard may not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
### Why am I getting the error message ("ERR_NAME_NOT_RESOLVED") after not being able to reach PAC file?
This is a known issue. To mitigate this you need to create two firewall rules.
For guidance on how to create a firewall rule by using group policy, see:
- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
First rule (DHCP Server):
1. Program path: %SystemRoot%\System32\svchost.exe
2. Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))
3. Protocol UDP
4. Port 67
Second rule (DHCP Client)
This is the same as the first rule, but scoped to local port 68.
In the Microsoft Defender Firewall user interface go through the following steps:
1. Right click on inbound rules, create a new rule.
2. Choose **custom rule**.
3. Program path: **%SystemRoot%\System32\svchost.exe**.
4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
5. Any IP addresses.
6. Allow the connection.
7. All profiles.
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
### Why can I not launch Application Guard when Exploit Guard is enabled?
There is a known issue where if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security-> App and Browser control -> Exploit Protection Setting -> switch CFG to the “use default".
### How can I have ICS in enabled state yet still use Application Guard?
This is a two step process.
Step 1:
Enable Internet Connection sharing by changing the Group Policy setting “Prohibit use of Internet Connection Sharing on your DNS domain network” which is part of the MS Security baseline from Enabled to Disabled.
Step 2:
1. Disable IpNat.sys from ICS load
System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1
2. Configure ICS (SharedAccess) to enabled
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3
3. Disabling IPNAT (Optional)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4
4. Reboot.

61
windows/security/threat-protection/security-compliance-toolkit-10.md
View File

@ -27,6 +27,7 @@ The SCT enables administrators to effectively manage their enterprises Group
The Security Compliance Toolkit consists of: The Security Compliance Toolkit consists of:
- Windows 10 security baselines - Windows 10 security baselines
- Windows 10 Version 2004 (May 2020 Update)
- Windows 10 Version 1909 (November 2019 Update) - Windows 10 Version 1909 (November 2019 Update)
- Windows 10 Version 1903 (May 2019 Update) - Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update) - Windows 10 Version 1809 (October 2018 Update)
@ -80,63 +81,3 @@ It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file. It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319). Documentation for the LGPO tool can be found on the [Microsoft Security Baselines blog](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/lgpo-exe-local-group-policy-object-utility-v1-0/ba-p/701045) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
## List of PowerShell scripts
This list of PowerShell script names, divided into categories by the name of the ZIP file containing those scripts, is based on the download page content listing of the full package download (12 files).
1. **Windows 10 Version 1909 and Windows Server Version 1909 Security Baseline.zip**
- Baseline-ADImport.ps1
- Baseline-LocalInstall.ps1
- Remove-EPBaselineSettings.ps1
- MapGuidsToGpoNames.ps1
2. **LGPO.zip**
- (none)
3. **Microsoft Edge v80.zip**
- Baseline-ADImport.ps1
- Baseline-LocalInstall.ps1
- MapGuidsToGpoNames.ps1
4. **Office365-ProPlus-Sept2019-FINAL.zip**
- Baseline-ADImport.ps1
- Baseline-LocalInstall.ps1
- MapGuidsToGpoNames.ps1
5. **PolicyAnalyzer.zip**
- Merge-PolicyRules.ps1
- Split-PolicyRules.ps1
6. **Windows 10 Version 1507 Security Baseline.zip**
- (none)
7. **Windows 10 Version 1607 and Windows Server 2016 Security Baseline.zip**
- MapGuidsToGpoNames.ps1
8. **Windows 10 Version 1709 Security Baseline.zip**
- MapGuidsToGpoNames.ps1
9. **Windows 10 Version 1803 Security Baseline.zip**
- MapGuidsToGpoNames.ps1
10. **Windows 10 Version 1809 and Windows Server 2019 Security Baseline.zip**
- BaselineLocalInstall.ps1
- MapGuidsToGpoNames.ps1
11. **Windows 10 Version 1903 and Windows Server Version 1903 Security Baseline - Sept2019Update.zip**
- Baseline-ADImport.ps1
- Baseline-LocalInstall.ps1
- MapGuidsToGpoNames.ps1
12. **Windows Server 2012 R2 Security Baseline.zip**
- (none)