mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Merge pull request #8667 from paolomatarazzo/pm-20230803-freshness
FY24KR - Freshness
This commit is contained in: commit f5980caef5
@ -2,7 +2,7 @@
title: Windows 11 SE Overview
description: Learn about Windows 11 SE, and the apps that are included with the operating system.
ms.topic: overview
ms.date: 07/25/2023
ms.date: 08/03/2023
appliesto:
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11 SE</a>
ms.collection:
@ -35,11 +35,11 @@ The following table lists the different application types available in Windows o
| --- | --- | :---: | ---|
|Progressive Web Apps (PWAs) | PWAs are web-based applications that can run in a browser and that can be installed as standalone apps. |✅|PWAs are enabled by default in Windows 11 SE.|
| Web apps | Web apps are web-based applications that run in a browser. | ✅ | Web apps are enabled by default in Windows 11 SE. |
|Win32| Win32 applications are Windows classic applications that may require installation |⛔| If users try to install or execute Win32 applications that haven't been allowed to run, they'll fail.|
|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they'll fail.|
|`Win32`| `Win32` applications are Windows classic applications that may require installation |⛔| If users try to install or execute `Win32` applications that haven't been allowed to run, they fail.|
|Universal Windows Platform (UWP)/Store apps |UWP apps are commonly obtained from the Microsoft Store and may require installation |⛔|If users try to install or execute UWP applications that haven't been allowed to run, they fail.|

> [!IMPORTANT]
> If there are specific Win32 or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).
> If there are specific `Win32` or UWP applications that you want to allow, work with Microsoft to get them enabled. For more information, see [Add your own applications](#add-your-own-applications).

## Applications included in Windows 11 SE

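Review bot: putting `Win32` in code font in the application-types table is inconsistent with the rest of the same table, where "PWAs", "Web apps" and "UWP" stay in plain text; `Win32` is a platform name here, not a literal the reader types. Either leave it plain in this table or give UWP and PWA the same treatment, which would also line up with the Available applications table below, where `Store` is already rendered in code font. The tense change from "they'll fail" to "they fail" is fine.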
@ -50,10 +50,10 @@ The following table lists all the applications included in Windows 11 SE and the
| Alarm & Clock | UWP | | |
| Calculator | UWP | ✅ | |
| Camera | UWP | ✅ | |
| Microsoft Edge | Win32 | ✅ | ✅ |
| Excel | Win32 | ✅ | |
| Microsoft Edge | `Win32` | ✅ | ✅ |
| Excel | `Win32` | ✅ | |
| Feedback Hub | UWP | | |
| File Explorer | Win32 | | ✅ |
| File Explorer | `Win32` | | ✅ |
| FlipGrid | PWA | | |
| Get Help | UWP | | |
| Media Player | UWP | ✅ | |
@ -61,20 +61,20 @@ The following table lists all the applications included in Windows 11 SE and the
| Minecraft: Education Edition | UWP | | |
| Movies & TV | UWP | | |
| News | UWP | | |
| Notepad | Win32 | | |
| OneDrive | Win32 | | |
| OneNote | Win32 | ✅ | |
| Notepad | `Win32` | | |
| OneDrive | `Win32` | | |
| OneNote | `Win32` | ✅ | |
| Outlook | PWA | ✅ | |
| Paint | Win32 | ✅ | |
| Paint | `Win32` | ✅ | |
| Photos | UWP | | |
| PowerPoint | Win32 | ✅ | |
| PowerPoint | `Win32` | ✅ | |
| Settings | UWP | ✅ | |
| Snip & Sketch | UWP | | |
| Sticky Notes | UWP | | |
| Teams | Win32 | ✅ | |
| Teams | `Win32` | ✅ | |
| To Do | UWP | | |
| Whiteboard | UWP | ✅ | |
| Word | Win32 | ✅ | |
| Word | `Win32` | ✅ | |

## Available applications

@ -82,98 +82,98 @@ The following applications can also run on Windows 11 SE, and can be deployed us

| Application | Supported version | App Type | Vendor |
|-------------------------------------------|-------------------|----------|-------------------------------------------|
| `3d builder` | 18.0.1931.0 | Win32 | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | Win32 | `Absolute Software Corporation` |
| `AirSecure` | 8.0.0 | Win32 | `AIR` |
| `Alertus Desktop` | 5.4.48.0 | Win32 | `Alertus technologies` |
| `Brave Browser` | 106.0.5249.119 | Win32 | `Brave` |
| `3d builder` | 18.0.1931.0 | `Win32` | `Microsoft` |
| `Absolute Software Endpoint Agent` | 7.20.0.1 | `Win32` | `Absolute Software Corporation` |
| `AirSecure` | 8.0.0 | `Win32` | `AIR` |
| `Alertus Desktop` | 5.4.48.0 | `Win32` | `Alertus technologies` |
| `Brave Browser` | 106.0.5249.119 | `Win32` | `Brave` |
| `Bulb Digital Portfolio` | 0.0.7.0 | `Store` | `Bulb` |
| `CA Secure Browser` | 14.0.0 | Win32 | `Cambium Development` |
| `Cisco Umbrella` | 3.0.110.0 | Win32 | `Cisco` |
| `CKAuthenticator` | 3.6+ | Win32 | `ContentKeeper` |
| `Class Policy` | 116.0.0 | Win32 | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | Win32 | `NetSupport` |
| `CA Secure Browser` | 14.0.0 | `Win32` | `Cambium Development` |
| `Cisco Umbrella` | 3.0.110.0 | `Win32` | `Cisco` |
| `CKAuthenticator` | 3.6+ | `Win32` | `ContentKeeper` |
| `Class Policy` | 116.0.0 | `Win32` | `Class Policy` |
| `Classroom.cloud` | 1.40.0004 | `Win32` | `NetSupport` |
| `Clipchamp` | 2.5.2. | `Store` | `Microsoft` |
| `CoGat Secure Browser` | 11.0.0.19 | Win32 | `Riverside Insights` |
| `ColorVeil` | 4.0.0.175 | Win32 | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | Win32 | `ContentKeeper Technologies` |
| `DigiExam` | 14.0.6 | Win32 | `Digiexam` |
| `Dragon Professional Individual` | 15.00.100 | Win32 | `Nuance Communications` |
| `CoGat Secure Browser` | 11.0.0.19 | `Win32` | `Riverside Insights` |
| `ColorVeil` | 4.0.0.175 | `Win32` | `East-Tec` |
| `ContentKeeper Cloud` | 9.01.45 | `Win32` | `ContentKeeper Technologies` |
| `DigiExam` | 14.0.6 | `Win32` | `Digiexam` |
| `Dragon Professional Individual` | 15.00.100 | `Win32` | `Nuance Communications` |
| `DRC INSIGHT Online Assessments` | 13.0.0.0 | `Store` | `Data recognition Corporation` |
| `Duo from Cisco` | 3.0.0 | Win32 | `Cisco` |
| `Dyknow` | 7.9.13.7 | Win32 | `Dyknow` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | Win32 | `e-speaking` |
| `EasyReader` | 10.0.4.498 | Win32 | `Dolphin Computer Access` |
| `Easysense 2` | 1.32.0001 | Win32 | `Data Harvest` |
| `Epson iProjection` | 3.31 | Win32 | `Epson` |
| `eTests` | 4.0.25 | Win32 | `CASAS` |
| `Exam Writepad` | 22.10.14.1834 | Win32 | `Sheldnet` |
| `FirstVoices Keyboard` | 15.0.270 | Win32 | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | Win32 | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | Win32 | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | Win32 | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | Win32 | `GoGuardian` |
| `Google Chrome` | 110.0.5481.178 | Win32 | `Google` |
| `GuideConnect` | 1.24 | Win32 | `Dolphin Computer Access` |
| `Illuminate Lockdown Browser` | 2.0.5 | Win32 | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | Win32 | `Immunet` |
| `Impero Backdrop Client` | 5.0.87 | Win32 | `Impero Software` |
| `IMT Lazarus` | 2.86.0 | Win32 | `IMTLazarus` |
| `Inspiration 10` | 10.11 | Win32 | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | Win32 | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | Win32 | `Dynamic Learning Maps` |
| `Keyman` | 16.0.138 | Win32 | `SIL International` |
| `Duo from Cisco` | 3.0.0 | `Win32` | `Cisco` |
| `Dyknow` | 7.9.13.7 | `Win32` | `Dyknow` |
| `e-Speaking Voice and Speech recognition` | 4.4.0.11 | `Win32` | `e-speaking` |
| `EasyReader` | 10.0.4.498 | `Win32` | `Dolphin Computer Access` |
| `Easysense 2` | 1.32.0001 | `Win32` | `Data Harvest` |
| `Epson iProjection` | 3.31 | `Win32` | `Epson` |
| `eTests` | 4.0.25 | `Win32` | `CASAS` |
| `Exam Writepad` | 22.10.14.1834 | `Win32` | `Sheldnet` |
| `FirstVoices Keyboard` | 15.0.270 | `Win32` | `SIL International` |
| `FortiClient` | 7.2.0.4034+ | `Win32` | `Fortinet` |
| `Free NaturalReader` | 16.1.2 | `Win32` | `Natural Soft` |
| `Ghotit Real Writer & Reader` | 10.14.2.3 | `Win32` | `Ghotit Ltd` |
| `GoGuardian` | 1.4.4 | `Win32` | `GoGuardian` |
| `Google Chrome` | 110.0.5481.178 | `Win32` | `Google` |
| `GuideConnect` | 1.24 | `Win32` | `Dolphin Computer Access` |
| `Illuminate Lockdown Browser` | 2.0.5 | `Win32` | `Illuminate Education` |
| `Immunet` | 7.5.8.21178 | `Win32` | `Immunet` |
| `Impero Backdrop Client` | 5.0.87 | `Win32` | `Impero Software` |
| `IMT Lazarus` | 2.86.0 | `Win32` | `IMTLazarus` |
| `Inspiration 10` | 10.11 | `Win32` | `TechEdology Ltd` |
| `JAWS for Windows` | 2022.2112.24 | `Win32` | `Freedom Scientific` |
| `Kite Student Portal` | 9.0.0.0 | `Win32` | `Dynamic Learning Maps` |
| `Keyman` | 16.0.138 | `Win32` | `SIL International` |
| `Kortext` | 2.3.433.0 | `Store` | `Kortext` |
| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | Win32 | `Kurzweil Educational Systems` |
| `LanSchool Classic` | 9.1.0.46 | Win32 | `Stoneware, Inc.` |
| `LanSchool Air` | 2.0.13312 | Win32 | `Stoneware, Inc.` |
| `Lightspeed Smart Agent` | 1.9.1 | Win32 | `Lightspeed Systems` |
| `Lightspeed Filter Agent` | 2.3.4 | Win32 | `Lightspeed Systems` |
| `Kurzweil 3000 Assistive Learning` | 20.13.0000 | `Win32` | `Kurzweil Educational Systems` |
| `LanSchool Classic` | 9.1.0.46 | `Win32` | `Stoneware, Inc.` |
| `LanSchool Air` | 2.0.13312 | `Win32` | `Stoneware, Inc.` |
| `Lightspeed Smart Agent` | 1.9.1 | `Win32` | `Lightspeed Systems` |
| `Lightspeed Filter Agent` | 2.3.4 | `Win32` | `Lightspeed Systems` |
| `MetaMoJi ClassRoom` | 3.12.4.0 | `Store` | `MetaMoJi Corporation` |
| `Microsoft Connect` | 10.0.22000.1 | `Store` | `Microsoft` |
| `Mozilla Firefox` | 105.0.0 | Win32 | `Mozilla` |
| `Mozilla Firefox` | 105.0.0 | `Win32` | `Mozilla` |
| `Mobile Plans` | 5.1911.3171.0 | `Store` | `Microsoft Corporation` |
| `NAPLAN` | 5.2.2 | Win32 | `NAP` |
| `Netref Student` | 23.1.0 | Win32 | `NetRef` |
| `NetSupport Manager` | 12.01.0014 | Win32 | `NetSupport` |
| `NetSupport Notify` | 5.10.1.215 | Win32 | `NetSupport` |
| `NetSupport School` | 14.00.0012 | Win32 | `NetSupport` |
| `NextUp Talker` | 1.0.49 | Win32 | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | Win32 | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.387.0 | Win32 | `NWEA` |
| `PC Talker Neo` | 2209 | Win32 | `Kochi System Development` |
| `PC Talker Neo Plus` | 2209 | Win32 | `Kochi System Development` |
| `PaperCut` | 22.0.6 | Win32 | `PaperCut Software International Pty Ltd` |
| `NAPLAN` | 5.2.2 | `Win32` | `NAP` |
| `Netref Student` | 23.1.0 | `Win32` | `NetRef` |
| `NetSupport Manager` | 12.01.0014 | `Win32` | `NetSupport` |
| `NetSupport Notify` | 5.10.1.215 | `Win32` | `NetSupport` |
| `NetSupport School` | 14.00.0012 | `Win32` | `NetSupport` |
| `NextUp Talker` | 1.0.49 | `Win32` | `NextUp Technologies` |
| `NonVisual Desktop Access` | 2021.3.1 | `Win32` | `NV Access` |
| `NWEA Secure Testing Browser` | 5.4.387.0 | `Win32` | `NWEA` |
| `PC Talker Neo` | 2209 | `Win32` | `Kochi System Development` |
| `PC Talker Neo Plus` | 2209 | `Win32` | `Kochi System Development` |
| `PaperCut` | 22.0.6 | `Win32` | `PaperCut Software International Pty Ltd` |
| `Pearson TestNav` | 1.11.3 | `Store` | `Pearson` |
| `Project Monarch Outlook` | 1.2022.2250001 | `Store` | `Microsoft` |
| `Questar Secure Browser` | 5.0.1.456 | Win32 | `Questar, Inc` |
| `ReadAndWriteForWindows` | 12.0.74 | Win32 | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | Win32 | `Microsoft` |
| `Remote Help` | 4.0.1.13 | Win32 | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | Win32 | `Respondus` |
| `Safe Exam Browser` | 3.5.0.544 | Win32 | `Safe Exam Browser` |
|`SchoolYear` | 3.4.21 | Win32 |`SchoolYear` |
|`School Manager` | 3.6.8.1109 | Win32 |`School Manager` |
| `Senso.Cloud` | 2021.11.15.0 | Win32 | `Senso.Cloud` |
| `Skoolnext` | 2.19 | Win32 | `Skool.net` |
| `Smoothwall Monitor` | 2.9.2 | Win32 | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 22.02 | Win32 | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.03 | Win32 | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | Win32 | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | Win32 | `VitalSource Technologies Inc` |
| `Winbird` | 19 | Win32 | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.29 | Win32 | `WordQ` |
| `Zoom` | 5.12.8 (10232) | Win32 | `Zoom` |
| `ZoomText Fusion` | 2023.2303.77.400 | Win32 | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | Win32 | `Freedom Scientific` |
| `Questar Secure Browser` | 5.0.1.456 | `Win32` | `Questar, Inc` |
| `ReadAndWriteForWindows` | 12.0.74 | `Win32` | `Texthelp Ltd.` |
| `Remote Desktop client (MSRDC)` | 1.2.4066.0 | `Win32` | `Microsoft` |
| `Remote Help` | 4.0.1.13 | `Win32` | `Microsoft` |
| `Respondus Lockdown Browser` | 2.0.9.03 | `Win32` | `Respondus` |
| `Safe Exam Browser` | 3.5.0.544 | `Win32` | `Safe Exam Browser` |
|`SchoolYear` | 3.4.21 | `Win32` |`SchoolYear` |
|`School Manager` | 3.6.8.1109 | `Win32` |`School Manager` |
| `Senso.Cloud` | 2021.11.15.0 | `Win32` | `Senso.Cloud` |
| `Skoolnext` | 2.19 | `Win32` | `Skool.net` |
| `Smoothwall Monitor` | 2.9.2 | `Win32` | `Smoothwall Ltd` |
| `SuperNova Magnifier & Screen Reader` | 22.02 | `Win32` | `Dolphin Computer Access` |
| `SuperNova Magnifier & Speech` | 21.03 | `Win32` | `Dolphin Computer Access` |
|`TX Secure Browser` | 15.0.0 | `Win32` | `Cambium Development` |
| `VitalSourceBookShelf` | 10.2.26.0 | `Win32` | `VitalSource Technologies Inc` |
| `Winbird` | 19 | `Win32` | `Winbird Co., Ltd.` |
| `WordQ` | 5.4.29 | `Win32` | `WordQ` |
| `Zoom` | 5.12.8 (10232) | `Win32` | `Zoom` |
| `ZoomText Fusion` | 2023.2303.77.400 | `Win32` | `Freedom Scientific` |
| `ZoomText Magnifier/Reader` | 2023.2303.33.400 | `Win32` | `Freedom Scientific` |

## Add your own applications

If the applications you need aren't in the [available applications list](#available-applications), then you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.
If the applications you need aren't in the [available applications list](#available-applications), you can submit an application request at [aka.ms/eduapprequest](https://aka.ms/eduapprequest). Anyone from a school district can submit the request. In the form, sign in with your school account, such as `user@contoso.edu`. We'll update you using this email account.

Microsoft reviews every app request to make sure each app meets the following requirements:

- Apps can be any native Windows app type, such as a Microsoft Store app, Win32 app, `.MSIX`, `.APPX`, and more
- Apps can be any native Windows app type, such as a Microsoft Store app, `Win32` app, `.MSIX`, `.APPX`, and more
- Apps must be in one of the following app categories:
- Content Filtering apps
- Test Taking solutions
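Review bot: the `Win32` change makes the App Type column consistent with the existing `Store` rows, which is good, but this hunk rewrites nearly every row and leaves visible defects in place that should go in the same pass: `Clipchamp` carries a trailing period in its version (`2.5.2.`), `Keyman` is listed after `Kite Student Portal` and `Mozilla Firefox` before `Mobile Plans` in an otherwise alphabetical table, and the `SchoolYear`, `School Manager` and `TX Secure Browser` rows omit the cell padding used by every other row. Also worth a sentence above the table: `3.6+` and `7.2.0.4034+` read as "this version or later", while the column is labelled Supported version, so say which it is, since admins use this list to decide what to allow.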
@ -1,11 +1,8 @@
---
ms.date: 12/05/2022
ms.date: 08/03/2023
title: Local Accounts
description: Learn how to secure and manage access to the resources on a standalone or member server for services or users.
ms.topic: conceptual
ms.collection:
- highpri
- tier2
appliesto:
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 11</a>
- ✅ <a href=https://learn.microsoft.com/windows/release-health/supported-versions-windows-client target=_blank>Windows 10</a>
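Review bot: the hunk header goes from 11 lines to 8, so three lines are removed alongside the date bump, and from the visible lines those are the `ms.collection:` block with `highpri` and `tier2`. Dropping tiering metadata is a classification change, not a freshness edit, so the commit message ("FY24KR - Freshness") should say why. Separately, the `appliesto` anchors here use unquoted attribute values (`href=https://... target=_blank`) while the Windows 11 SE file in this same PR quotes them (`href="..." target="_blank"`); align on the quoted form.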
@ -20,7 +17,7 @@ This article describes the default local user accounts for Windows operating sys

## About local user accounts

Local user accounts are stored locally on the device. These accounts can be assigned rights and permissions on a particular device, but on that device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.
Local user accounts are defined locally on a device, and can be assigned rights and permissions on the device only. Local user accounts are security principals that are used to secure and manage access to the resources on a device, for services or users.

## Default local user accounts

@ -30,9 +27,7 @@ Default local user accounts are used to manage access to the local device's reso

Default local user accounts are described in the following sections. Expand each section for more information.

<br>
<details>
<summary><b>Administrator</b></summary>
### Administrator

The default local Administrator account is a user account for system administration. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.

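Review bot: replacing `<br><details><summary>` with `### Administrator` is the right direction (the heading becomes navigable and gets an anchor), but the unchanged line just above it still says "Expand each section for more information."; with the collapsible blocks gone there is nothing to expand, so cut that sentence in this hunk. Also, `S-1-5-*domain*-500` puts italics inside the identifier; the HelpAssistant section of this same file writes `S-1-5-<domain>-13` in code font, so use that form here for consistency.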
@ -44,13 +39,13 @@ Windows setup disables the built-in Administrator account and creates another lo

Members of the Administrators groups can run apps with elevated permissions without using the *Run as Administrator* option. Fast User Switching is more secure than using `runas` or different-user elevation.

**Account group membership**
#### Account group membership

By default, the Administrator account is a member of the Administrators group. It's a best practice to limit the number of users in the Administrators group because members of the Administrators group have Full Control permissions on the device.

The Administrator account can't be removed from the Administrators group.

**Security considerations**
#### Security considerations

Because the Administrator account is known to exist on many versions of the Windows operating system, it's a best practice to disable the Administrator account when possible to make it more difficult for malicious users to gain access to the server or client computer.

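Review bot: the two new `####` headings, "Account group membership" and "Security considerations", are unqualified, whereas the Guest and HelpAssistant headings in this file are prefixed with the account name ("Guest account group membership", "HelpAssistant account security considerations"); since `####` headings produce anchors, qualify these as "Administrator account group membership" and "Administrator account security considerations" to keep the anchors unique and the style consistent. While here, the context line "Fast User Switching is more secure than using `runas` or different-user elevation" is asserted without any supporting explanation and sits awkwardly after a sentence about elevated apps; either explain why or drop it.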
@ -62,50 +57,41 @@ Group Policy can be used to control the use of the local Administrators group au

> [!IMPORTANT]
>
> - Blank passwords are not allowed.
>
> - Even when the Administrator account has been disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it is disabled.
> - Blank passwords are not allowed
> - Even when the Administrator account is disabled, it can still be used to gain access to a computer by using safe mode. In the Recovery Console or in safe mode, the Administrator account is automatically enabled. When normal operations are resumed, it's disabled.

</details>
<br>
<details>
<summary><b>Guest</b></summary>
### Guest

The Guest account lets occasional or one-time users, who don't have an account on the computer, temporarily sign in to the local server or client computer with limited user rights. By default, the Guest account is disabled and has a blank password. Since the Guest account can provide anonymous access, it's considered a security risk. For this reason, it's a best practice to leave the Guest account disabled, unless its use is necessary.

**Account group membership**
#### Guest account group membership

By default, the Guest account is the only member of the default Guests group (SID S-1-5-32-546), which lets a user sign in to a device.
By default, the Guest account is the only member of the default Guests group `SID S-1-5-32-546`, which lets a user sign in to a device.

**Security considerations**
#### Guest account security considerations

When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account shouldn't be used over the network and made accessible to other computers.

In addition, the guest user in the Guest account shouldn't be able to view the event logs. After the Guest account is enabled, it's a best practice to monitor the Guest account frequently to ensure that other users can't use services and other resources. This includes resources that were unintentionally left available by a previous user.

</details>

<br>
<details>
<summary><b>HelpAssistant</b></summary>
### HelpAssistant

The HelpAssistant account is a default local account that is enabled when a Remote Assistance session is run. This account is automatically disabled when no Remote Assistance requests are pending.

HelpAssistant is the primary account that is used to establish a Remote Assistance session. The Remote Assistance session is used to connect to another computer running the Windows operating system, and it's initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance. After the user's invitation for a Remote Assistance session is accepted, the default HelpAssistant account is automatically created to give the person who provides assistance limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service.

**Security considerations**
#### HelpAssistant account security considerations

The SIDs that pertain to the default HelpAssistant account include:

- SID: `S-1-5-<domain>-13`, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled. Note: In Windows Server 2008, Remote Desktop Services is called Terminal Services.

- SID: `S-1-5-<domain>-14`, display name Remote Interactive Logon. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
- SID: `S-1-5-<domain>-13`, display name *Terminal Server User*. This group includes all users who sign in to a server with Remote Desktop Services enabled.
- SID: `S-1-5-<domain>-14`, display name *Remote Interactive Logon*. This group includes all users who connect to the computer by using a remote desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.

For the Windows Server operating system, Remote Assistance is an optional component that isn't installed by default. You must install Remote Assistance before it can be used.

For details about the HelpAssistant account attributes, see the following table.

**HelpAssistant account attributes**
#### HelpAssistant account attributes

|Attribute|Value|
|--- |--- |
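Review bot: moving the label into the code span, `` `SID S-1-5-32-546` ``, reads as if "SID" were part of the identifier; keep the label outside, as in "(SID `S-1-5-32-546`)", which also matches the "SID: `S-1-5-<domain>-13`" style used in the HelpAssistant list later in this hunk. Two smaller points: the first IMPORTANT bullet loses its period while the second keeps one, and the HelpAssistant text says the account "is enabled when a Remote Assistance session is run" in one paragraph and "is automatically created" once an invitation is accepted in the next; pick one. Finally, since the `S-1-5-<domain>-13` and `S-1-5-<domain>-14` lines are being edited anyway, check the `<domain>` placeholder: Terminal Server User and Remote Interactive Logon are well-known SIDs (S-1-5-13 and S-1-5-14) without a domain component, which is also why the Guests group on this page is written as `S-1-5-32-546`.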
@ -118,15 +104,11 @@ For details about the HelpAssistant account attributes, see the following table.
|Safe to move out of default container?|Can be moved out, but we don't recommend it.|
|Safe to delegate management of this group to non-Service admins?|No|

</details>

<br>
<details>
<summary><b>DefaultAccount</b></summary>
### DefaultAccount

The DefaultAccount account, also known as the Default System Managed Account (DSMA), is a well-known user account type. DefaultAccount can be used to run processes that are either multi-user aware or user-agnostic.

The DSMA is disabled by default on the desktop SKUs and on the Server operating systems with the desktop experience.
The DSMA is disabled by default on the desktop editions and on the Server operating systems with the desktop experience.

The DSMA has a well-known RID of `503`. The security identifier (SID) of the DSMA will thus have a well-known SID in the following format: `S-1-5-21-\<ComputerIdentifier>-503`.

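Review bot: the backslash in `` `S-1-5-21-\<ComputerIdentifier>-503` `` is unnecessary inside a code span and renders literally, so readers see `\<ComputerIdentifier>` in the SID; drop it, matching the plain `<domain>` placeholder used for the HelpAssistant SIDs in this file. Also "will thus have a well-known SID" can become "has a well-known SID" to match the present tense used in the rest of this hunk.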
@ -135,6 +117,7 @@ The DSMA is a member of the well-known group **System Managed Accounts Group**,
The DSMA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).

#### How Windows uses the DefaultAccount

From a permission perspective, the DefaultAccount is a standard user account.
The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps).
MUMA apps run all the time and react to users signing in and signing out of the devices.
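Review bot: the three sentences under the new "How Windows uses the DefaultAccount" heading sit on consecutive lines without blank lines, so Markdown renders them as a single paragraph; that's fine if intended, but "multi-user-manifested-apps (MUMA apps)" should read "multi-user-manifested apps (MUMA apps)", since the last hyphen joins the noun to its modifier.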
@ -158,14 +141,10 @@ If the domain was created with domain controllers running an earlier version of
#### Recommendations for managing the Default Account (DSMA)

Microsoft doesn't recommend changing the default configuration, where the account is disabled. There's no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
</details>

## Default local system accounts

<br>
<details>
<summary><b>SYSTEM</b></summary>

### SYSTEM

The *SYSTEM* account is used by the operating system and by services running under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account's user rights. It's an internal account that doesn't show up in User Manager, and it can't be added to any groups.

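Review bot: the `</details>` being removed here directly follows the DSMA recommendations paragraph with no blank line, and the new text then relies on the existing blank line before `## Default local system accounts`; check the rendered output, since the paragraph and the heading are now adjacent in the source. Also, the new `### SYSTEM` heading italicizes *SYSTEM* in the paragraph below it while the heading itself is plain; the NETWORK SERVICE and LOCAL SERVICE sections later in this PR follow the same pattern, so it's consistent, but the first mention of a well-known account name is usually better in plain text than italics.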
@ -174,19 +153,13 @@ On the other hand, the SYSTEM account does appear on an NTFS file system volume
> [!NOTE]
> To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.

</details>
<br>
<details>
<summary><b>NETWORK SERVICE </b></summary>
### NETWORK SERVICE

The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).
</details>
<br>
<details>
<summary><b>LOCAL SERVICE</b></summary>
The *NETWORK SERVICE* account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](/windows/desktop/services/networkservice-account).

The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account).
</details>
### LOCAL SERVICE

The *LOCAL SERVICE* account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](/windows/desktop/services/localservice-account).

## How to manage local user accounts

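Review bot: the NOTE line "To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account" is ungrammatical and is left untouched while the block around it is rewritten; reword it to "Granting file permissions to the Administrators group doesn't implicitly grant them to the SYSTEM account." The old `<summary><b>NETWORK SERVICE </b></summary>` had a stray trailing space, which the new `### NETWORK SERVICE` heading correctly drops.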
@ -203,17 +176,15 @@ You can also manage local users by using NET.EXE USER and manage local groups by

### Restrict and protect local accounts with administrative rights

An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called "lateral movement".
An administrator can use many approaches to prevent malicious users from using stolen credentials such as a stolen password or password hash, for a local account on one computer from being used to authenticate on another computer with administrative rights. This is also called *lateral movement*.

The simplest approach is to sign in to your computer with a standard user account, instead of using the Administrator account for tasks. For example, use a standard account to browse the Internet, send email, or use a word processor. When you want to perform administrative tasks such as installing a new program or changing a setting that affects other users, you don't have to switch to an Administrator account. You can use User Account Control (UAC) to prompt you for permission or an administrator password before performing the task, as described in the next section.

The other approaches that can be used to restrict and protect user accounts with administrative rights include:

- Enforce local account restrictions for remote access.

- Deny network logon to all local Administrator accounts.

- Create unique passwords for local accounts with administrative rights.
- Enforce local account restrictions for remote access
- Deny network logon to all local Administrator accounts
- Create unique passwords for local accounts with administrative rights

Each of these approaches is described in the following sections.

@ -224,7 +195,7 @@ Each of these approaches is described in the following sections.
|
||||
|
||||
User Account Control (UAC) is a security feature that informs you when a program makes a change that requires administrative permissions. UAC works by adjusting the permission level of your user account. By default, UAC is set to notify you when applications try to make changes to your computer, but you can change when UAC notifies you.
UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the **Run as** command.
UAC makes it possible for an account with administrative rights to be treated as a standard user non-administrator account until full rights, also called elevation, is requested and approved. For example, UAC lets an administrator enter credentials during a non-administrator's user session to perform occasional administrative tasks without having to switch users, sign out, or use the *Run as* command.
In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
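Review bot: subject-verb agreement in the rewritten UAC sentence: "until full rights, also called elevation, is requested and approved" should read "are requested and approved" (or "until elevation to full rights is requested"). "standard user non-administrator account" is redundant; "standard user account" is enough, and the *Run as* italics now match the *lateral movement* style used earlier in the file.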
@ -234,8 +205,6 @@ For more information about UAC, see [User Account Control](/windows/access-prote
The following table shows the Group Policy and registry settings that are used to enforce local account restrictions for remote access.
<!-- MicrosoftDocs/windows-itpro-docs/issues/7146 start line 254-->
|No.|Setting|Detailed Description|
|--- |--- |--- |
||Policy location|Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options|
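Review bot: the tracking comment `<!-- MicrosoftDocs/windows-itpro-docs/issues/7146 start line 254-->` is still in the source above the table; if the issue it marks has been addressed by this freshness pass, remove the marker, otherwise note what remains open. The first data row `||Policy location|...` leaves the "No." cell empty, so the numbering column has no value on its first row; either fill it or drop the column if the rows aren't meant to be numbered.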
@ -286,6 +255,7 @@ The following table shows the Group Policy and registry settings that are used t
1. Test the functionality of enterprise applications on the workstations in that first OU and resolve any issues caused by the new policy
1. Create links to all other OUs that contain workstations
1. Create links to all other OUs that contain servers
### Deny network logon to all local Administrator accounts
Denying local accounts the ability to perform network logons can help prevent a local account password hash from being reused in a malicious attack. This procedure helps to prevent lateral movement by ensuring that stolen credentials for local accounts from a compromised operating system can't be used to compromise other computers that use the same credentials.
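Review bot: the rollout steps test enterprise applications only "on the workstations in that first OU" and then link the policy to "all other OUs that contain servers" with no server-side test in between. Since the restriction applies to network logon for local accounts, suggest adding a step to pilot the GPO on a server OU and verify remote administration still works before the broad server link. The "Deny network logon" paragraph is clear; "in a malicious attack" is redundant and could be shortened to "reused by an attacker".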
@ -8,7 +8,7 @@ metadata:
- highpri
- tier1
ms.topic: faq
ms.date: 03/09/2023
ms.date: 08/03/2023
title: Common questions about Windows Hello for Business
summary: Windows Hello for Business replaces password sign-in with strong authentication, using an asymmetric key pair. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Hello for Business.
@ -1,21 +1,21 @@
---
title: BitLocker overview
description: This article provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
description: Learn about BitLocker requirements, practical applications, and deprecated features.
ms.collection:
- highpri
- tier1
ms.topic: conceptual
ms.date: 11/08/2022
ms.topic: overview
ms.date: 08/03/2023
---
# BitLocker overview
Bitlocker is a disk encryption feature included with Windows, designed to protect data by providing encryption for entire volumes.\
Bitlocker is a Windows disk encryption feature, designed to protect data by providing encryption for entire volumes.\
BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.
BitLocker provides the maximum protection when used with a Trusted Platform Module (TPM) version 1.2 or later versions. The TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
BitLocker provides maximum protection when used with a Trusted Platform Module (TPM). A TPM is a hardware component installed in many devices ant it works with BitLocker to help protect user data and to ensure that a computer hasn't been tampered with while the system is offline.
On computers that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
On devices that don't have a TPM, BitLocker can still be used to encrypt the Windows operating system drive. However, this implementation requires the user to insert a USB startup key to start the device or resume from hibernation. An operating system volume password can be used to protect the operating system volume on a computer without TPM. Both options don't provide the pre-startup system integrity verification offered by BitLocker with a TPM.
In addition to the TPM, BitLocker offers the option to lock the normal startup process until the user supplies a personal identification number (PIN) or inserts a removable device (such as a USB flash drive) that contains a startup key. These additional security measures provide multifactor authentication and assurance that the computer won't start or resume from hibernation until the correct PIN or startup key is presented.
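Review bot: the rewritten TPM sentence keeps the typo from the old line: "installed in many devices ant it works" should be "and it works". Two more points in this hunk: the new first sentence still spells the product "Bitlocker" while the heading and the rest of the file use "BitLocker"; and the rewrite drops "version 1.2 or later" from "Trusted Platform Module (TPM)" although the requirements section below still states "the computer must have TPM 1.2 or later versions", so the overview and requirements should either both state the version or both omit it. "Both options don't provide the pre-startup system integrity verification" reads better as "Neither option provides the pre-startup system integrity verification".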
@ -27,30 +27,25 @@ Data on a lost or stolen device is vulnerable to unauthorized access, either by
BitLocker has the following hardware requirements:
For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker.
- For BitLocker to use the system integrity check provided by a TPM, the computer must have TPM 1.2 or later versions. If a computer doesn't have a TPM, saving a startup key on a removable drive, such as a USB flash drive, becomes mandatory when enabling BitLocker
- A device with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware
- The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment
A computer with a TPM must also have a Trusted Computing Group (TCG)-compliant BIOS or UEFI firmware. The BIOS or UEFI firmware establishes a chain of trust for the pre-operating system startup, and it must include support for TCG-specified Static Root of Trust Measurement. A computer without a TPM doesn't require TCG-compliant firmware.
> [!NOTE]
> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
>
> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support the USB mass storage device class, including reading small files on a USB flash drive in the pre-operating system environment.
> [!IMPORTANT]
> From Windows 7, an OS drive can be encrypted without a TPM and USB flash drive. For this procedure, see [Tip of the Day: Bitlocker without TPM or USB](https://social.technet.microsoft.com/Forums/en-US/eac2cc67-8442-42db-abad-2ed173879751/bitlocker-without-tpm?forum=win10itprosetup).
> [!NOTE]
> TPM 2.0 is not supported in Legacy and Compatibility Support Module (CSM) modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as native UEFI only. The Legacy and CSM options must be disabled. For added security, enable the secure boot feature.
> Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode, which prepares the OS and the disk to support UEFI.
The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system.
- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space.
When installed on a new computer, Windows automatically creates the partitions that are required for BitLocker.
- The hard disk must be partitioned with at least two drives:
- The operating system drive (or boot drive) contains the operating system and its support files. It must be formatted with the NTFS file system
- The system drive contains the files that are needed to load Windows after the firmware has prepared the system hardware. BitLocker isn't enabled on this drive. For BitLocker to work, the system drive must not be encrypted, must differ from the operating system drive, and must be formatted with the FAT32 file system on computers that use UEFI-based firmware or with the NTFS file system on computers that use BIOS firmware. It's recommended that the system drive be approximately 350 MB in size. After BitLocker is turned on, it should have approximately 250 MB of free space
> [!IMPORTANT]
> When installed on a new device, Windows automatically creates the partitions that are required for BitLocker.
>
> An encrypted partition can't be marked as active.
When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
> [!NOTE]
> When installing the BitLocker optional component on a server, the Enhanced Storage feature also needs to be installed. The Enhanced Storage feature is used to support hardware encrypted drives.
[!INCLUDE [bitlocker](../../../../../includes/licensing/bitlocker-enablement.md)]
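Review bot: the relocated `[!NOTE]` block about TPM 2.0 and CSM mode lost its `>` continuation line: the original block joined its two paragraphs with a bare `>` line, but in the new block `> Installed Operating System on hardware in Legacy mode ...` follows an empty line, so it renders as a separate plain blockquote outside the note. Restore the `>` line (the new `[!IMPORTANT]` partition note does this correctly with its own `>` separator). Two smaller points: the `[!IMPORTANT]` "Bitlocker without TPM or USB" tip links to a social.technet.microsoft.com forum thread rather than to product documentation, which is a fragile target for an "encrypt without TPM" procedure, so consider pointing at the BitLocker policy setting that allows it; and the sentence "Installed Operating System on hardware in Legacy mode stops the OS from booting when the BIOS mode is changed to UEFI" reads more clearly as "An OS installed in Legacy mode doesn't boot after the firmware is switched to UEFI".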
@ -1,7 +1,7 @@
---
title: How to configure cryptographic settings for IKEv2 VPN connections
description: Learn how to update the IKEv2 cryptographic settings of VPN servers and clients by running VPN cmdlets to secure connections.
ms.date: 06/28/2023
ms.date: 08/03/2023
ms.topic: how-to
---
@ -9,8 +9,8 @@ ms.topic: how-to
In IKEv2 VPN connections, the default setting for IKEv2 cryptographic settings are:
- Encryption Algorithm : DES3
- Integrity, Hash Algorithm : SHA1
- Encryption Algorithm: DES3
- Integrity, Hash Algorithm: SHA1
- Diffie Hellman Group (Key Size): DH2
These settings aren't secure for IKE exchanges.
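Review bot: the introductory sentence is still ungrammatical after the colon-spacing fix: "the default setting for IKEv2 cryptographic settings are" should be "the default IKEv2 cryptographic settings are". The closing "These settings aren't secure for IKE exchanges." would help readers more if it said why in one clause, since the list itself names the reasons (3DES, SHA-1 and the 1024-bit DH group 2 are all deprecated); as written the reader has to take the judgement on trust.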
@ -44,8 +44,8 @@ Set-VpnConnectionIPsecConfiguration -ConnectionName <String>
The following commands configure the IKEv2 cryptographic settings to:
- Encryption Algorithm : AES128
- Integrity, Hash Algorithm : SHA256
- Encryption Algorithm: AES128
- Integrity, Hash Algorithm: SHA256
- Diffie Hellman Group (Key Size): DH14
### IKEv2 VPN Server
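Review bot: the "Diffie Hellman Group (Key Size): DH14" bullet promises a key size but never states one; since DH14 is the 2048-bit MODP group, write "DH14 (2048-bit)" so the label is honoured, and hyphenate "Diffie-Hellman" in both lists. The spacing change before the colons is otherwise fine and matches the first list in the file.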
@ -1,13 +1,13 @@
---
title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.date: 12/28/2022
ms.date: 08/03/2023
ms.topic: how-to
---
# How to use Single Sign-On (SSO) over VPN and Wi-Fi connections
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections. The following scenarios are typically used:
This article explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over Wi-Fi or VPN connections. The following scenarios are typically used:
- Connecting to a network using Wi-Fi or VPN
- Use credentials for Wi-Fi or VPN authentication to also authenticate requests to access domain resources, without being prompted for domain credentials
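Review bot: the two scenario bullets use different verb forms ("Connecting to a network ..." versus "Use credentials for ..."); make them parallel, for example "Connect to a network using Wi-Fi or VPN" and "Use the Wi-Fi or VPN credentials to authenticate ...". The "WiFi" to "Wi-Fi" change is consistent with the description line, which already used the hyphenated form.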
@ -17,15 +17,15 @@ For example, you want to connect to a corporate network and access an internal w
The credentials that are used for the connection authentication are placed in *Credential Manager* as the default credentials for the **logon session**. Credential Manager stores credentials that can be used for specific domain resources. These are based on the target name of the resource:
- For VPN, the VPN stack saves its credential as the **session default**
- For WiFi, Extensible Authentication Protocol (EAP) provides support
- For Wi-Fi, Extensible Authentication Protocol (EAP) provides support
The credentials are placed in Credential Manager as a *session credential*:
- A *session credential* implies that it is valid for the current user session
- The credentials are cleaned up when the WiFi or VPN connection is disconnected
- The credentials are cleaned up when the Wi-Fi or VPN connection is disconnected
> [!NOTE]
> In Windows 10, version 21H2 and later, the *session credential* is not visible in Credential Manager.
> In Windows 10, version 21H2 and later, the *session credential* isn't visible in Credential Manager.
For example, if someone using Microsoft Edge tries to access a domain resource, Microsoft Edge has the right Enterprise Authentication capability. This allows [WinInet](/windows/win32/wininet/wininet-reference) to release the credentials that it gets from Credential Manager to the SSP that is requesting it.
For more information about the Enterprise Authentication capability, see [App capability declarations](/windows/uwp/packaging/app-capability-declarations).
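Review bot: "For Wi-Fi, Extensible Authentication Protocol (EAP) provides support" doesn't say what is supported; since the previous bullet says the VPN stack saves its credential as the session default, state the Wi-Fi equivalent explicitly (that the EAP method saves the credential the same way). In the last paragraph "SSP" is used without expansion; spell out Security Support Provider on first use, and "has the right Enterprise Authentication capability" should make clear this is a capability the app declares in its manifest, which is what the linked App capability declarations article covers. Also prefer "isn't" for the note, as this hunk already does, over "is not" elsewhere in the file.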
@ -1,7 +1,7 @@
---
title: VPN authentication options
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.date: 06/20/2023
ms.date: 08/03/2023
ms.topic: conceptual
---
@ -1,7 +1,7 @@
---
title: VPN auto-triggered profile options
description: With auto-triggered VPN profile options, Windows can automatically establish a VPN connection based on IT admin-defined rules. Learn about the types of auto-trigger rules that you can create for VPN connections.
ms.date: 05/24/2023
ms.date: 08/03/2023
ms.topic: conceptual
---
@ -1,7 +1,7 @@
---
title: VPN and conditional access
description: Learn how to integrate the VPN client with the Conditional Access platform, and how to create access rules for Azure Active Directory (Azure AD) connected apps.
ms.date: 05/23/2023
ms.date: 08/03/2023
ms.topic: conceptual
---
@ -17,10 +17,10 @@ Conditional Access Platform components used for Device Compliance include the fo
- [Conditional Access Framework](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn)
- [Azure AD Connect Health](/azure/active-directory/connect-health/active-directory-aadconnect-health)
- [Windows Health Attestation Service](../../system-security/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md) (optional)
- Azure AD Certificate Authority - It is a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA cannot be configured as part of an on-premises Enterprise CA.
- Azure AD Certificate Authority - It's a requirement that the client certificate used for the cloud-based device compliance solution be issued by an Azure Active Directory-based Certificate Authority (CA). An Azure AD CA is essentially a mini-CA cloud tenant in Azure. The Azure AD CA can't be configured as part of an on-premises Enterprise CA.
See also [Always On VPN deployment for Windows Server and Windows 10](/windows-server/remote/remote-access/vpn/always-on-vpn/deploy/always-on-vpn-deploy).
- Azure AD-issued short-lived certificates - When a VPN connection attempt is made, the Azure AD Token Broker on the local device communicates with Azure Active Directory, which then checks for health based on compliance rules. If compliant, Azure AD sends back a short-lived certificate that is used to authenticate the VPN. Note that certificate authentication methods such as EAP-TLS can be used. When the client reconnects and determines that the certificate has expired, the client will again check with Azure AD for health validation before a new certificate is issued.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started) - Cloud-based device compliance leverages Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- [Microsoft Intune device compliance policies](/mem/intune/protect/device-compliance-get-started): Cloud-based device compliance uses Microsoft Intune Compliance Policies, which are capable of querying the device state and define compliance rules for the following, among other things.
- Antivirus status
- Auto-update status and update compliance
- Password policy compliance
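Review bot: the unindented "See also [Always On VPN deployment ...]" line sits between two list items at top level, which ends the bullet list and restarts it after the paragraph; either indent it under the Azure AD Certificate Authority bullet or move it below the list. The edited Azure AD CA and Intune bullets are fine, but the untouched short-lived certificates bullet between them still uses future tense ("the client will again check") and the filler "Note that certificate authentication methods such as EAP-TLS can be used"; since this freshness pass already switched the neighbouring bullet to a colon separator, apply the same separator and present tense to that bullet for consistency.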
@ -35,7 +35,7 @@ The following client-side components are also required:
## VPN device compliance
At this time, the Azure AD certificates issued to users do not contain a CRL Distribution Point (CDP) and are not suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
At this time, the Azure AD certificates issued to users don't contain a CRL Distribution Point (CDP) and aren't suitable for Key Distribution Centers (KDCs) to issue Kerberos tokens. For users to gain access to on-premises resources such as files on a network share, client authentication certificates must be deployed to the Windows profiles of the users, and their VPNv2 profiles must contain the <SSO> section.
Server-side infrastructure requirements to support VPN device compliance include:
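Review bot: `<SSO>` in "their VPNv2 profiles must contain the <SSO> section" is bare in Markdown, so the renderer treats it as an HTML tag and the element name disappears from the published page; wrap it in backticks as `` `<SSO>` `` (the same fix is needed on the old line, so this hunk is the right place). The contraction changes ("don't", "aren't") are consistent with the rest of the PR.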
@ -91,7 +91,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 3)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-3)
- [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](/archive/blogs/tip_of_the_day/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4)
## Related topics
## Related articles
- [VPN technical guide](vpn-guide.md)
- [VPN connection types](vpn-connection-type.md)
@ -1,7 +1,7 @@
---
title: VPN connection types (Windows 10 and Windows 11)
title: VPN connection types
description: Learn about Windows VPN platform clients and the VPN connection-type features that can be configured.
ms.date: 05/24/2022
ms.date: 08/03/2023
ms.topic: conceptual
---
@ -16,6 +16,7 @@ There are many options for VPN clients. In Windows, the built-in plug-in and the
## Built-in VPN client
Tunneling protocols:
- [Internet Key Exchange version 2 (IKEv2)](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687731(v=ws.10)): configure the IPsec/IKE tunnel cryptographic properties using the **Cryptography Suite** setting in the [VPNv2 Configuration Service Provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
- [L2TP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687761(v=ws.10)): L2TP with pre-shared key (PSK) authentication can be configured using the **L2tpPsk** setting in the [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp).
- [PPTP](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff687676(v=ws.10))
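Review bot: the PPTP entry is the only tunneling protocol with no description, and all three protocol links point at /previous-versions/ Windows Server 2008 R2 documentation; on a freshness pass, give PPTP the same one-line treatment as IKEv2 and L2TP (at minimum which VPNv2 CSP setting selects it) and confirm there are no current-generation targets for these links. The hunk itself only adds a blank line after the heading, which matches the spacing convention in the rest of the file.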
@ -1,7 +1,7 @@
---
title: Windows VPN technical guide
description: Learn how to plan and configure Windows devices for your organization's VPN solution.
ms.date: 05/24/2023
ms.date: 08/03/2023
ms.topic: conceptual
---
@ -1,7 +1,7 @@
---
title: VPN name resolution
description: Learn how name resolution works when using a VPN connection.
ms.date: 05/24/2023
ms.date: 08/03/2023
ms.topic: conceptual
---
@ -2,7 +2,7 @@
title: Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
description: Learn how to optimize Microsoft 365 traffic for remote workers with the Windows VPN client
ms.topic: article
ms.date: 05/24/2023
ms.date: 08/03/2023
---
# Optimize Microsoft 365 traffic for remote workers with the Windows VPN client
@ -1,13 +1,13 @@
---
title: VPN profile options
description: Windows adds Virtual Private Network (VPN) profile options to help manage how users connect. VPNs give users secure remote access to the company network.
ms.date: 05/17/2018
ms.date: 08/03/2023
ms.topic: conceptual
---
# VPN profile options
Most of the VPN settings in Windows 10 and Windows 11 can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. All VPN settings in Windows 10 and Windows 11 can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
Most of the VPN settings in Windows can be configured in VPN profiles using Microsoft Intune or Microsoft Configuration Manager. VPN settings can be configured using the **ProfileXML** node in the [VPNv2 configuration service provider (CSP)](/windows/client-management/mdm/vpnv2-csp).
>[!NOTE]
>If you're not familiar with CSPs, read [Introduction to configuration service providers (CSPs)](/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers) first.
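Review bot: the rewrite loses the contrast the original sentence drew: "Most of the VPN settings ... can be configured ... using Microsoft Intune or Microsoft Configuration Manager. All VPN settings ... can be configured using the ProfileXML node" told the reader that ProfileXML covers the settings the MDM UI doesn't, which is exactly the point the ProfileXML paragraph later in the file makes ("useful for deploying profiles with features that aren't yet supported by MDMs"). Keep "All" in the second sentence: "All VPN settings can be configured using the **ProfileXML** node ...". Dropping the explicit "Windows 10 and Windows 11" is fine given the appliesto metadata.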
@ -38,7 +38,6 @@ The following table lists the VPN settings and whether the setting can be config
The ProfileXML node was added to the VPNv2 CSP to allow users to deploy VPN profile as a single blob. This node is useful for deploying profiles with features that aren't yet supported by MDMs. You can get more examples in the [ProfileXML XSD](/windows/client-management/mdm/vpnv2-profile-xsd) article.
## Sample Native VPN profile
The following sample is a sample Native VPN profile. This blob would fall under the ProfileXML node.
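Review bot: while removing the extra blank line here, also fix the two wording problems in the surrounding context: "to allow users to deploy VPN profile as a single blob" needs an article ("a VPN profile"), and "The following sample is a sample Native VPN profile" repeats itself; "The following is a sample native VPN profile" reads better and matches the lowercase "profile" used in the heading sentence.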
@ -1,5 +1,5 @@
---
ms.date: 05/24/2023
ms.date: 08/03/2023
title: VPN routing decisions
description: Learn about approaches that either send all data through a VPN or only selected data. The one you choose impacts capacity planning and security expectations.
ms.topic: conceptual
@ -1,7 +1,7 @@
---
title: VPN security features
description: Learn about security features for VPN, including LockDown VPN and traffic filters.
ms.date: 05/24/2023
ms.date: 08/03/2023
ms.topic: conceptual
---