diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json index 1fc2ec8e56..00a95b4582 100644 --- a/.openpublishing.redirection.json +++ b/.openpublishing.redirection.json @@ -18956,10 +18956,10 @@ "redirect_document_id": false }, { - "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md", - "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance", + "source_path": "windows/security/identity-protection/change-history-for-access-protection.md", + "redirect_url": "/windows/security/", "redirect_document_id": false - }, + } ] diff --git a/.vscode/settings.json b/.vscode/settings.json deleted file mode 100644 index f66a07d2e4..0000000000 --- a/.vscode/settings.json +++ /dev/null @@ -1,5 +0,0 @@ -{ - "cSpell.words": [ - "emie" - ] -} \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-abovelock.md b/windows/client-management/mdm/policy-csp-abovelock.md index 23c1bb8142..b872c74469 100644 --- a/windows/client-management/mdm/policy-csp-abovelock.md +++ b/windows/client-management/mdm/policy-csp-abovelock.md @@ -40,29 +40,30 @@ manager: dansimp - - + + + - + + - - - - - + + - + + - - + + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark1
Businesscheck mark1YesYes
Enterprisecheck mark1YesYes
Educationcheck mark1
YesYes
@@ -83,7 +84,7 @@ Added in Windows 10, version 1607. Specifies whether or not the user can intera ADMX Info: -- GP English name: *Allow Cortana above lock screen* +- GP Friendly name: *Allow Cortana above lock screen* - GP name: *AllowCortanaAboveLock* - GP path: *Windows Components/Search* - GP ADMX file name: *Search.admx* @@ -106,29 +107,25 @@ The following list shows the supported values: - - + + + - + - - - - - + - + - - +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark
Businesscheck markYes, starting in Windows 10, version 1607Yes
Enterprisecheck markYes, starting in Windows 10, version 1607Yes
Educationcheck mark
Yes, starting in Windows 10, version 1607Yes
@@ -159,16 +156,6 @@ The following list shows the supported values:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-accounts.md b/windows/client-management/mdm/policy-csp-accounts.md index 644ff6136e..ed466fe64a 100644 --- a/windows/client-management/mdm/policy-csp-accounts.md +++ b/windows/client-management/mdm/policy-csp-accounts.md @@ -42,36 +42,39 @@ manager: dansimp - - + + + - + + - - - - - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
Mobilecheck markYesYes
Mobile Enterprisecheck markYesYes
@@ -113,36 +116,44 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck markYesYes
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck markYesYes
Mobilecheck markYesYes
Mobile Enterprisecheck markYesYes
@@ -181,36 +192,44 @@ The following list shows the supported values: - - + + + - + + - + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark2YesYes
Businesscheck mark2YesYes
Enterprisecheck mark2YesYes
Educationcheck mark2YesYes
Mobilecheck mark2YesYes
Mobile Enterprisecheck mark2YesYes
@@ -246,15 +265,6 @@ The following list shows the supported values:
-Footnotes: -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. \ No newline at end of file diff --git a/windows/client-management/mdm/policy-csp-activexcontrols.md b/windows/client-management/mdm/policy-csp-activexcontrols.md index 0ed2ddc357..95c9e7d80b 100644 --- a/windows/client-management/mdm/policy-csp-activexcontrols.md +++ b/windows/client-management/mdm/policy-csp-activexcontrols.md @@ -14,6 +14,12 @@ manager: dansimp # Policy CSP - ActiveXControls +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -36,29 +42,28 @@ manager: dansimp - - + + + - + - - - - - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procheck mark
Businesscheck markYesYes
Enterprisecheck markYesYes
Educationcheck mark
YesYes
@@ -83,12 +88,6 @@ If you disable or do not configure this policy setting, ActiveX controls prompt Note: Wild card characters cannot be used when specifying the host URLs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -101,16 +100,6 @@ ADMX Info:
-Footnotes: - -- 1 - Available in Windows 10, version 1607. -- 2 - Available in Windows 10, version 1703. -- 3 - Available in Windows 10, version 1709. -- 4 - Available in Windows 10, version 1803. -- 5 - Available in Windows 10, version 1809. -- 6 - Available in Windows 10, version 1903. -- 7 - Available in Windows 10, version 1909. -- 8 - Available in Windows 10, version 2004. diff --git a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md index 67982daf0e..c574952e31 100644 --- a/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md +++ b/windows/client-management/mdm/policy-csp-admx-activexinstallservice.md @@ -13,8 +13,14 @@ manager: dansimp --- # Policy CSP - ADMX_ActiveXInstallService -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. + +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -36,29 +42,28 @@ manager: dansimp - - - + + + - + + - - - - - + + - + + - - + +
Windows EditionSupported?
EditionWindows 10Windows 11
Homecross markNoNo
Procross mark
Businesscross markYesYes
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -74,7 +79,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the installation of ActiveX controls for sites in Trusted zone. +This policy setting controls the installation of ActiveX controls for sites in Trusted zone. If you enable this policy setting, ActiveX controls are installed according to the settings defined by this policy setting. @@ -86,12 +91,6 @@ If the trusted site uses the HTTPS protocol, this policy setting can also contro > This policy setting applies to all sites in Trusted zones. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -104,8 +103,6 @@ ADMX Info:
-> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md index 0c7c4b543b..f7b9ef9ea1 100644 --- a/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md +++ b/windows/client-management/mdm/policy-csp-admx-addremoveprograms.md @@ -14,8 +14,13 @@ manager: dansimp # Policy CSP - ADMX_AddRemovePrograms -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). +
@@ -67,28 +72,33 @@ manager: dansimp - - + + + - + + - + + - + + - - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck mark
YesYes
Educationcross markYesYes
@@ -106,7 +116,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. +The policy setting specifies the category of programs that appears when users open the "Add New Programs" page. If you enable this setting, only the programs in the category you specify are displayed when the "Add New Programs" page opens. You can use the Category box on the "Add New Programs" page to display programs in other categories. To use this setting, type the name of a category in the Category box for this setting. You must enter a category that is already defined in Add or Remove Programs. To define a category, use Software Installation. @@ -116,12 +126,6 @@ If you disable this setting or do not configure it, all programs (Category: All) > This setting is ignored if either the "Remove Add or Remove Programs" setting or the "Hide Add New Programs page" setting is enabled. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -150,28 +154,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markYesYes
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -189,7 +199,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. +This policy setting removes the "Add a program from CD-ROM or floppy disk" section from the Add New Programs page. This prevents users from using Add or Remove Programs to install programs from removable media. If you disable this setting or do not configure it, the "Add a program from CD-ROM or floppy disk" option is available to all users. This setting does not prevent users from using other tools and methods to add or remove program components. @@ -197,12 +207,6 @@ If you disable this setting or do not configure it, the "Add a program from CD-R > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. Also, if the "Prevent removable media source for any install" setting (located in User Configuration\Administrative Templates\Windows Components\Windows Installer) is enabled, users cannot add programs from removable media, regardless of this setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -231,28 +235,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -270,7 +280,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. +This policy setting removes the "Add programs from Microsoft" section from the Add New Programs page. This setting prevents users from using Add or Remove Programs to connect to Windows Update. If you disable this setting or do not configure it, "Add programs from Microsoft" is available to all users. This setting does not prevent users from using other tools and methods to connect to Windows Update. @@ -278,12 +288,7 @@ If you disable this setting or do not configure it, "Add programs from Microsoft > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -312,28 +317,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -351,7 +362,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. +This policy setting prevents users from viewing or installing published programs. This setting removes the "Add programs from your network" section from the Add New Programs page. The "Add programs from your network" section lists published programs and provides an easy way to install them. Published programs are those programs that the system administrator has explicitly made available to the user with a tool such as Windows Installer. Typically, system administrators publish programs to notify users that the programs are available, to recommend their use, or to enable users to install them without having to search for installation files. If you enable this setting, users cannot tell which programs have been published by the system administrator, and they cannot use Add or Remove Programs to install published programs. However, they can still install programs by using other methods, and they can view and install assigned (partially installed) programs that are offered on the desktop or on the Start menu. @@ -361,12 +372,7 @@ If you disable this setting or do not configure it, "Add programs from your netw > If the "Hide Add New Programs page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -394,28 +400,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -433,17 +445,12 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. +This policy setting removes the Add New Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Add New Programs button lets users install programs published or assigned by a system administrator. If you disable this setting or do not configure it, the Add New Programs button is available to all users. This setting does not prevent users from using other tools and methods to install programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: @@ -472,28 +479,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -511,21 +524,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. +This policy setting prevents users from using Add or Remove Programs. This setting removes Add or Remove Programs from Control Panel and removes the Add or Remove Programs item from menus. Add or Remove Programs lets users install, uninstall, repair, add, and remove features and components of Windows 2000 Professional and a wide variety of Windows programs. Programs published or assigned to the user appear in Add or Remove Programs. If you disable this setting or do not configure it, Add or Remove Programs is available to all users. When enabled, this setting takes precedence over the other settings in this folder. This setting does not prevent users from using other tools and methods to install or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Remove Add or Remove Programs* +- GP Friendly name: *Remove Add or Remove Programs* - GP name: *NoAddRemovePrograms* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -550,28 +558,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -589,22 +603,17 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. +This policy setting removes the Set Program Access and Defaults button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Set Program Access and Defaults button lets administrators specify default programs for certain activities, such as Web browsing or sending e-mail, as well as which programs are accessible from the Start menu, desktop, and other locations. If you disable this setting or do not configure it, the Set Program Access and Defaults button is available to all users. This setting does not prevent users from using other tools and methods to change program access or defaults. This setting does not prevent the Set Program Access and Defaults icon from appearing on the Start menu. See the "Remove Set Program Access and Defaults from Start menu" setting. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide the Set Program Access and Defaults page* +- GP Friendly name: *Hide the Set Program Access and Defaults page* - GP name: *NoChooseProgramsPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -629,29 +638,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -668,21 +682,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. +This policy setting removes the Change or Remove Programs button from the Add or Remove Programs bar. As a result, users cannot view or change the attached page. The Change or Remove Programs button lets users uninstall, repair, add, or remove features of installed programs. If you disable this setting or do not configure it, the Change or Remove Programs page is available to all users. This setting does not prevent users from using other tools and methods to delete or uninstall programs. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide Change or Remove Programs page* +- GP Friendly name: *Hide Change or Remove Programs page* - GP name: *NoRemovePage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -707,28 +716,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -746,7 +761,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. +This policy setting prevents users from using Add or Remove Programs to configure installed services. This setting removes the "Set up services" section of the Add/Remove Windows Components page. The "Set up services" section lists system services that have not been configured and offers users easy access to the configuration tools. If you disable this setting or do not configure it, "Set up services" appears only when there are unconfigured system services. If you enable this setting, "Set up services" never appears. This setting does not prevent users from using other methods to configure services. @@ -754,16 +769,11 @@ If you disable this setting or do not configure it, "Set up services" appears on > When "Set up services" does not appear, clicking the Add/Remove Windows Components button starts the Windows Component Wizard immediately. Because the only remaining option on the Add/Remove Windows Components page starts the wizard, that option is selected automatically, and the page is bypassed. To remove "Set up services" and prevent the Windows Component Wizard from starting, enable the "Hide Add/Remove Windows Components page" setting. If the "Hide Add/Remove Windows Components page" setting is enabled, this setting is ignored. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Go directly to Components Wizard* +- GP Friendly name: *Go directly to Components Wizard* - GP name: *NoServices* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -788,28 +798,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -827,7 +843,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. +This policy setting removes links to the Support Info dialog box from programs on the Change or Remove Programs page. Programs listed on the Change or Remove Programs page can include a "Click here for support information" hyperlink. When clicked, the hyperlink opens a dialog box that displays troubleshooting information, including a link to the installation files and data that users need to obtain product support, such as the Product ID and version number of the program. The dialog box also includes a hyperlink to support information on the Internet, such as the Microsoft Product Support Services Web page. If you disable this setting or do not configure it, the Support Info hyperlink appears. @@ -835,16 +851,10 @@ If you disable this setting or do not configure it, the Support Info hyperlink a > Not all programs provide a support information hyperlink. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: -- GP English name: *Remove Support Information* +- GP Friendly name: *Remove Support Information* - GP name: *NoSupportInfo* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -869,28 +879,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -908,21 +924,16 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. +This policy setting removes the Add/Remove Windows Components button from the Add or Remove Programs bar. As a result, users cannot view or change the associated page. The Add/Remove Windows Components button lets users configure installed services and use the Windows Component Wizard to add, remove, and configure components of Windows from the installation files. If you disable this setting or do not configure it, the Add/Remove Windows Components button is available to all users. This setting does not prevent users from using other tools and methods to configure services or add or remove program components. However, this setting blocks user access to the Windows Component Wizard. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). + ADMX Info: -- GP English name: *Hide Add/Remove Windows Components page* +- GP Friendly name: *Hide Add/Remove Windows Components page* - GP name: *NoWindowsSetupPage* - GP path: *Control Panel/Add or Remove Programs* - GP ADMX file name: *addremoveprograms.admx* @@ -939,8 +950,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-admx-appcompat.md b/windows/client-management/mdm/policy-csp-admx-appcompat.md index e145a37e11..2708da9adc 100644 --- a/windows/client-management/mdm/policy-csp-admx-appcompat.md +++ b/windows/client-management/mdm/policy-csp-admx-appcompat.md @@ -14,8 +14,12 @@ manager: dansimp # Policy CSP - ADMX_AppCompat -> [!WARNING] -> Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here. +> [!TIP] +> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). +> +> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). +> +> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect).
@@ -70,28 +74,34 @@ manager: dansimp - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -108,7 +118,7 @@ manager: dansimp -Available in the latest Windows 10 Insider Preview Build. This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. +This policy setting specifies whether to prevent the MS-DOS subsystem (**ntvdm.exe**) from running on this computer. This setting affects the launching of 16-bit applications in the operating system. You can use this setting to turn off the MS-DOS subsystem, which will reduce resource usage and prevent users from running 16-bit applications. To run any 16-bit application or any application with 16-bit components, **ntvdm.exe** must be allowed to run. The MS-DOS subsystem starts when the first 16-bit application is launched. While the MS-DOS subsystem is running, any subsequent 16-bit applications launch faster, but overall resource usage on the system is increased. @@ -122,12 +132,6 @@ If the status is set to Not Configured, the OS falls back on a local policy set > This setting appears only in Computer Configuration. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -147,28 +151,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -185,7 +195,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. +This policy setting controls the visibility of the Program Compatibility property page shell extension. This shell extension is visible on the property context-menu of any program shortcut or executable file. The compatibility property page displays a list of options that can be selected and applied to the application to resolve the most common issues affecting legacy applications. @@ -193,12 +203,6 @@ Enabling this policy setting removes the property page from the context-menus, b -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -218,28 +222,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -256,7 +266,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Application Telemetry engine in the system. +The policy setting controls the state of the Application Telemetry engine in the system. Application Telemetry is a mechanism that tracks anonymous usage of specific Windows system components by applications. @@ -268,12 +278,6 @@ Disabling telemetry will take effect on any newly launched applications. To ensu -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -293,28 +297,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -331,7 +341,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. The policy setting controls the state of the Switchback compatibility engine in the system. +The policy setting controls the state of the Switchback compatibility engine in the system. Switchback is a mechanism that provides generic compatibility mitigations to older applications by providing older behavior to old applications and new behavior to new applications. @@ -344,12 +354,6 @@ If you disable or do not configure this policy setting, the Switchback will be t Reboot the system after changing the setting to ensure that your system accurately reflects those changes. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -369,29 +373,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross mark
YesYes
@@ -407,7 +416,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the application compatibility engine in the system. +This policy setting controls the state of the application compatibility engine in the system. The engine is part of the loader and looks through a compatibility database every time an application is started on the system. If a match for the application is found it provides either run-time solutions or compatibility fixes, or displays an Application Help message if the application has a know problem. @@ -422,12 +431,6 @@ This option is useful to server administrators who require faster performance an -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -447,28 +450,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -485,16 +494,10 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. +This policy setting exists only for backward compatibility, and is not valid for this version of Windows. To configure the Program Compatibility Assistant, use the 'Turn off Program Compatibility Assistant' setting under Computer Configuration\Administrative Templates\Windows Components\Application Compatibility. -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -514,28 +517,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -552,7 +561,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. +This policy setting controls the state of the Program Compatibility Assistant (PCA). The PCA monitors applications run by the user. When a potential compatibility issue with an application is detected, the PCA will prompt the user with recommended solutions. To configure the diagnostic settings for the PCA, go to System->Troubleshooting and Diagnostics->Application Compatibility Diagnostics. If you enable this policy setting, the PCA will be turned off. The user will not be presented with solutions to known compatibility issues when running applications. Turning off the PCA can be useful for system administrators who require better performance and are already aware of application compatibility issues. @@ -563,12 +572,6 @@ If you disable or do not configure this policy setting, the PCA will be turned o -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -588,28 +591,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -626,7 +635,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of Steps Recorder. +This policy setting controls the state of Steps Recorder. Steps Recorder keeps a record of steps taken by the user. The data generated by Steps Recorder can be used in feedback systems such as Windows Error Reporting to help developers understand and fix problems. The data includes user actions such as keyboard input and mouse input, user interface data, and screenshots. Steps Recorder includes an option to turn on and off data collection. @@ -636,12 +645,6 @@ If you disable or do not configure this policy setting, Steps Recorder will be e -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -661,28 +664,34 @@ ADMX Info: - - + + + - + + - + + - + + - + + - + +
Windows EditionSupported?EditionWindows 10Windows 11
Homecross markNoNo
Procross markNoNo
Businesscross markNoNo
Enterprisecheck markYesYes
Educationcross markYesYes
@@ -699,7 +708,7 @@ ADMX Info: -Available in the latest Windows 10 Insider Preview Build. This policy setting controls the state of the Inventory Collector. +This policy setting controls the state of the Inventory Collector. The Inventory Collector inventories applications, files, devices, and drivers on the system and sends the information to Microsoft. This information is used to help diagnose compatibility problems. @@ -712,12 +721,6 @@ If you disable or do not configure this policy setting, the Inventory Collector -> [!TIP] -> This is an ADMX-backed policy and requires a special SyncML format to enable or disable. For details, see [Understanding ADMX-backed policies](./understanding-admx-backed-policies.md). -> -> You must specify the data type in the SyncML as <Format>chr</Format>. For an example SyncML, refer to [Enabling a policy](./understanding-admx-backed-policies.md#enabling-a-policy). -> -> The payload of the SyncML must be XML-encoded; for this XML encoding, there are a variety of online encoders that you can use. To avoid encoding the payload, you can use CDATA if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). ADMX Info: @@ -729,8 +732,6 @@ ADMX Info: -> [!NOTE] -> These policies are currently only available as part of a Windows Insider release. diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md index 1c0cdcacb8..e181048e21 100644 --- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md +++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md @@ -5,16 +5,15 @@ ms.author: dansimp ms.topic: article ms.prod: w10 ms.technology: windows -author: manikadhiman +author: dansimp ms.localizationpriority: medium -ms.date: 05/02/2021 +ms.date: 09/29/2021 ms.reviewer: manager: dansimp --- # Policy CSP - LocalPoliciesSecurityOptions -
@@ -164,11 +163,10 @@ manager: dansimp -
> [!NOTE] -> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). +> To find data formats (and other policy-related details), see [Policy DDF file](./policy-ddf-file.md). **LocalPoliciesSecurityOptions/Accounts_BlockMicrosoftAccounts** @@ -304,9 +302,8 @@ This security setting determines whether local accounts that are not password pr Default: Enabled. -Warning: - -Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. +> [!WARNING] +> Computers that are not in physically secure locations should always enforce strong password policies for all local user accounts. Otherwise, anyone with physical access to the computer can log on by using a user account that does not have a password. This is especially important for portable computers. If you apply this security policy to the Everyone group, no one will be able to log on through Remote Desktop Services. This setting does not affect logons that use domain accounts. @@ -524,9 +521,8 @@ Devices: Allow undock without having to log on. This security setting determines whether a portable computer can be undocked without having to log on. If this policy is enabled, logon is not required and an external hardware eject button can be used to undock the computer. If disabled, a user must log on and have the Remove computer from docking station privilege to undock the computer. Default: Enabled. -Caution: - -Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. +> [!CAUTION] +> Disabling this policy may tempt users to try and physically remove the laptop from its docking station using methods other than the external hardware eject button. Since this may cause damage to the hardware, this setting, in general, should only be disabled on laptop configurations that are physically securable. @@ -666,7 +662,7 @@ For a computer to print to a shared printer, the driver for that shared printer Default on servers: Enabled. Default on workstations: Disabled ->[!Note] +>[!NOTE] >This setting does not affect the ability to add a local printer. This setting does not affect Administrators. @@ -1413,14 +1409,14 @@ If this setting is enabled, the Microsoft network client will not communicate wi Default: Disabled. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> [!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component.Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1493,16 +1489,16 @@ If this setting is enabled, the Microsoft network client will ask the server to Default: Enabled. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> [!Note] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. -For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1728,16 +1724,16 @@ If this setting is enabled, the Microsoft network server will not communicate wi Default: Disabled for member servers. Enabled for domain controllers. ->[!Note] ->All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> [!NOTE] +> All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. > ->Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. ->If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). +> Similarly, if client-side SMB signing is required, that client will not be able to establish a session with servers that do not have packet signing enabled. By default, server-side SMB signing is enabled only on domain controllers. +> If server-side SMB signing is enabled, SMB packet signing will be negotiated with clients that have client-side SMB signing enabled. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1810,15 +1806,15 @@ If this setting is enabled, the Microsoft network server will negotiate SMB pack Default: Enabled on domain controllers only. ->[!Note] +> [!NOTE] > All Windows operating systems support both a client-side SMB component and a server-side SMB component. Enabling or requiring packet signing for client and server-side SMB components is controlled by the following four policy settings: ->- Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. ->- Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. ->- Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. ->- Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. ->If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. +> - Microsoft network client: Digitally sign communications (always) - Controls whether or not the client-side SMB component requires packet signing. +> - Microsoft network client: Digitally sign communications (if server agrees) - Controls whether or not the client-side SMB component has packet signing enabled. +> - Microsoft network server: Digitally sign communications (always) - Controls whether or not the server-side SMB component requires packet signing. +> - Microsoft network server: Digitally sign communications (if client agrees) - Controls whether or not the server-side SMB component has packet signing enabled. +> If both client-side and server-side SMB signing is enabled and the client establishes an SMB 1.0 connection to the server, SMB signing will be attempted. > ->SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. +> SMB packet signing can significantly degrade SMB performance, depending on dialect version, OS version, file sizes, processor offloading capabilities, and application IO behaviors. This setting only applies to SMB 1.0 connections. For more information, reference: [Reduced performance after SMB Encryption or SMB Signing is enabled - Windows Server | Microsoft Docs](/troubleshoot/windows-server/networking/reduced-performance-after-smb-encryption-signing). @@ -1896,8 +1892,8 @@ Disabled: No additional restrictions. Rely on default permissions. Default on workstations: Enabled. Default on server:Enabled. ->[!Important] ->This policy has no impact on domain controllers. +> [!IMPORTANT] +> This policy has no impact on domain controllers. @@ -3189,8 +3185,9 @@ This policy setting controls the behavior of the elevation prompt for administra The options are: - 0 - Elevate without prompting: Allows privileged accounts to perform an operation that requires elevation without requiring consent or credentials. - > [!NOTE] - > Use this option only in the most constrained environments. + + > [!NOTE] + > Use this option only in the most constrained environments. - 1 - Prompt for credentials on the secure desktop: When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a privileged user name and password. If the user enters valid credentials, the operation continues with the user's highest available privilege. @@ -3565,8 +3562,10 @@ This policy setting controls the behavior of all User Account Control (UAC) poli The options are: - 0 - Disabled: Admin Approval Mode and all related UAC policy settings are disabled. - > [!NOTE] - > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + + > [!NOTE] + > If this policy setting is disabled, the Security Center notifies you that the overall security of the operating system has been reduced. + - 1 - Enabled: (Default) Admin Approval Mode is enabled. This policy must be enabled and related UAC policy settings must also be set appropriately to allow the built-in Administrator account and all other users who are members of the Administrators group to run in Admin Approval Mode. diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md index 63c9c6aa24..546749d1dd 100644 --- a/windows/deployment/update/deployment-service-overview.md +++ b/windows/deployment/update/deployment-service-overview.md @@ -81,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform, ### Using Microsoft Endpoint Manager -Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates). +Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates). ### Scripting common actions using PowerShell @@ -115,7 +115,7 @@ You should continue to use deployment rings as part of the servicing strategy fo ### Monitoring deployments to detect rollback issues -During a feature update deployment, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. +During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues. ### How to enable deployment protections @@ -124,21 +124,16 @@ Deployment scheduling controls are always available, but to take advantage of th #### Device prerequisites -> [!NOTE] -> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect. - - Diagnostic data is set to *Required* or *Optional*. - The **AllowWUfBCloudProcessing** policy is set to **8**. #### Set the **AllowWUfBCloudProcessing** policy -To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy. - -> [!NOTE] -> Setting this policy by using Group Policy isn't currently supported. +To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy. | Policy | Sets registry key under **HKLM\\Software** | |--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------| +| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | \\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing | | MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing | Following is an example of setting the policy using Microsoft Endpoint Manager: @@ -184,5 +179,5 @@ Avoid using different channels to manage the same resources. If you use Microsof To learn more about the deployment service, try the following: -- [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates) +- [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates) - [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview) diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml index 70e61e303f..d150e02df0 100644 --- a/windows/security/TOC.yml +++ b/windows/security/TOC.yml @@ -1,9 +1,470 @@ -- name: Security + +- name: Windows security href: index.yml +- name: Zero Trust and Windows + href: zero-trust-windows-device-health.md + expanded: true +- name: Hardware security items: - - name: Identity and access management - href: identity-protection/index.md - - name: Information protection - href: information-protection/index.md - - name: Threat protection - href: threat-protection/index.md + - name: Overview + href: hardware.md + - name: Trusted Platform Module + href: information-protection/tpm/trusted-platform-module-top-node.md + items: + - name: Trusted Platform Module Overview + href: information-protection/tpm/trusted-platform-module-overview.md + - name: TPM fundamentals + href: information-protection/tpm/tpm-fundamentals.md + - name: How Windows uses the TPM + href: information-protection/tpm/how-windows-uses-the-tpm.md + - name: TPM Group Policy settings + href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md + - name: Back up the TPM recovery information to AD DS + href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md + - name: View status, clear, or troubleshoot the TPM + href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md + - name: Understanding PCR banks on TPM 2.0 devices + href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md + - name: TPM recommendations + href: information-protection/tpm/tpm-recommendations.md + - name: Hardware-based root of trust + href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - name: System Guard Secure Launch and SMM protection + href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - name: Enable virtualization-based protection of code integrity + href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - name: Kernel DMA Protection + href: information-protection/kernel-dma-protection-for-thunderbolt.md + - name: Windows secured-core devices + href: /windows-hardware/design/device-experiences/oem-highly-secure +- name: Operating system security + items: + - name: Overview + href: operating-system.md + - name: System security + items: + - name: Secure the Windows boot process + href: information-protection/secure-the-windows-10-boot-process.md + - name: Trusted Boot + href: trusted-boot.md + - name: Cryptography and certificate management + href: cryptography-certificate-mgmt.md + - name: The Windows Security app + href: threat-protection/windows-defender-security-center/windows-defender-security-center.md + items: + - name: Virus & threat protection + href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md + - name: Account protection + href: threat-protection\windows-defender-security-center\wdsc-account-protection.md + - name: Firewall & network protection + href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md + - name: App & browser control + href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md + - name: Device security + href: threat-protection\windows-defender-security-center\wdsc-device-security.md + - name: Device performance & health + href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md + - name: Family options + href: threat-protection\windows-defender-security-center\wdsc-family-options.md + - name: Security policy settings + href: threat-protection/security-policy-settings/security-policy-settings.md + - name: Security auditing + href: threat-protection/auditing/security-auditing-overview.md + - name: Encryption and data protection + href: encryption-data-protection.md + items: + - name: Encrypted Hard Drive + href: information-protection/encrypted-hard-drive.md + - name: BitLocker + href: information-protection/bitlocker/bitlocker-overview.md + items: + - name: Overview of BitLocker Device Encryption in Windows + href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md + - name: BitLocker frequently asked questions (FAQ) + href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml + items: + - name: Overview and requirements + href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml + - name: Upgrading + href: information-protection/bitlocker/bitlocker-upgrading-faq.yml + - name: Deployment and administration + href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml + - name: Key management + href: information-protection/bitlocker/bitlocker-key-management-faq.yml + - name: BitLocker To Go + href: information-protection/bitlocker/bitlocker-to-go-faq.yml + - name: Active Directory Domain Services + href: information-protection/bitlocker/bitlocker-and-adds-faq.yml + - name: Security + href: information-protection/bitlocker/bitlocker-security-faq.yml + - name: BitLocker Network Unlock + href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml + - name: General + href: information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml + - name: "Prepare your organization for BitLocker: Planning and policies" + href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md + - name: BitLocker deployment comparison + href: information-protection/bitlocker/bitlocker-deployment-comparison.md + - name: BitLocker basic deployment + href: information-protection/bitlocker/bitlocker-basic-deployment.md + - name: Deploy BitLocker on Windows Server 2012 and later + href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md + - name: BitLocker management for enterprises + href: information-protection/bitlocker/bitlocker-management-for-enterprises.md + - name: Enable Network Unlock with BitLocker + href: information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md + - name: Use BitLocker Drive Encryption Tools to manage BitLocker + href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md + - name: Use BitLocker Recovery Password Viewer + href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md + - name: BitLocker Group Policy settings + href: information-protection/bitlocker/bitlocker-group-policy-settings.md + - name: BCD settings and BitLocker + href: information-protection/bitlocker/bcd-settings-and-bitlocker.md + - name: BitLocker Recovery Guide + href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md + - name: BitLocker Countermeasures + href: information-protection/bitlocker/bitlocker-countermeasures.md + - name: Protecting cluster shared volumes and storage area networks with BitLocker + href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md + - name: Troubleshoot BitLocker + items: + - name: Troubleshoot BitLocker + href: information-protection/bitlocker/troubleshoot-bitlocker.md + - name: "BitLocker cannot encrypt a drive: known issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md + - name: "Enforcing BitLocker policies by using Intune: known issues" + href: information-protection/bitlocker/ts-bitlocker-intune-issues.md + - name: "BitLocker Network Unlock: known issues" + href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md + - name: "BitLocker recovery: known issues" + href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md + - name: "BitLocker configuration: known issues" + href: information-protection/bitlocker/ts-bitlocker-config-issues.md + - name: Troubleshoot BitLocker and TPM issues + items: + - name: "BitLocker cannot encrypt a drive: known TPM issues" + href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md + - name: "BitLocker and TPM: other known issues" + href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md + - name: Decode Measured Boot logs to track PCR changes + href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md + - name: Configure S/MIME for Windows + href: identity-protection/configure-s-mime.md + - name: Network security + items: + - name: VPN technical guide + href: identity-protection/vpn/vpn-guide.md + items: + - name: VPN connection types + href: identity-protection/vpn/vpn-connection-type.md + - name: VPN routing decisions + href: identity-protection/vpn/vpn-routing.md + - name: VPN authentication options + href: identity-protection/vpn/vpn-authentication.md + - name: VPN and conditional access + href: identity-protection/vpn/vpn-conditional-access.md + - name: VPN name resolution + href: identity-protection/vpn/vpn-name-resolution.md + - name: VPN auto-triggered profile options + href: identity-protection/vpn/vpn-auto-trigger-profile.md + - name: VPN security features + href: identity-protection/vpn/vpn-security-features.md + - name: VPN profile options + href: identity-protection/vpn/vpn-profile-options.md + - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections + href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md + - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections + href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md + - name: Optimizing Office 365 traffic with the Windows VPN client + href: identity-protection/vpn/vpn-office-365-optimization.md + - name: Windows Defender Firewall + href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - name: Windows security baselines + href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + items: + - name: Security Compliance Toolkit + href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md + - name: Get support + href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md + - name: Virus & threat protection + items: + - name: Overview + href: threat-protection/index.md + - name: Microsoft Defender Antivirus + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows + - name: Attack surface reduction rules + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction + - name: Tamper protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection + - name: Network protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection + - name: Controlled folder access + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders + - name: Exploit protection + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection + - name: Microsoft Defender for Endpoint + href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint + - name: Security intelligence + href: threat-protection/intelligence/index.md + items: + - name: Understand malware & other threats + href: threat-protection/intelligence/understanding-malware.md + items: + - name: Prevent malware infection + href: threat-protection/intelligence/prevent-malware-infection.md + - name: Malware names + href: threat-protection/intelligence/malware-naming.md + - name: Coin miners + href: threat-protection/intelligence/coinminer-malware.md + - name: Exploits and exploit kits + href: threat-protection/intelligence/exploits-malware.md + - name: Fileless threats + href: threat-protection/intelligence/fileless-threats.md + - name: Macro malware + href: threat-protection/intelligence/macro-malware.md + - name: Phishing + href: threat-protection/intelligence/phishing.md + - name: Ransomware + href: /security/compass/human-operated-ransomware + - name: Rootkits + href: threat-protection/intelligence/rootkits-malware.md + - name: Supply chain attacks + href: threat-protection/intelligence/supply-chain-malware.md + - name: Tech support scams + href: threat-protection/intelligence/support-scams.md + - name: Trojans + href: threat-protection/intelligence/trojans-malware.md + - name: Unwanted software + href: threat-protection/intelligence/unwanted-software.md + - name: Worms + href: threat-protection/intelligence/worms-malware.md + - name: How Microsoft identifies malware and PUA + href: threat-protection/intelligence/criteria.md + - name: Submit files for analysis + href: threat-protection/intelligence/submission-guide.md + - name: Safety Scanner download + href: threat-protection/intelligence/safety-scanner-download.md + - name: Industry collaboration programs + href: threat-protection/intelligence/cybersecurity-industry-partners.md + items: + - name: Virus information alliance + href: threat-protection/intelligence/virus-information-alliance-criteria.md + - name: Microsoft virus initiative + href: threat-protection/intelligence/virus-initiative-criteria.md + - name: Coordinated malware eradication + href: threat-protection/intelligence/coordinated-malware-eradication.md + - name: Information for developers + items: + - name: Software developer FAQ + href: threat-protection/intelligence/developer-faq.yml + - name: Software developer resources + href: threat-protection/intelligence/developer-resources.md + - name: More Windows security + items: + - name: Override Process Mitigation Options to help enforce app-related security policies + href: threat-protection/override-mitigation-options-for-app-related-security-policies.md + - name: Use Windows Event Forwarding to help with intrusion detection + href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md + - name: Block untrusted fonts in an enterprise + href: threat-protection/block-untrusted-fonts-in-enterprise.md + - name: Windows Information Protection (WIP) + href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md + items: + - name: Create a WIP policy using Microsoft Intune + href: information-protection/windows-information-protection/overview-create-wip-policy.md + items: + - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md + items: + - name: Deploy your WIP policy using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md + - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune + href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Create a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md + items: + - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager + href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md + - name: Create and verify an EFS Data Recovery Agent (DRA) certificate + href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md + - name: Determine the Enterprise Context of an app running in WIP + href: information-protection/windows-information-protection/wip-app-enterprise-context.md + - name: Mandatory tasks and settings required to turn on WIP + href: information-protection/windows-information-protection/mandatory-settings-for-wip.md + - name: Testing scenarios for WIP + href: information-protection/windows-information-protection/testing-scenarios-for-wip.md + - name: Limitations while using WIP + href: information-protection/windows-information-protection/limitations-with-wip.md + - name: How to collect WIP audit event logs + href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md + - name: General guidance and best practices for WIP + href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md + items: + - name: Enlightened apps for use with WIP + href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md + - name: Unenlightened and enlightened app behavior while using WIP + href: information-protection/windows-information-protection/app-behavior-with-wip.md + - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP + href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md + - name: Using Outlook Web Access with WIP + href: information-protection/windows-information-protection/using-owa-with-wip.md + - name: Fine-tune WIP Learning + href: information-protection/windows-information-protection/wip-learning.md +- name: Application security + items: + - name: Overview + href: apps.md + - name: Windows Defender Application Control and virtualization-based protection of code integrity + href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - name: Windows Defender Application Control + href: threat-protection\windows-defender-application-control\windows-defender-application-control.md + - name: Microsoft Defender Application Guard + href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md + - name: Windows Sandbox + href: threat-protection/windows-sandbox/windows-sandbox-overview.md + items: + - name: Windows Sandbox architecture + href: threat-protection/windows-sandbox/windows-sandbox-architecture.md + - name: Windows Sandbox configuration + href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md + - name: Microsoft Defender SmartScreen overview + href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - name: Configure S/MIME for Windows + href: identity-protection\configure-s-mime.md + - name: Windows Credential Theft Mitigation Guide Abstract + href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md +- name: User security and secured identity + items: + - name: Overview + href: identity.md + - name: Windows Hello for Business + href: identity-protection/hello-for-business/index.yml + - name: Windows credential theft mitigation guide + href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - name: Enterprise Certificate Pinning + href: identity-protection/enterprise-certificate-pinning.md + - name: Protect derived domain credentials with Credential Guard + href: identity-protection/credential-guard/credential-guard.md + items: + - name: How Credential Guard works + href: identity-protection/credential-guard/credential-guard-how-it-works.md + - name: Credential Guard Requirements + href: identity-protection/credential-guard/credential-guard-requirements.md + - name: Manage Credential Guard + href: identity-protection/credential-guard/credential-guard-manage.md + - name: Hardware readiness tool + href: identity-protection/credential-guard/dg-readiness-tool.md + - name: Credential Guard protection limits + href: identity-protection/credential-guard/credential-guard-protection-limits.md + - name: Considerations when using Credential Guard + href: identity-protection/credential-guard/credential-guard-considerations.md + - name: "Credential Guard: Additional mitigations" + href: identity-protection/credential-guard/additional-mitigations.md + - name: "Credential Guard: Known issues" + href: identity-protection/credential-guard/credential-guard-known-issues.md + - name: Protect Remote Desktop credentials with Remote Credential Guard + href: identity-protection/remote-credential-guard.md + - name: Technical support policy for lost or forgotten passwords + href: identity-protection/password-support-policy.md + - name: Access Control Overview + href: identity-protection/access-control/access-control.md + items: + - name: Dynamic Access Control Overview + href: identity-protection/access-control/dynamic-access-control.md + - name: Security identifiers + href: identity-protection/access-control/security-identifiers.md + - name: Security Principals + href: identity-protection/access-control/security-principals.md + - name: Local Accounts + href: identity-protection/access-control/local-accounts.md + - name: Active Directory Accounts + href: identity-protection/access-control/active-directory-accounts.md + - name: Microsoft Accounts + href: identity-protection/access-control/microsoft-accounts.md + - name: Service Accounts + href: identity-protection/access-control/service-accounts.md + - name: Active Directory Security Groups + href: identity-protection/access-control/active-directory-security-groups.md + - name: Special Identities + href: identity-protection/access-control/special-identities.md + - name: User Account Control + href: identity-protection/user-account-control/user-account-control-overview.md + items: + - name: How User Account Control works + href: identity-protection/user-account-control/how-user-account-control-works.md + - name: User Account Control security policy settings + href: identity-protection/user-account-control/user-account-control-security-policy-settings.md + - name: User Account Control Group Policy and registry key settings + href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md + - name: Smart Cards + href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md + items: + - name: How Smart Card Sign-in Works in Windows + href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md + items: + - name: Smart Card Architecture + href: identity-protection/smart-cards/smart-card-architecture.md + - name: Certificate Requirements and Enumeration + href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md + - name: Smart Card and Remote Desktop Services + href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md + - name: Smart Cards for Windows Service + href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md + - name: Certificate Propagation Service + href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md + - name: Smart Card Removal Policy Service + href: identity-protection/smart-cards/smart-card-removal-policy-service.md + - name: Smart Card Tools and Settings + href: identity-protection/smart-cards/smart-card-tools-and-settings.md + items: + - name: Smart Cards Debugging Information + href: identity-protection/smart-cards/smart-card-debugging-information.md + - name: Smart Card Group Policy and Registry Settings + href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md + - name: Smart Card Events + href: identity-protection/smart-cards/smart-card-events.md + - name: Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md + items: + - name: Understanding and Evaluating Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md + items: + - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" + href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md + - name: Use Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md + - name: Deploy Virtual Smart Cards + href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md + - name: Evaluate Virtual Smart Card Security + href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md + - name: Tpmvscmgr + href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md +- name: Cloud services + items: + - name: Overview + href: cloud.md + - name: Mobile device management + href: https://docs.microsoft.com/windows/client-management/mdm/ + - name: Windows 365 Cloud PCs + href: /windows-365/overview + - name: Azure Virtual Desktop + href: /azure/virtual-desktop/ +- name: Security foundations + items: + - name: Overview + href: security-foundations.md + - name: Microsoft Security Development Lifecycle + href: threat-protection/msft-security-dev-lifecycle.md + - name: Microsoft Bug Bounty Program + href: threat-protection/microsoft-bug-bounty-program.md + - name: FIPS 140-2 Validation + href: threat-protection/fips-140-validation.md + - name: Common Criteria Certifications + href: threat-protection/windows-platform-common-criteria.md +- name: Windows Privacy + href: /windows/privacy/windows-10-and-privacy-compliance diff --git a/windows/security/apps.md b/windows/security/apps.md new file mode 100644 index 0000000000..e376d06d98 --- /dev/null +++ b/windows/security/apps.md @@ -0,0 +1,28 @@ +--- +title: Windows application security +description: Get an overview of application security in Windows 10 and Windows 11 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows application security + +Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security. + +The following table summarizes the Windows security features and capabilities for apps:

+ +| Security Measures | Features & Capabilities | +|:---|:---| +| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](threat-protection/windows-defender-application-control/windows-defender-application-control.md) | +| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). | +| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](threat-protection\windows-sandbox\windows-sandbox-overview.md) +| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) | +| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) | diff --git a/windows/security/cloud.md b/windows/security/cloud.md new file mode 100644 index 0000000000..7bccc2aa84 --- /dev/null +++ b/windows/security/cloud.md @@ -0,0 +1,39 @@ +--- +title: Windows and cloud security +description: Get an overview of cloud services supported in Windows 11 and Windows 10 +ms.reviewer: +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/20/2021 +ms.localizationpriority: medium +ms.custom: +f1.keywords: NOCSH +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +search.appverid: MET150 +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows and cloud security + +Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats. + +Windows 11 includes the cloud services that are listed in the following table:

+ +| Service type | Description | +|:---|:---| +| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.

Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.

To learn more, see [Mobile device management](/windows/client-management/mdm/). | +| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.

The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.

To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).| +| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.

The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).

In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). | +| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.

With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.

To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) | + +## Next steps + +- [Learn more about MDM and Windows 11](/windows/client-management/mdm/) +- [Learn more about Windows security](index.yml) \ No newline at end of file diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md new file mode 100644 index 0000000000..7c781c1bdf --- /dev/null +++ b/windows/security/cryptography-certificate-mgmt.md @@ -0,0 +1,43 @@ +--- +title: Cryptography and Certificate Management +description: Get an overview of cryptography and certificate management in Windows +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/07/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: skhadeer, raverma +f1.keywords: NOCSH +--- + +# Cryptography and Certificate Management + + +## Cryptography + +Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets. + +Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources. + +Windows cryptographic modules provide low-level primitives such as: + +- Random number generators (RNG) +- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521) +- Hashing (support for SHA-256, SHA-384, and SHA-512) +- Signing and verification (padding support for OAEP, PSS, PKCS1) +- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF) + +These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG). + +## Certificate management + +Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately. + +Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer. diff --git a/windows/security/docfx.json b/windows/security/docfx.json index 3a997cd1e9..d1a625e8bd 100644 --- a/windows/security/docfx.json +++ b/windows/security/docfx.json @@ -48,7 +48,7 @@ "folder_relative_path_in_docset": "./" } }, - "titleSuffix": "Microsoft 365 Security", + "titleSuffix": "Windows security", "contributors_to_exclude": [ "rjagiewich", "traya1", diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md new file mode 100644 index 0000000000..359afde71f --- /dev/null +++ b/windows/security/encryption-data-protection.md @@ -0,0 +1,54 @@ +--- +title: Encryption and data protection in Windows +description: Get an overview encryption and data protection in Windows 11 and Windows 10 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/08/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: deepakm, rafals +f1.keywords: NOCSH +--- + +# Encryption and data protection in Windows client + +When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. +Encryption and data protection features include: + +- Encrypted Hard Drive +- BitLocker + +## Encrypted Hard Drive + +Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management. +By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity. + +Encrypted hard drives provide: + +- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation. +- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system. +- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive. +- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process. + +Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption. + +## BitLocker + +BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. + +BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM. + +Windows consistently improves data protection by improving existing options and providing new strategies. + + +## See also + +- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md) +- [BitLocker](information-protection/bitlocker/bitlocker-overview.md) diff --git a/windows/security/hardware.md b/windows/security/hardware.md new file mode 100644 index 0000000000..435dd886c2 --- /dev/null +++ b/windows/security/hardware.md @@ -0,0 +1,27 @@ +--- +title: Windows hardware security +description: Get an overview of hardware security in Windows 11 and Windows 10 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows hardware security + +Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data, and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. +These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

+ +| Security Measures | Features & Capabilities | +|:---|:---| +| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.

Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). | +| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.

Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). | +| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.

Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md). +| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.

Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). | +| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.

Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.

Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).| diff --git a/windows/security/identity-protection/TOC.yml b/windows/security/identity-protection/TOC.yml deleted file mode 100644 index 5e4680879e..0000000000 --- a/windows/security/identity-protection/TOC.yml +++ /dev/null @@ -1,132 +0,0 @@ -- name: Identity and access management - href: index.md - items: - - name: Technical support policy for lost or forgotten passwords - href: password-support-policy.md - - name: Access Control Overview - href: access-control/access-control.md - items: - - name: Dynamic Access Control Overview - href: access-control/dynamic-access-control.md - - name: Security identifiers - href: access-control/security-identifiers.md - - name: Security Principals - href: access-control/security-principals.md - - name: Local Accounts - href: access-control/local-accounts.md - - name: Active Directory Accounts - href: access-control/active-directory-accounts.md - - name: Microsoft Accounts - href: access-control/microsoft-accounts.md - - name: Service Accounts - href: access-control/service-accounts.md - - name: Active Directory Security Groups - href: access-control/active-directory-security-groups.md - - name: Special Identities - href: access-control/special-identities.md - - name: User Account Control - href: user-account-control\user-account-control-overview.md - items: - - name: How User Account Control works - href: user-account-control\how-user-account-control-works.md - - name: User Account Control security policy settings - href: user-account-control\user-account-control-security-policy-settings.md - - name: User Account Control Group Policy and registry key settings - href: user-account-control\user-account-control-group-policy-and-registry-key-settings.md - - name: Windows Hello for Business - href: hello-for-business/index.yml - - name: Protect derived domain credentials with Credential Guard - href: credential-guard/credential-guard.md - items: - - name: How Credential Guard works - href: credential-guard/credential-guard-how-it-works.md - - name: Credential Guard Requirements - href: credential-guard/credential-guard-requirements.md - - name: Manage Credential Guard - href: credential-guard/credential-guard-manage.md - - name: Hardware readiness tool - href: credential-guard/dg-readiness-tool.md - - name: Credential Guard protection limits - href: credential-guard/credential-guard-protection-limits.md - - name: Considerations when using Credential Guard - href: credential-guard/credential-guard-considerations.md - - name: "Credential Guard: Additional mitigations" - href: credential-guard/additional-mitigations.md - - name: "Credential Guard: Known issues" - href: credential-guard/credential-guard-known-issues.md - - name: Protect Remote Desktop credentials with Remote Credential Guard - href: remote-credential-guard.md - - name: Smart Cards - href: smart-cards/smart-card-windows-smart-card-technical-reference.md - items: - - name: How Smart Card Sign-in Works in Windows - href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md - items: - - name: Smart Card Architecture - href: smart-cards/smart-card-architecture.md - - name: Certificate Requirements and Enumeration - href: smart-cards/smart-card-certificate-requirements-and-enumeration.md - - name: Smart Card and Remote Desktop Services - href: smart-cards/smart-card-and-remote-desktop-services.md - - name: Smart Cards for Windows Service - href: smart-cards/smart-card-smart-cards-for-windows-service.md - - name: Certificate Propagation Service - href: smart-cards/smart-card-certificate-propagation-service.md - - name: Smart Card Removal Policy Service - href: smart-cards/smart-card-removal-policy-service.md - - name: Smart Card Tools and Settings - href: smart-cards/smart-card-tools-and-settings.md - items: - - name: Smart Cards Debugging Information - href: smart-cards/smart-card-debugging-information.md - - name: Smart Card Group Policy and Registry Settings - href: smart-cards/smart-card-group-policy-and-registry-settings.md - - name: Smart Card Events - href: smart-cards/smart-card-events.md - - name: Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-overview.md - items: - - name: Understanding and Evaluating Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md - items: - - name: "Get Started with Virtual Smart Cards: Walkthrough Guide" - href: virtual-smart-cards\virtual-smart-card-get-started.md - - name: Use Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md - - name: Deploy Virtual Smart Cards - href: virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md - - name: Evaluate Virtual Smart Card Security - href: virtual-smart-cards\virtual-smart-card-evaluate-security.md - - name: Tpmvscmgr - href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md - - name: Enterprise Certificate Pinning - href: enterprise-certificate-pinning.md - - name: Windows 10 credential theft mitigation guide abstract - href: windows-credential-theft-mitigation-guide-abstract.md - - name: Configure S/MIME for Windows 10 - href: configure-s-mime.md - - name: VPN technical guide - href: vpn\vpn-guide.md - items: - - name: VPN connection types - href: vpn\vpn-connection-type.md - - name: VPN routing decisions - href: vpn\vpn-routing.md - - name: VPN authentication options - href: vpn\vpn-authentication.md - - name: VPN and conditional access - href: vpn\vpn-conditional-access.md - - name: VPN name resolution - href: vpn\vpn-name-resolution.md - - name: VPN auto-triggered profile options - href: vpn\vpn-auto-trigger-profile.md - - name: VPN security features - href: vpn\vpn-security-features.md - - name: VPN profile options - href: vpn\vpn-profile-options.md - - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections - href: vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md - - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections - href: vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md - - name: Optimizing Office 365 traffic with the Windows 10 VPN client - href: vpn\vpn-office-365-optimization.md diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md deleted file mode 100644 index 9cd9f0847d..0000000000 --- a/windows/security/identity-protection/change-history-for-access-protection.md +++ /dev/null @@ -1,36 +0,0 @@ ---- -title: Change history for access protection (Windows 10) -description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10. -ms.prod: w10 -ms.mktglfcycl: deploy -ms.sitesec: library -ms.pagetype: security -audience: ITPro -author: dansimp -ms.author: dansimp -manager: dansimp -ms.collection: M365-identity-device-management -ms.topic: article -ms.localizationpriority: medium -ms.date: 08/11/2017 -ms.reviewer: ---- - -# Change history for access protection -This topic lists new and updated topics in the [Access protection](index.md) documentation. - -## August 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.| - -## June 2017 -|New or changed topic |Description | -|---------------------|------------| -|[How hardware-based containers help protect Windows 10](/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows) | New | - - -## March 2017 -|New or changed topic |Description | -|---------------------|------------| -|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.| \ No newline at end of file diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md index 9423de2923..2f95950f32 100644 --- a/windows/security/identity-protection/configure-s-mime.md +++ b/windows/security/identity-protection/configure-s-mime.md @@ -1,5 +1,5 @@ --- -title: Configure S/MIME for Windows 10 +title: Configure S/MIME for Windows description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them. ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05 ms.reviewer: @@ -19,16 +19,17 @@ ms.date: 07/27/2017 --- -# Configure S/MIME for Windows 10 +# Configure S/MIME for Windows **Applies to** -- Windows 10 +- Windows 10 +- Windows 11 -S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. +S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with. ## About message encryption -Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. +Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys. Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email. @@ -48,7 +49,7 @@ A digitally signed message reassures the recipient that the message hasn't been On the device, perform the following steps: (add select certificate) -1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.) +1. Open the Mail app. 2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone. diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md index 62a4cf6cf0..3a8d6e6ed0 100644 --- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md +++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md @@ -1,6 +1,6 @@ --- -title: Windows 10 Credential Theft Mitigation Guide Abstract (Windows 10) -description: Provides a summary of the Windows 10 credential theft mitigation guide. +title: Windows Credential Theft Mitigation Guide Abstract +description: Provides a summary of the Windows credential theft mitigation guide. ms.assetid: 821ddc1a-f401-4732-82a7-40d1fff5a78a ms.reviewer: ms.prod: w10 @@ -17,12 +17,12 @@ ms.localizationpriority: medium ms.date: 04/19/2017 --- -# Windows 10 Credential Theft Mitigation Guide Abstract +# Windows Credential Theft Mitigation Guide Abstract **Applies to** - Windows 10 -This topic provides a summary of the Windows 10 credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). +This topic provides a summary of the Windows credential theft mitigation guide, which can be downloaded from the [Microsoft Download Center](https://download.microsoft.com/download/C/1/4/C14579CA-E564-4743-8B51-61C0882662AC/Windows%2010%20credential%20theft%20mitigation%20guide.docx). This guide explains how credential theft attacks occur and the strategies and countermeasures you can implement to mitigate them, following these security stages: - Identify high-value assets diff --git a/windows/security/identity.md b/windows/security/identity.md new file mode 100644 index 0000000000..0cfa07beba --- /dev/null +++ b/windows/security/identity.md @@ -0,0 +1,27 @@ +--- +title: Windows identity and user security +description: Get an overview of identity security in Windows 11 and Windows 10 +ms.reviewer: +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows identity and user security + +Malicious actors launch millions of password attacks every day. Weak passwords, password spraying, and phishing are the entry point for many attacks. Knowing that the right user is accessing the right device and the right data is critical to keeping your business, family, and self, safe and secure. Windows Hello, Windows Hello for Business, and Credential Guard enable customers to move to passwordless multifactor authentication (MFA). MFA can reduce the risk of compromise in organizations. + +| Security capabilities | Description | +|:---|:---| +| Securing user identity with Windows Hello | Windows Hello and Windows Hello for Business replace password-based authentication with a stronger authentication model to sign into your device using a passcode (PIN) or other biometric based authentication. This PIN or biometric based authentication is only valid on the device that you registered it for and cannot be used on another deviceLearn more: [Windows Hello for Business](identity-protection\hello-for-business\hello-overview.md) | +| Windows Defender Credential Guard and Remote Credential Guard | Windows Defender Credential Guard helps protects your systems from credential theft attack techniques (pass-the-hash or pass-the-ticket) as well as helping prevent malware from accessing system secrets even if the process is running with admin privileges. Windows Defender Remote Credential Guard helps you protect your credentials over a Remote Desktop connection by redirecting Kerberos requests back to the device that's requesting the connection. It also provides single sign-on experiences for Remote Desktop sessions. Learn more: [Protect derived domain credentials with Windows Defender Credential Guard](identity-protection/credential-guard/credential-guard-how-it-works.md) and [Protect Remote Desktop credentials with Windows Defender Remote Credential Guard](identity-protection/remote-credential-guard.md)| +| FIDO Alliance | Fast Identity Online (FIDO) defined protocols are becoming the open standard for providing strong authentication that helps prevent phishing and are user-friendly and privacy-respecting. Windows 11 supports the use of device sign-in with FIDO 2 security keys, and with Microsoft Edge or other modern browsers, supports the use of secure FIDO-backed credentials to keep user accounts protected. Learn more about the [FIDO Alliance](https://fidoalliance.org/). | +| Microsoft Authenticator | The Microsoft Authenticator app is a perfect companion to help keep secure with Windows 11. It allows easy, secure sign-ins for all your online accounts using multi-factor authentication, passwordless phone sign-in, or password autofill. You also have additional account management options for your Microsoft personal, work, or school accounts. Microsoft Authenticator can be used to set up multi-factor authentication for your users. Learn more: [Enable passwordless sign-in with the Microsoft Authenticator app](/azure/active-directory/authentication/howto-authentication-passwordless-phone.md). | +| Smart Cards | Smart cards are tamper-resistant portable storage devices that can enhance the security of tasks in Windows, such as authenticating clients, signing code, securing e-mail, and signing in with Windows domain accounts. Learn more about [Smart Cards](identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md).| +| Access Control | Access control is the process of authorizing users, groups, and computers to access objects and assets on a network or computer. Computers can control the use of system and network resources through the interrelated mechanisms of authentication and authorization. Learn more: [Access Control](identity-protection/access-control/access-control.md).| \ No newline at end of file diff --git a/windows/security/images/windows-security-app-w11.png b/windows/security/images/windows-security-app-w11.png new file mode 100644 index 0000000000..e062b0d292 Binary files /dev/null and b/windows/security/images/windows-security-app-w11.png differ diff --git a/windows/security/index.yml b/windows/security/index.yml index 4a5558a16d..7a5576692b 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -1,38 +1,170 @@ -### YamlMime:Hub +### YamlMime:Landing -title: Windows 10 Enterprise Security # < 60 chars -summary: Secure corporate data and manage risk. # < 160 chars -# brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-bi | power-platform | sql | sql-server | vs | visual-studio | windows | xamarin -brand: windows +title: Windows security # < 60 chars +summary: Windows is a Zero Trust-ready operating system that provides security from chip to cloud. # < 160 chars metadata: - title: Windows 10 Enterprise Security # Required; page title displayed in search results. Include the brand. < 60 chars. - description: Learn about enterprise-grade security features for Windows 10. # Required; article description that is displayed in search results. < 160 chars. - services: windows + title: Windows security # Required; page title displayed in search results. Include the brand. < 60 chars. + description: Learn about Windows security # Required; article description that is displayed in search results. < 160 chars. + ms.topic: landing-page # Required ms.prod: windows - ms.topic: hub-page # Required - ms.collection: M365-security-compliance # Optional; Remove if no collection is used. + ms.collection: m365-security-compliance author: dansimp #Required; your GitHub user alias, with correct capitalization. ms.author: dansimp #Required; microsoft alias of author; optional team alias. - ms.date: 01/08/2018 #Required; mm/dd/yyyy format. - ms.localizationpriority: high + ms.date: 09/20/2021 + localization_priority: Priority + +# linkListType: architecture | concept | deploy | download | get-started | how-to-guide | learn | overview | quickstart | reference | tutorial | video | whats-new + +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Zero Trust and Windows + linkLists: + - linkListType: overview + links: + - text: Overview + url: zero-trust-windows-device-health.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Hardware security + linkLists: + - linkListType: overview + links: + - text: Overview + url: hardware.md + - linkListType: concept + links: + - text: Trusted Platform Module + url: information-protection/tpm/trusted-platform-module-top-node.md + - text: Windows Defender System Guard firmware protection + url: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md + - text: System Guard Secure Launch and SMM protection enablement + url: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md + - text: Virtualization-based protection of code integrity + url: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md + - text: Kernel DMA Protection + url: information-protection/kernel-dma-protection-for-thunderbolt.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Operating system security + linkLists: + - linkListType: overview + links: + - text: Overview + url: operating-system.md + - linkListType: concept + links: + - text: System security + url: trusted-boot.md + - text: Encryption and data protection + url: encryption-data-protection.md + - text: Windows security baselines + url: threat-protection/windows-security-configuration-framework/windows-security-baselines.md + - text: Virtual private network guide + url: identity-protection/vpn/vpn-guide.md + - text: Windows Defender Firewall + url: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md + - text: Virus & threat protection + url: threat-protection/index.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Application security + linkLists: + - linkListType: overview + links: + - text: Overview + url: apps.md + - linkListType: concept + links: + - text: Application Control and virtualization-based protection + url: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md + - text: Application Control + url: threat-protection/windows-defender-application-control/windows-defender-application-control.md + - text: Application Guard + url: threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md + - text: Windows Sandbox + url: threat-protection/windows-sandbox/windows-sandbox-overview.md + - text: Microsoft Defender SmartScreen + url: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md + - text: S/MIME for Windows + url: identity-protection/configure-s-mime.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: User security and secured identity + linkLists: + - linkListType: overview + links: + - text: Overview + url: identity.md + - linkListType: concept + links: + - text: Windows Hello for Business + url: identity-protection/hello-for-business/hello-overview.md + - text: Windows Credential Theft Mitigation + url: identity-protection/windows-credential-theft-mitigation-guide-abstract.md + - text: Protect domain credentials + url: identity-protection/credential-guard/credential-guard.md + - text: Windows Defender Credential Guard + url: identity-protection/credential-guard/credential-guard.md + - text: Lost or forgotten passwords + url: identity-protection/password-support-policy.md + - text: Access control + url: identity-protection/access-control/access-control.md + - text: Smart cards + url: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Cloud services + linkLists: + - linkListType: overview + links: + - text: Overview + url: cloud.md + - linkListType: concept + links: + - text: Mobile device management + url: https://docs.microsoft.com/windows/client-management/mdm/ + - text: Azure Active Directory + url: https://www.microsoft.com/security/business/identity-access-management/azure-active-directory + - text: Your Microsoft Account + url: identity-protection/access-control/microsoft-accounts.md + - text: OneDrive + url: https://docs.microsoft.com/onedrive/onedrive + - text: Family safety + url: threat-protection/windows-defender-security-center/wdsc-family-options.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Security foundations + linkLists: + - linkListType: overview + links: + - text: Overview + url: security-foundations.md + - linkListType: reference + links: + - text: Microsoft Security Development Lifecycle + url: threat-protection/msft-security-dev-lifecycle.md + - text: Microsoft Bug Bounty + url: threat-protection/microsoft-bug-bounty-program.md + - text: Common Criteria Certifications + url: threat-protection/windows-platform-common-criteria.md + - text: Federal Information Processing Standard (FIPS) 140 Validation + url: threat-protection/fips-140-validation.md +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card (optional) + - title: Privacy controls + linkLists: + - linkListType: reference + links: + - text: Windows and Privacy Compliance + url: /windows/privacy/windows-10-and-privacy-compliance -# productDirectory section (optional) -productDirectory: - items: - # Card - - title: Identity and access management - # imageSrc should be square in ratio with no whitespace - imageSrc: https://docs.microsoft.com/media/common/i_identity-protection.svg - summary: Deploy secure enterprise-grade authentication and access control to protect accounts and data - url: ./identity-protection/index.md - # Card - - title: Threat protection - imageSrc: https://docs.microsoft.com/media/common/i_threat-protection.svg - summary: Stop cyberthreats and quickly identify and respond to breaches - url: ./threat-protection/index.md - # Card - - title: Information protection - imageSrc: https://docs.microsoft.com/media/common/i_information-protection.svg - summary: Identify and secure critical data to prevent data loss - url: ./information-protection/index.md \ No newline at end of file diff --git a/windows/security/information-protection/TOC.yml b/windows/security/information-protection/TOC.yml deleted file mode 100644 index bcaa9d74d7..0000000000 --- a/windows/security/information-protection/TOC.yml +++ /dev/null @@ -1,149 +0,0 @@ -- name: Information protection - href: index.md - items: - - name: BitLocker - href: bitlocker\bitlocker-overview.md - items: - - name: Overview of BitLocker Device Encryption in Windows 10 - href: bitlocker\bitlocker-device-encryption-overview-windows-10.md - - name: BitLocker frequently asked questions (FAQ) - href: bitlocker\bitlocker-frequently-asked-questions.yml - items: - - name: Overview and requirements - href: bitlocker\bitlocker-overview-and-requirements-faq.yml - - name: Upgrading - href: bitlocker\bitlocker-upgrading-faq.yml - - name: Deployment and administration - href: bitlocker\bitlocker-deployment-and-administration-faq.yml - - name: Key management - href: bitlocker\bitlocker-key-management-faq.yml - - name: BitLocker To Go - href: bitlocker\bitlocker-to-go-faq.yml - - name: Active Directory Domain Services - href: bitlocker\bitlocker-and-adds-faq.yml - - name: Security - href: bitlocker\bitlocker-security-faq.yml - - name: BitLocker Network Unlock - href: bitlocker\bitlocker-network-unlock-faq.yml - - name: General - href: bitlocker\bitlocker-using-with-other-programs-faq.yml - - name: "Prepare your organization for BitLocker: Planning and policies" - href: bitlocker\prepare-your-organization-for-bitlocker-planning-and-policies.md - - name: BitLocker deployment comparison - href: bitlocker\bitlocker-deployment-comparison.md - - name: BitLocker basic deployment - href: bitlocker\bitlocker-basic-deployment.md - - name: "BitLocker: How to deploy on Windows Server 2012 and later" - href: bitlocker\bitlocker-how-to-deploy-on-windows-server.md - - name: "BitLocker: Management for enterprises" - href: bitlocker\bitlocker-management-for-enterprises.md - - name: "BitLocker: How to enable Network Unlock" - href: bitlocker\bitlocker-how-to-enable-network-unlock.md - - name: "BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker" - href: bitlocker\bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md - - name: "BitLocker: Use BitLocker Recovery Password Viewer" - href: bitlocker\bitlocker-use-bitlocker-recovery-password-viewer.md - - name: BitLocker Group Policy settings - href: bitlocker\bitlocker-group-policy-settings.md - - name: BCD settings and BitLocker - href: bitlocker\bcd-settings-and-bitlocker.md - - name: BitLocker Recovery Guide - href: bitlocker\bitlocker-recovery-guide-plan.md - - name: BitLocker Countermeasures - href: bitlocker\bitlocker-countermeasures.md - - name: Protecting cluster shared volumes and storage area networks with BitLocker - href: bitlocker\protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md - - name: Troubleshoot BitLocker - items: - - name: Troubleshoot BitLocker - href: bitlocker\troubleshoot-bitlocker.md - - name: "BitLocker cannot encrypt a drive: known issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-issues.md - - name: "Enforcing BitLocker policies by using Intune: known issues" - href: bitlocker\ts-bitlocker-intune-issues.md - - name: "BitLocker Network Unlock: known issues" - href: bitlocker\ts-bitlocker-network-unlock-issues.md - - name: "BitLocker recovery: known issues" - href: bitlocker\ts-bitlocker-recovery-issues.md - - name: "BitLocker configuration: known issues" - href: bitlocker\ts-bitlocker-config-issues.md - - name: Troubleshoot BitLocker and TPM issues - items: - - name: "BitLocker cannot encrypt a drive: known TPM issues" - href: bitlocker\ts-bitlocker-cannot-encrypt-tpm-issues.md - - name: "BitLocker and TPM: other known issues" - href: bitlocker\ts-bitlocker-tpm-issues.md - - name: Decode Measured Boot logs to track PCR changes - href: bitlocker\ts-bitlocker-decode-measured-boot-logs.md - - name: Encrypted Hard Drive - href: encrypted-hard-drive.md - - name: Kernel DMA Protection - href: kernel-dma-protection-for-thunderbolt.md - - name: Protect your enterprise data using Windows Information Protection (WIP) - href: windows-information-protection\protect-enterprise-data-using-wip.md - items: - - name: Create a WIP policy using Microsoft Intune - href: windows-information-protection\overview-create-wip-policy.md - items: - - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune - href: windows-information-protection\create-wip-policy-using-intune-azure.md - items: - - name: Deploy your WIP policy using the Azure portal for Microsoft Intune - href: windows-information-protection\deploy-wip-policy-using-intune-azure.md - - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune - href: windows-information-protection\create-vpn-and-wip-policy-using-intune-azure.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Create a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\overview-create-wip-policy-configmgr.md - items: - - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager - href: windows-information-protection\create-wip-policy-using-configmgr.md - - name: Create and verify an EFS Data Recovery Agent (DRA) certificate - href: windows-information-protection\create-and-verify-an-efs-dra-certificate.md - - name: Determine the Enterprise Context of an app running in WIP - href: windows-information-protection\wip-app-enterprise-context.md - - name: Mandatory tasks and settings required to turn on WIP - href: windows-information-protection\mandatory-settings-for-wip.md - - name: Testing scenarios for WIP - href: windows-information-protection\testing-scenarios-for-wip.md - - name: Limitations while using WIP - href: windows-information-protection\limitations-with-wip.md - - name: How to collect WIP audit event logs - href: windows-information-protection\collect-wip-audit-event-logs.md - - name: General guidance and best practices for WIP - href: windows-information-protection\guidance-and-best-practices-wip.md - items: - - name: Enlightened apps for use with WIP - href: windows-information-protection\enlightened-microsoft-apps-and-wip.md - - name: Unenlightened and enlightened app behavior while using WIP - href: windows-information-protection\app-behavior-with-wip.md - - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP - href: windows-information-protection\recommended-network-definitions-for-wip.md - - name: Using Outlook Web Access with WIP - href: windows-information-protection\using-owa-with-wip.md - - name: Fine-tune WIP Learning - href: windows-information-protection\wip-learning.md - - name: Secure the Windows 10 boot process - href: secure-the-windows-10-boot-process.md - - name: Trusted Platform Module - href: tpm/trusted-platform-module-top-node.md - items: - - name: Trusted Platform Module Overview - href: tpm/trusted-platform-module-overview.md - - name: TPM fundamentals - href: tpm/tpm-fundamentals.md - - name: How Windows 10 uses the TPM - href: tpm/how-windows-uses-the-tpm.md - - name: TPM Group Policy settings - href: tpm/trusted-platform-module-services-group-policy-settings.md - - name: Back up the TPM recovery information to AD DS - href: tpm/backup-tpm-recovery-information-to-ad-ds.md - - name: View status, clear, or troubleshoot the TPM - href: tpm/initialize-and-configure-ownership-of-the-tpm.md - - name: Understanding PCR banks on TPM 2.0 devices - href: tpm/switch-pcr-banks-on-tpm-2-0-devices.md - - name: TPM recommendations - href: tpm/tpm-recommendations.md diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md index 45659d1cac..a13435b388 100644 --- a/windows/security/information-protection/secure-the-windows-10-boot-process.md +++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md @@ -1,7 +1,7 @@ --- -title: Secure the Windows 10 boot process -description: This article describes how Windows 10 security features helps protect your PC from malware, including rootkits and other applications -keywords: trusted boot, windows 10 boot process +title: Secure the Windows boot process +description: This article describes how Windows security features helps protect your PC from malware, including rootkits and other applications +keywords: trusted boot, windows boot process ms.prod: w10 ms.mktglfcycl: Explore ms.pagetype: security @@ -12,12 +12,12 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 11/16/2018 +ms.date: ms.reviewer: ms.author: dansimp --- -# Secure the Windows 10 boot process +# Secure the Windows boot process **Applies to:** - Windows 11 @@ -27,11 +27,11 @@ ms.author: dansimp The Windows operating system has many features to help protect you from malware, and it does an amazingly good job. Except for apps that businesses develop and use internally, all Microsoft Store apps must meet a series of requirements to be certified and included in the Microsoft Store. This certification process examines several criteria, including security, and is an effective means of preventing malware from entering the Microsoft Store. Even if a malicious app does get through, the Windows 10 operating system includes a series of security features that can mitigate the impact. For instance, Microsoft Store apps are sandboxed and lack the privileges necessary to access user data or change system settings. -Windows has multiple levels of protection for desktop apps and data, too. Windows Defender uses signatures to detect and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. +Windows has multiple levels of protection for desktop apps and data, too. Windows Defender Antivirus uses cloud-powered real-time detection to identify and quarantine apps that are known to be malicious. Windows Defender SmartScreen warns users before allowing them to run an untrustworthy app, even if it’s recognized as malware. Before an app can change system settings, the user would have to grant the app administrative privileges by using User Account Control. Those are just some of the ways that Windows protects you from malware. However, those security features protect you only after Windows starts. Modern malware—and bootkits specifically—are capable of starting before Windows, completely bypassing operating system security, and remaining completely hidden. -When you run Windows 10 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. +When you run Windows 10 or Windows 11 on a PC or any PC that supports Unified Extensible Firmware Interface (UEFI), Trusted Boot protects your PC from malware from the moment you power on your PC until your anti-malware starts. In the unlikely event that malware does infect a PC, it can’t remain hidden; Trusted Boot can prove the system’s integrity to your infrastructure in a way that malware can’t disguise. Even on PCs without UEFI, Windows provides even better startup security than previous versions of Windows. First, let’s examine what rootkits are and how they work. Then, we’ll show you how Windows can protect you. @@ -61,7 +61,7 @@ Figure 1 shows the Windows startup process. **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage** -Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. +Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM chip. Fortunately, all Windows 10 and Windows 11 PCs that meet Windows Hardware Compatibility Program requirements have these components, and many PCs designed for earlier versions of Windows have them as well. The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot. @@ -131,4 +131,4 @@ Measured Boot uses the power of UEFI, TPM, and Windows to give you a way to conf Secure Boot, Trusted Boot, and Measured Boot create an architecture that is fundamentally resistant to bootkits and rootkits. In Windows, these features have the potential to eliminate kernel-level malware from your network. This is the most ground-breaking anti-malware solution that Windows has ever had; it’s leaps and bounds ahead of everything else. With Windows, you can truly trust the integrity of your operating system. ## Additional resources -- [Windows 10 Enterprise LTSC 2019 or v2004 Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) +- [Windows Enterprise Evaluation](https://www.microsoft.com/evalcenter/evaluate-windows-10-enterprise) diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md new file mode 100644 index 0000000000..66115fef04 --- /dev/null +++ b/windows/security/operating-system.md @@ -0,0 +1,42 @@ +--- +title: Windows operating system security +description: Securing the operating system includes system security, encryption, network security, and threat protection. +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: deniseb +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: denisebmsft +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +ms.date: 09/21/2021 +--- + +# Windows operating system security + +Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats. + +Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.

+ +| Security Measures | Features & Capabilities | +|:---|:---| +| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.

Learn more [Secure Boot and Trusted Boot](trusted-boot.md). | +Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.

Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).

| +Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.

Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).| +| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.

Learn more about [Encryption](encryption-data-protection.md). +| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.

Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). | +| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.

Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).

| +| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.

Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.

Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). | +| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.

Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).

| +| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.

Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).

+| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.

From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).

Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.

Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).| +| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.

Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) | +| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.

With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates

Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). | +| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.

In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.

Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). | +| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.

Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). | +| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.

You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.

Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). | +| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.

Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.

Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). | + diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md new file mode 100644 index 0000000000..7ec5414862 --- /dev/null +++ b/windows/security/security-foundations.md @@ -0,0 +1,33 @@ +--- +title: Windows security foundations +description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program. +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: deniseb +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: denisebmsft +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Windows security foundations + +Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment. + +Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified. + +Use the links in the following table to learn more about the security foundations:

+ +| Concept | Description | +|:---|:---| +| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.

Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). | +| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.

Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). | +| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.

Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).| +| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.

Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). | + + + diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml deleted file mode 100644 index ae12fde723..0000000000 --- a/windows/security/threat-protection/TOC.yml +++ /dev/null @@ -1,1410 +0,0 @@ -- name: Threat protection - href: index.md - items: - - name: Next-generation protection with Microsoft Defender Antivirus - items: - - name: Microsoft Defender Antivirus overview - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10 - - name: Evaluate Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus - - name: Configure Microsoft Defender Antivirus - items: - - name: Configure Microsoft Defender Antivirus features - href: /microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features - - name: Use Microsoft cloud-delivered protection - href: /microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus - items: - - name: Prevent security settings changes with tamper protection - href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection - - name: Enable Block at first sight - href: /microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus - - name: Configure the cloud block timeout period - href: /microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus - - name: Configure behavioral, heuristic, and real-time protection - items: - - name: Configuration overview - href: /microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus - - name: Detect and block Potentially Unwanted Applications - href: /microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus - - name: Enable and configure always-on protection and monitoring - href: /microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus - - name: Antivirus on Windows Server - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server - - name: Antivirus compatibility - items: - - name: Compatibility charts - href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility - - name: Use limited periodic antivirus scanning - href: /microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus - - name: Manage Microsoft Defender Antivirus in your business - items: - - name: Management overview - href: /microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus - - name: Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus - - name: Use Group Policy settings to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus - - name: Use PowerShell cmdlets to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus - - name: Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus - - name: Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus - - name: Deploy, manage updates, and report on Microsoft Defender Antivirus - items: - - name: Preparing to deploy - href: /microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus - - name: Deploy and enable Microsoft Defender Antivirus - href: /microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus - - name: Deployment guide for VDI environments - href: /microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus - - name: Report on antivirus protection - - name: Review protection status and alerts - href: /microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus - - name: Troubleshoot antivirus reporting in Update Compliance - href: /microsoft-365/security/defender-endpoint/troubleshoot-reporting - - name: Learn about the recent updates - href: /microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus - - name: Manage protection and security intelligence updates - href: /microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus - - name: Manage when protection updates should be downloaded and applied - href: /microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus - - name: Manage updates for endpoints that are out of date - href: /microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus - - name: Manage event-based forced updates - href: /microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus - - name: Manage updates for mobile devices and VMs - href: /microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus - - name: Customize, initiate, and review the results of scans and remediation - items: - - name: Configuration overview - href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus - - name: Configure and validate exclusions in antivirus scans - href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions based on file name, extension, and folder location - href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions for files opened by processes - href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - - name: Configure antivirus exclusions Windows Server - href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - - name: Common mistakes when defining exclusions - href: /microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus - - name: Configure scanning antivirus options - href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus - - name: Configure remediation for scans - href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus - - name: Configure scheduled scans - href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus - - name: Configure and run scans - href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus - - name: Review scan results - href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus - - name: Run and review the results of an offline scan - href: /microsoft-365/security/defender-endpoint//microsoft-defender-offline - - name: Restore quarantined files - href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus - - name: Manage scans and remediation - items: - - name: Management overview - href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus - - name: Configure and validate exclusions in antivirus scans - - name: Exclusions overview - href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions based on file name, extension, and folder location - href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus - - name: Configure and validate exclusions for files opened by processes - href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus - - name: Configure antivirus exclusions on Windows Server - href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus - - name: Configure scanning options - href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus - - name: Configure remediation for scans - href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus - items: - - name: Configure scheduled scans - href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus - - name: Configure and run scans - href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus - - name: Review scan results - href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus - - name: Run and review the results of an offline scan - href: /microsoft-365/security/defender-endpoint/microsoft-defender-offline - - name: Restore quarantined files - href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus - - name: Troubleshoot Microsoft Defender Antivirus - items: - - name: Troubleshoot Microsoft Defender Antivirus issues - href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus - - name: Troubleshoot Microsoft Defender Antivirus migration issues - href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating - - name: "Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint" - href: /microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus - - name: "Better together: Microsoft Defender Antivirus and Office 365" - href: /microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus - - name: Hardware-based isolation - items: - - name: Hardware-based isolation evaluation - href: microsoft-defender-application-guard/test-scenarios-md-app-guard.md - - name: Application isolation - items: - - name: Application guard overview - href: microsoft-defender-application-guard/md-app-guard-overview.md - - name: System requirements - href: microsoft-defender-application-guard/reqs-md-app-guard.md - - name: Install Microsoft Defender Application Guard - href: microsoft-defender-application-guard/install-md-app-guard.md - - name: Install Microsoft Defender Application Guard Extension - href: microsoft-defender-application-guard/md-app-guard-browser-extension.md - - name: Application control - href: windows-defender-application-control/windows-defender-application-control.md - items: - - name: Audit Application control policies - href: windows-defender-application-control/audit-windows-defender-application-control-policies.md - - name: System isolation - href: windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md - - name: System integrity - href: windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md - - name: Code integrity - href: device-guard/enable-virtualization-based-protection-of-code-integrity.md - - name: Network firewall - items: - - name: Network firewall overview - href: windows-firewall/windows-firewall-with-advanced-security.md - - name: Network firewall evaluation - href: windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md - - name: Security intelligence - href: intelligence/index.md - items: - - name: Understand malware & other threats - href: intelligence/understanding-malware.md - items: - - name: Prevent malware infection - href: intelligence/prevent-malware-infection.md - - name: Malware names - href: intelligence/malware-naming.md - - name: Coin miners - href: intelligence/coinminer-malware.md - - name: Exploits and exploit kits - href: intelligence/exploits-malware.md - - name: Fileless threats - href: intelligence/fileless-threats.md - - name: Macro malware - href: intelligence/macro-malware.md - - name: Phishing - href: intelligence/phishing.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: intelligence/rootkits-malware.md - - name: Supply chain attacks - href: intelligence/supply-chain-malware.md - - name: Tech support scams - href: intelligence/support-scams.md - - name: Trojans - href: intelligence/trojans-malware.md - - name: Unwanted software - href: intelligence/unwanted-software.md - - name: Worms - href: intelligence/worms-malware.md - - name: How Microsoft identifies malware and PUA - href: intelligence/criteria.md - - name: Submit files for analysis - href: intelligence/submission-guide.md - - name: Safety Scanner download - href: intelligence/safety-scanner-download.md - - name: Industry collaboration programs - href: intelligence/cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: intelligence/virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: intelligence/virus-initiative-criteria.md - - name: Coordinated malware eradication - href: intelligence/coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: intelligence/developer-faq.yml - - name: Software developer resources - href: intelligence/developer-resources.md - - name: The Windows Security app - href: windows-defender-security-center/windows-defender-security-center.md - items: - - name: Customize the Windows Security app for your organization - href: windows-defender-security-center/wdsc-customize-contact-information.md - - name: Hide Windows Security app notifications - href: windows-defender-security-center/wdsc-hide-notifications.md - - name: Manage Windows Security app in Windows 10 in S mode - href: windows-defender-security-center/wdsc-windows-10-in-s-mode.md - - name: Virus and threat protection - href: windows-defender-security-center/wdsc-virus-threat-protection.md - - name: Account protection - href: windows-defender-security-center/wdsc-account-protection.md - - name: Firewall and network protection - href: windows-defender-security-center/wdsc-firewall-network-protection.md - - name: App and browser control - href: windows-defender-security-center/wdsc-app-browser-control.md - - name: Device security - href: windows-defender-security-center/wdsc-device-security.md - - name: Device performance and health - href: windows-defender-security-center/wdsc-device-performance-health.md - items: - - name: Family options - href: windows-defender-security-center/wdsc-family-options.md - - name: Microsoft Defender SmartScreen - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md - items: - - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md - - name: Set up and use Microsoft Defender SmartScreen on individual devices - href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md - - name: Windows Sandbox - href: windows-sandbox/windows-sandbox-overview.md - items: - - name: Windows Sandbox architecture - href: windows-sandbox/windows-sandbox-architecture.md - - name: Windows Sandbox configuration - href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md - - name: "Windows Defender Application Control and virtualization-based protection of code integrity" - href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md - - name: Windows Certifications - items: - - name: FIPS 140 Validations - href: fips-140-validation.md - - name: Common Criteria Certifications - href: windows-platform-common-criteria.md - - name: More Windows 10 security - items: - - name: Control the health of Windows 10-based devices - href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md - - name: Mitigate threats by using Windows 10 security features - href: overview-of-threat-mitigations-in-windows-10.md - - name: Override Process Mitigation Options to help enforce app-related security policies - href: override-mitigation-options-for-app-related-security-policies.md - - name: Use Windows Event Forwarding to help with intrusion detection - href: use-windows-event-forwarding-to-assist-in-intrusion-detection.md - - name: Block untrusted fonts in an enterprise - href: block-untrusted-fonts-in-enterprise.md - - name: Security auditing - href: auditing/security-auditing-overview.md - items: - - name: Basic security audit policies - href: auditing/basic-security-audit-policies.md - items: - - name: Create a basic audit policy for an event category - href: auditing/create-a-basic-audit-policy-settings-for-an-event-category.md - - name: Apply a basic audit policy on a file or folder - href: auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md - - name: View the security event log - href: auditing/view-the-security-event-log.md - - name: Basic security audit policy settings - href: auditing/basic-security-audit-policy-settings.md - items: - - name: Audit account logon events - href: auditing/basic-audit-account-logon-events.md - - name: Audit account management - href: auditing/basic-audit-account-management.md - - name: Audit directory service access - href: auditing/basic-audit-directory-service-access.md - - name: Audit logon events - href: auditing/basic-audit-logon-events.md - - name: Audit object access - href: auditing/basic-audit-object-access.md - - name: Audit policy change - href: auditing/basic-audit-policy-change.md - - name: Audit privilege use - href: auditing/basic-audit-privilege-use.md - - name: Audit process tracking - href: auditing/basic-audit-process-tracking.md - - name: Audit system events - href: auditing/basic-audit-system-events.md - - name: Advanced security audit policies - href: auditing/advanced-security-auditing.md - items: - - name: Planning and deploying advanced security audit policies - href: auditing/planning-and-deploying-advanced-security-audit-policies.md - - name: Advanced security auditing FAQ - href: auditing/advanced-security-auditing-faq.yml - items: - - name: Which editions of Windows support advanced audit policy configuration - href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md - - name: How to list XML elements in \ - href: auditing/how-to-list-xml-elements-in-eventdata.md - - name: Using advanced security auditing options to monitor dynamic access control objects - href: auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md - items: - - name: Monitor the central access policies that apply on a file server - href: auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md - - name: Monitor the use of removable storage devices - href: auditing/monitor-the-use-of-removable-storage-devices.md - - name: Monitor resource attribute definitions - href: auditing/monitor-resource-attribute-definitions.md - - name: Monitor central access policy and rule definitions - href: auditing/monitor-central-access-policy-and-rule-definitions.md - - name: Monitor user and device claims during sign-in - href: auditing/monitor-user-and-device-claims-during-sign-in.md - - name: Monitor the resource attributes on files and folders - href: auditing/monitor-the-resource-attributes-on-files-and-folders.md - - name: Monitor the central access policies associated with files and folders - href: auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md - - name: Monitor claim types - href: auditing/monitor-claim-types.md - - name: Advanced security audit policy settings - href: auditing/advanced-security-audit-policy-settings.md - items: - - name: Audit Credential Validation - href: auditing/audit-credential-validation.md - - name: "Event 4774 S, F: An account was mapped for logon." - href: auditing/event-4774.md - - name: "Event 4775 F: An account could not be mapped for logon." - href: auditing/event-4775.md - - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." - href: auditing/event-4776.md - - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." - href: auditing/event-4777.md - - name: Audit Kerberos Authentication Service - href: auditing/audit-kerberos-authentication-service.md - items: - - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." - href: auditing/event-4768.md - - name: "Event 4771 F: Kerberos pre-authentication failed." - href: auditing/event-4771.md - - name: "Event 4772 F: A Kerberos authentication ticket request failed." - href: auditing/event-4772.md - - name: Audit Kerberos Service Ticket Operations - href: auditing/audit-kerberos-service-ticket-operations.md - items: - - name: "Event 4769 S, F: A Kerberos service ticket was requested." - href: auditing/event-4769.md - - name: "Event 4770 S: A Kerberos service ticket was renewed." - href: auditing/event-4770.md - - name: "Event 4773 F: A Kerberos service ticket request failed." - href: auditing/event-4773.md - - name: Audit Other Account Logon Events - href: auditing/audit-other-account-logon-events.md - - name: Audit Application Group Management - href: auditing/audit-application-group-management.md - - name: Audit Computer Account Management - href: auditing/audit-computer-account-management.md - items: - - name: "Event 4741 S: A computer account was created." - href: auditing/event-4741.md - - name: "Event 4742 S: A computer account was changed." - href: auditing/event-4742.md - - name: "Event 4743 S: A computer account was deleted." - href: auditing/event-4743.md - - name: Audit Distribution Group Management - href: auditing/audit-distribution-group-management.md - items: - - name: "Event 4749 S: A security-disabled global group was created." - href: auditing/event-4749.md - - name: "Event 4750 S: A security-disabled global group was changed." - href: auditing/event-4750.md - - name: "Event 4751 S: A member was added to a security-disabled global group." - href: auditing/event-4751.md - - name: "Event 4752 S: A member was removed from a security-disabled global group." - href: auditing/event-4752.md - - name: "Event 4753 S: A security-disabled global group was deleted." - href: auditing/event-4753.md - - name: Audit Other Account Management Events - href: auditing/audit-other-account-management-events.md - items: - - name: "Event 4782 S: The password hash of an account was accessed." - href: auditing/event-4782.md - - name: "Event 4793 S: The Password Policy Checking API was called." - href: auditing/event-4793.md - - name: Audit Security Group Management - href: auditing/audit-security-group-management.md - items: - - name: "Event 4731 S: A security-enabled local group was created." - href: auditing/event-4731.md - - name: "Event 4732 S: A member was added to a security-enabled local group." - href: auditing/event-4732.md - - name: "Event 4733 S: A member was removed from a security-enabled local group." - href: auditing/event-4733.md - - name: "Event 4734 S: A security-enabled local group was deleted." - href: auditing/event-4734.md - - name: "Event 4735 S: A security-enabled local group was changed." - href: auditing/event-4735.md - - name: "Event 4764 S: A group�s type was changed." - href: auditing/event-4764.md - - name: "Event 4799 S: A security-enabled local group membership was enumerated." - href: auditing/event-4799.md - - name: Audit User Account Management - href: auditing/audit-user-account-management.md - items: - - name: "Event 4720 S: A user account was created." - href: auditing/event-4720.md - - name: "Event 4722 S: A user account was enabled." - href: auditing/event-4722.md - - name: "Event 4723 S, F: An attempt was made to change an account's password." - href: auditing/event-4723.md - - name: "Event 4724 S, F: An attempt was made to reset an account's password." - href: auditing/event-4724.md - - name: "Event 4725 S: A user account was disabled." - href: auditing/event-4725.md - - name: "Event 4726 S: A user account was deleted." - href: auditing/event-4726.md - - name: "Event 4738 S: A user account was changed." - href: auditing/event-4738.md - - name: "Event 4740 S: A user account was locked out." - href: auditing/event-4740.md - - name: "Event 4765 S: SID History was added to an account." - href: auditing/event-4765.md - - name: "Event 4766 F: An attempt to add SID History to an account failed." - href: auditing/event-4766.md - - name: "Event 4767 S: A user account was unlocked." - href: auditing/event-4767.md - - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." - href: auditing/event-4780.md - - name: "Event 4781 S: The name of an account was changed." - href: auditing/event-4781.md - - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." - href: auditing/event-4794.md - - name: "Event 4798 S: A user's local group membership was enumerated." - href: auditing/event-4798.md - - name: "Event 5376 S: Credential Manager credentials were backed up." - href: auditing/event-5376.md - - name: "Event 5377 S: Credential Manager credentials were restored from a backup." - href: auditing/event-5377.md - - name: Audit DPAPI Activity - href: auditing/audit-dpapi-activity.md - items: - - name: "Event 4692 S, F: Backup of data protection master key was attempted." - href: auditing/event-4692.md - - name: "Event 4693 S, F: Recovery of data protection master key was attempted." - href: auditing/event-4693.md - - name: "Event 4694 S, F: Protection of auditable protected data was attempted." - href: auditing/event-4694.md - - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." - href: auditing/event-4695.md - - name: Audit PNP Activity - href: auditing/audit-pnp-activity.md - items: - - name: "Event 6416 S: A new external device was recognized by the System." - href: auditing/event-6416.md - - name: "Event 6419 S: A request was made to disable a device." - href: auditing/event-6419.md - - name: "Event 6420 S: A device was disabled." - href: auditing/event-6420.md - - name: "Event 6421 S: A request was made to enable a device." - href: auditing/event-6421.md - - name: "Event 6422 S: A device was enabled." - href: auditing/event-6422.md - - name: "Event 6423 S: The installation of this device is forbidden by system policy." - href: auditing/event-6423.md - - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." - href: auditing/event-6424.md - - name: Audit Process Creation - href: auditing/audit-process-creation.md - items: - - name: "Event 4688 S: A new process has been created." - href: auditing/event-4688.md - - name: "Event 4696 S: A primary token was assigned to process." - href: auditing/event-4696.md - - name: Audit Process Termination - href: auditing/audit-process-termination.md - items: - - name: "Event 4689 S: A process has exited." - href: auditing/event-4689.md - - name: Audit RPC Events - href: auditing/audit-rpc-events.md - items: - - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." - href: auditing/event-5712.md - - name: Audit Token Right Adjusted - href: auditing/audit-token-right-adjusted.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: auditing/event-4703.md - - name: Audit Detailed Directory Service Replication - href: auditing/audit-detailed-directory-service-replication.md - items: - - name: "Event 4928 S, F: An Active Directory replica source naming context was established." - href: auditing/event-4928.md - - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." - href: auditing/event-4929.md - - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." - href: auditing/event-4930.md - - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." - href: auditing/event-4931.md - - name: "Event 4934 S: Attributes of an Active Directory object were replicated." - href: auditing/event-4934.md - - name: "Event 4935 F: Replication failure begins." - href: auditing/event-4935.md - - name: "Event 4936 S: Replication failure ends." - href: auditing/event-4936.md - - name: "Event 4937 S: A lingering object was removed from a replica." - href: auditing/event-4937.md - - name: Audit Directory Service Access - href: auditing/audit-directory-service-access.md - items: - - name: "Event 4662 S, F: An operation was performed on an object." - href: auditing/event-4662.md - - name: "Event 4661 S, F: A handle to an object was requested." - href: auditing/event-4661.md - - name: Audit Directory Service Changes - href: auditing/audit-directory-service-changes.md - items: - - name: "Event 5136 S: A directory service object was modified." - href: auditing/event-5136.md - - name: "Event 5137 S: A directory service object was created." - href: auditing/event-5137.md - - name: "Event 5138 S: A directory service object was undeleted." - href: auditing/event-5138.md - - name: "Event 5139 S: A directory service object was moved." - href: auditing/event-5139.md - - name: "Event 5141 S: A directory service object was deleted." - href: auditing/event-5141.md - - name: Audit Directory Service Replication - href: auditing/audit-directory-service-replication.md - items: - - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." - href: auditing/event-4932.md - - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." - href: auditing/event-4933.md - - name: Audit Account Lockout - href: auditing/audit-account-lockout.md - items: - - name: "Event 4625 F: An account failed to log on." - href: auditing/event-4625.md - - name: Audit User/Device Claims - href: auditing/audit-user-device-claims.md - items: - - name: "Event 4626 S: User/Device claims information." - href: auditing/event-4626.md - - name: Audit Group Membership - href: auditing/audit-group-membership.md - items: - - name: "Event 4627 S: Group membership information." - href: auditing/event-4627.md - - name: Audit IPsec Extended Mode - href: auditing/audit-ipsec-extended-mode.md - - name: Audit IPsec Main Mode - href: auditing/audit-ipsec-main-mode.md - - name: Audit IPsec Quick Mode - href: auditing/audit-ipsec-quick-mode.md - - name: Audit Logoff - href: auditing/audit-logoff.md - items: - - name: "Event 4634 S: An account was logged off." - href: auditing/event-4634.md - - name: "Event 4647 S: User initiated logoff." - href: auditing/event-4647.md - - name: Audit Logon - href: auditing/audit-logon.md - items: - - name: "Event 4624 S: An account was successfully logged on." - href: auditing/event-4624.md - - name: "Event 4625 F: An account failed to log on." - href: auditing/event-4625.md - - name: "Event 4648 S: A logon was attempted using explicit credentials." - href: auditing/event-4648.md - - name: "Event 4675 S: SIDs were filtered." - href: auditing/event-4675.md - - name: Audit Network Policy Server - href: auditing/audit-network-policy-server.md - - name: Audit Other Logon/Logoff Events - href: auditing/audit-other-logonlogoff-events.md - items: - - name: "Event 4649 S: A replay attack was detected." - href: auditing/event-4649.md - - name: "Event 4778 S: A session was reconnected to a Window Station." - href: auditing/event-4778.md - - name: "Event 4779 S: A session was disconnected from a Window Station." - href: auditing/event-4779.md - - name: "Event 4800 S: The workstation was locked." - href: auditing/event-4800.md - - name: "Event 4801 S: The workstation was unlocked." - href: auditing/event-4801.md - - name: "Event 4802 S: The screen saver was invoked." - href: auditing/event-4802.md - - name: "Event 4803 S: The screen saver was dismissed." - href: auditing/event-4803.md - - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." - href: auditing/event-5378.md - - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." - href: auditing/event-5632.md - - name: "Event 5633 S, F: A request was made to authenticate to a wired network." - href: auditing/event-5633.md - - name: Audit Special Logon - href: auditing/audit-special-logon.md - items: - - name: "Event 4964 S: Special groups have been assigned to a new logon." - href: auditing/event-4964.md - - name: "Event 4672 S: Special privileges assigned to new logon." - href: auditing/event-4672.md - - name: Audit Application Generated - href: auditing/audit-application-generated.md - - name: Audit Certification Services - href: auditing/audit-certification-services.md - - name: Audit Detailed File Share - href: auditing/audit-detailed-file-share.md - items: - - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." - href: auditing/event-5145.md - - name: Audit File Share - href: auditing/audit-file-share.md - items: - - name: "Event 5140 S, F: A network share object was accessed." - href: auditing/event-5140.md - - name: "Event 5142 S: A network share object was added." - href: auditing/event-5142.md - - name: "Event 5143 S: A network share object was modified." - href: auditing/event-5143.md - - name: "Event 5144 S: A network share object was deleted." - href: auditing/event-5144.md - - name: "Event 5168 F: SPN check for SMB/SMB2 failed." - href: auditing/event-5168.md - - name: Audit File System - href: auditing/audit-file-system.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: "Event 4664 S: An attempt was made to create a hard link." - href: auditing/event-4664.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: "Event 5051: A file was virtualized." - href: auditing/event-5051.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: Audit Filtering Platform Connection - href: auditing/audit-filtering-platform-connection.md - items: - - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." - href: auditing/event-5031.md - - name: "Event 5150: The Windows Filtering Platform blocked a packet." - href: auditing/event-5150.md - - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: auditing/event-5151.md - - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." - href: auditing/event-5154.md - - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." - href: auditing/event-5155.md - - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." - href: auditing/event-5156.md - - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." - href: auditing/event-5157.md - - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." - href: auditing/event-5158.md - - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." - href: auditing/event-5159.md - - name: Audit Filtering Platform Packet Drop - href: auditing/audit-filtering-platform-packet-drop.md - items: - - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." - href: auditing/event-5152.md - - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." - href: auditing/event-5153.md - - name: Audit Handle Manipulation - href: auditing/audit-handle-manipulation.md - items: - - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." - href: auditing/event-4690.md - - name: Audit Kernel Object - href: auditing/audit-kernel-object.md - items: - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: Audit Other Object Access Events - href: auditing/audit-other-object-access-events.md - items: - - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." - href: auditing/event-4671.md - - name: "Event 4691 S: Indirect access to an object was requested." - href: auditing/event-4691.md - - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." - href: auditing/event-5148.md - - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." - href: auditing/event-5149.md - - name: "Event 4698 S: A scheduled task was created." - href: auditing/event-4698.md - - name: "Event 4699 S: A scheduled task was deleted." - href: auditing/event-4699.md - - name: "Event 4700 S: A scheduled task was enabled." - href: auditing/event-4700.md - - name: "Event 4701 S: A scheduled task was disabled." - href: auditing/event-4701.md - - name: "Event 4702 S: A scheduled task was updated." - href: auditing/event-4702.md - - name: "Event 5888 S: An object in the COM+ Catalog was modified." - href: auditing/event-5888.md - - name: "Event 5889 S: An object was deleted from the COM+ Catalog." - href: auditing/event-5889.md - - name: "Event 5890 S: An object was added to the COM+ Catalog." - href: auditing/event-5890.md - - name: Audit Registry - href: auditing/audit-registry.md - items: - - name: "Event 4663 S: An attempt was made to access an object." - href: auditing/event-4663.md - - name: "Event 4656 S, F: A handle to an object was requested." - href: auditing/event-4656.md - - name: "Event 4658 S: The handle to an object was closed." - href: auditing/event-4658.md - - name: "Event 4660 S: An object was deleted." - href: auditing/event-4660.md - - name: "Event 4657 S: A registry value was modified." - href: auditing/event-4657.md - - name: "Event 5039: A registry key was virtualized." - href: auditing/event-5039.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: Audit Removable Storage - href: auditing/audit-removable-storage.md - - name: Audit SAM - href: auditing/audit-sam.md - items: - - name: "Event 4661 S, F: A handle to an object was requested." - href: auditing/event-4661.md - - name: Audit Central Access Policy Staging - href: auditing/audit-central-access-policy-staging.md - items: - - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." - href: auditing/event-4818.md - - name: Audit Audit Policy Change - href: auditing/audit-audit-policy-change.md - items: - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: "Event 4715 S: The audit policy, SACL, on an object was changed." - href: auditing/event-4715.md - - name: "Event 4719 S: System audit policy was changed." - href: auditing/event-4719.md - - name: "Event 4817 S: Auditing settings on object were changed." - href: auditing/event-4817.md - - name: "Event 4902 S: The Per-user audit policy table was created." - href: auditing/event-4902.md - - name: "Event 4906 S: The CrashOnAuditFail value has changed." - href: auditing/event-4906.md - - name: "Event 4907 S: Auditing settings on object were changed." - href: auditing/event-4907.md - - name: "Event 4908 S: Special Groups Logon table modified." - href: auditing/event-4908.md - - name: "Event 4912 S: Per User Audit Policy was changed." - href: auditing/event-4912.md - - name: "Event 4904 S: An attempt was made to register a security event source." - href: auditing/event-4904.md - - name: "Event 4905 S: An attempt was made to unregister a security event source." - href: auditing/event-4905.md - - name: Audit Authentication Policy Change - href: auditing/audit-authentication-policy-change.md - items: - - name: "Event 4706 S: A new trust was created to a domain." - href: auditing/event-4706.md - - name: "Event 4707 S: A trust to a domain was removed." - href: auditing/event-4707.md - - name: "Event 4716 S: Trusted domain information was modified." - href: auditing/event-4716.md - - name: "Event 4713 S: Kerberos policy was changed." - href: auditing/event-4713.md - - name: "Event 4717 S: System security access was granted to an account." - href: auditing/event-4717.md - - name: "Event 4718 S: System security access was removed from an account." - href: auditing/event-4718.md - - name: "Event 4739 S: Domain Policy was changed." - href: auditing/event-4739.md - - name: "Event 4864 S: A namespace collision was detected." - href: auditing/event-4864.md - - name: "Event 4865 S: A trusted forest information entry was added." - href: auditing/event-4865.md - - name: "Event 4866 S: A trusted forest information entry was removed." - href: auditing/event-4866.md - - name: "Event 4867 S: A trusted forest information entry was modified." - href: auditing/event-4867.md - - name: Audit Authorization Policy Change - href: auditing/audit-authorization-policy-change.md - items: - - name: "Event 4703 S: A user right was adjusted." - href: auditing/event-4703.md - - name: "Event 4704 S: A user right was assigned." - href: auditing/event-4704.md - - name: "Event 4705 S: A user right was removed." - href: auditing/event-4705.md - - name: "Event 4670 S: Permissions on an object were changed." - href: auditing/event-4670.md - - name: "Event 4911 S: Resource attributes of the object were changed." - href: auditing/event-4911.md - - name: "Event 4913 S: Central Access Policy on the object was changed." - href: auditing/event-4913.md - - name: Audit Filtering Platform Policy Change - href: auditing/audit-filtering-platform-policy-change.md - - name: Audit MPSSVC Rule-Level Policy Change - href: auditing/audit-mpssvc-rule-level-policy-change.md - items: - - name: "Event 4944 S: The following policy was active when the Windows Firewall started." - href: auditing/event-4944.md - - name: "Event 4945 S: A rule was listed when the Windows Firewall started." - href: auditing/event-4945.md - - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." - href: auditing/event-4946.md - - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." - href: auditing/event-4947.md - - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." - href: auditing/event-4948.md - - name: "Event 4949 S: Windows Firewall settings were restored to the default values." - href: auditing/event-4949.md - - name: "Event 4950 S: A Windows Firewall setting has changed." - href: auditing/event-4950.md - - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." - href: auditing/event-4951.md - - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." - href: auditing/event-4952.md - - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." - href: auditing/event-4953.md - - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." - href: auditing/event-4954.md - - name: "Event 4956 S: Windows Firewall has changed the active profile." - href: auditing/event-4956.md - - name: "Event 4957 F: Windows Firewall did not apply the following rule." - href: auditing/event-4957.md - - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." - href: auditing/event-4958.md - - name: Audit Other Policy Change Events - href: auditing/audit-other-policy-change-events.md - items: - - name: "Event 4714 S: Encrypted data recovery policy was changed." - href: auditing/event-4714.md - - name: "Event 4819 S: Central Access Policies on the machine have been changed." - href: auditing/event-4819.md - - name: "Event 4826 S: Boot Configuration Data loaded." - href: auditing/event-4826.md - - name: "Event 4909: The local policy settings for the TBS were changed." - href: auditing/event-4909.md - - name: "Event 4910: The group policy settings for the TBS were changed." - href: auditing/event-4910.md - - name: "Event 5063 S, F: A cryptographic provider operation was attempted." - href: auditing/event-5063.md - - name: "Event 5064 S, F: A cryptographic context operation was attempted." - href: auditing/event-5064.md - - name: "Event 5065 S, F: A cryptographic context modification was attempted." - href: auditing/event-5065.md - - name: "Event 5066 S, F: A cryptographic function operation was attempted." - href: auditing/event-5066.md - - name: "Event 5067 S, F: A cryptographic function modification was attempted." - href: auditing/event-5067.md - - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." - href: auditing/event-5068.md - - name: "Event 5069 S, F: A cryptographic function property operation was attempted." - href: auditing/event-5069.md - - name: "Event 5070 S, F: A cryptographic function property modification was attempted." - href: auditing/event-5070.md - - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." - href: auditing/event-5447.md - - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." - href: auditing/event-6144.md - - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." - href: auditing/event-6145.md - - name: Audit Sensitive Privilege Use - href: auditing/audit-sensitive-privilege-use.md - items: - - name: "Event 4673 S, F: A privileged service was called." - href: auditing/event-4673.md - - name: "Event 4674 S, F: An operation was attempted on a privileged object." - href: auditing/event-4674.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit Non Sensitive Privilege Use - href: auditing/audit-non-sensitive-privilege-use.md - items: - - name: "Event 4673 S, F: A privileged service was called." - href: auditing/event-4673.md - - name: "Event 4674 S, F: An operation was attempted on a privileged object." - href: auditing/event-4674.md - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit Other Privilege Use Events - href: auditing/audit-other-privilege-use-events.md - items: - - name: "Event 4985 S: The state of a transaction has changed." - href: auditing/event-4985.md - - name: Audit IPsec Driver - href: auditing/audit-ipsec-driver.md - - name: Audit Other System Events - href: auditing/audit-other-system-events.md - items: - - name: "Event 5024 S: The Windows Firewall Service has started successfully." - href: auditing/event-5024.md - - name: "Event 5025 S: The Windows Firewall Service has been stopped." - href: auditing/event-5025.md - - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." - href: auditing/event-5027.md - - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." - href: auditing/event-5028.md - - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." - href: auditing/event-5029.md - - name: "Event 5030 F: The Windows Firewall Service failed to start." - href: auditing/event-5030.md - - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." - href: auditing/event-5032.md - - name: "Event 5033 S: The Windows Firewall Driver has started successfully." - href: auditing/event-5033.md - - name: "Event 5034 S: The Windows Firewall Driver was stopped." - href: auditing/event-5034.md - - name: "Event 5035 F: The Windows Firewall Driver failed to start." - href: auditing/event-5035.md - - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." - href: auditing/event-5037.md - - name: "Event 5058 S, F: Key file operation." - href: auditing/event-5058.md - - name: "Event 5059 S, F: Key migration operation." - href: auditing/event-5059.md - - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." - href: auditing/event-6400.md - - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." - href: auditing/event-6401.md - - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." - href: auditing/event-6402.md - - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." - href: auditing/event-6403.md - - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." - href: auditing/event-6404.md - - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." - href: auditing/event-6405.md - - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." - href: auditing/event-6406.md - - name: "Event 6407: 1%." - href: auditing/event-6407.md - - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." - href: auditing/event-6408.md - - name: "Event 6409: BranchCache: A service connection point object could not be parsed." - href: auditing/event-6409.md - - name: Audit Security State Change - href: auditing/audit-security-state-change.md - items: - - name: "Event 4608 S: Windows is starting up." - href: auditing/event-4608.md - - name: "Event 4616 S: The system time was changed." - href: auditing/event-4616.md - - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." - href: auditing/event-4621.md - - name: Audit Security System Extension - href: auditing/audit-security-system-extension.md - items: - - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." - href: auditing/event-4610.md - - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." - href: auditing/event-4611.md - - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." - href: auditing/event-4614.md - - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." - href: auditing/event-4622.md - - name: "Event 4697 S: A service was installed in the system." - href: auditing/event-4697.md - - name: Audit System Integrity - href: auditing/audit-system-integrity.md - items: - - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." - href: auditing/event-4612.md - - name: "Event 4615 S: Invalid use of LPC port." - href: auditing/event-4615.md - - name: "Event 4618 S: A monitored security event pattern has occurred." - href: auditing/event-4618.md - - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." - href: auditing/event-4816.md - - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." - href: auditing/event-5038.md - - name: "Event 5056 S: A cryptographic self-test was performed." - href: auditing/event-5056.md - - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." - href: auditing/event-5062.md - - name: "Event 5057 F: A cryptographic primitive operation failed." - href: auditing/event-5057.md - - name: "Event 5060 F: Verification operation failed." - href: auditing/event-5060.md - - name: "Event 5061 S, F: Cryptographic operation." - href: auditing/event-5061.md - - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." - href: auditing/event-6281.md - - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." - href: auditing/event-6410.md - - name: Other Events - href: auditing/other-events.md - items: - - name: "Event 1100 S: The event logging service has shut down." - href: auditing/event-1100.md - - name: "Event 1102 S: The audit log was cleared." - href: auditing/event-1102.md - - name: "Event 1104 S: The security log is now full." - href: auditing/event-1104.md - - name: "Event 1105 S: Event log automatic backup." - href: auditing/event-1105.md - - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." - href: auditing/event-1108.md - - name: "Appendix A: Security monitoring recommendations for many audit events" - href: auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md - - name: Registry (Global Object Access Auditing) - href: auditing/registry-global-object-access-auditing.md - - name: File System (Global Object Access Auditing) - href: auditing/file-system-global-object-access-auditing.md - - name: Security policy settings - href: security-policy-settings/security-policy-settings.md - items: - - name: Administer security policy settings - href: security-policy-settings/administer-security-policy-settings.md - items: - - name: Network List Manager policies - href: security-policy-settings/network-list-manager-policies.md - - name: Configure security policy settings - href: security-policy-settings/how-to-configure-security-policy-settings.md - - name: Security policy settings reference - href: security-policy-settings/security-policy-settings-reference.md - items: - - name: Account Policies - href: security-policy-settings/account-policies.md - items: - - name: Password Policy - href: security-policy-settings/password-policy.md - items: - - name: Enforce password history - href: security-policy-settings/enforce-password-history.md - - name: Maximum password age - href: security-policy-settings/maximum-password-age.md - - name: Minimum password age - href: security-policy-settings/minimum-password-age.md - - name: Minimum password length - href: security-policy-settings/minimum-password-length.md - - name: Password must meet complexity requirements - href: security-policy-settings/password-must-meet-complexity-requirements.md - - name: Store passwords using reversible encryption - href: security-policy-settings/store-passwords-using-reversible-encryption.md - - name: Account Lockout Policy - href: security-policy-settings/account-lockout-policy.md - items: - - name: Account lockout duration - href: security-policy-settings/account-lockout-duration.md - - name: Account lockout threshold - href: security-policy-settings/account-lockout-threshold.md - - name: Reset account lockout counter after - href: security-policy-settings/reset-account-lockout-counter-after.md - - name: Kerberos Policy - href: security-policy-settings/kerberos-policy.md - items: - - name: Enforce user logon restrictions - href: security-policy-settings/enforce-user-logon-restrictions.md - - name: Maximum lifetime for service ticket - href: security-policy-settings/maximum-lifetime-for-service-ticket.md - - name: Maximum lifetime for user ticket - href: security-policy-settings/maximum-lifetime-for-user-ticket.md - - name: Maximum lifetime for user ticket renewal - href: security-policy-settings/maximum-lifetime-for-user-ticket-renewal.md - - name: Maximum tolerance for computer clock synchronization - href: security-policy-settings/maximum-tolerance-for-computer-clock-synchronization.md - - name: Audit Policy - href: security-policy-settings/audit-policy.md - - name: Security Options - href: security-policy-settings/security-options.md - items: - - name: "Accounts: Administrator account status" - href: security-policy-settings/accounts-administrator-account-status.md - - name: "Accounts: Block Microsoft accounts" - href: security-policy-settings/accounts-block-microsoft-accounts.md - - name: "Accounts: Guest account status" - href: security-policy-settings/accounts-guest-account-status.md - - name: "Accounts: Limit local account use of blank passwords to console logon only" - href: security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md - - name: "Accounts: Rename administrator account" - href: security-policy-settings/accounts-rename-administrator-account.md - - name: "Accounts: Rename guest account" - href: security-policy-settings/accounts-rename-guest-account.md - - name: "Audit: Audit the access of global system objects" - href: security-policy-settings/audit-audit-the-access-of-global-system-objects.md - - name: "Audit: Audit the use of Backup and Restore privilege" - href: security-policy-settings/audit-audit-the-use-of-backup-and-restore-privilege.md - - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" - href: security-policy-settings/audit-force-audit-policy-subcategory-settings-to-override.md - - name: "Audit: Shut down system immediately if unable to log security audits" - href: security-policy-settings/audit-shut-down-system-immediately-if-unable-to-log-security-audits.md - - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" - href: security-policy-settings/dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md - - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" - href: security-policy-settings/dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md - - name: "Devices: Allow undock without having to log on" - href: security-policy-settings/devices-allow-undock-without-having-to-log-on.md - - name: "Devices: Allowed to format and eject removable media" - href: security-policy-settings/devices-allowed-to-format-and-eject-removable-media.md - - name: "Devices: Prevent users from installing printer drivers" - href: security-policy-settings/devices-prevent-users-from-installing-printer-drivers.md - - name: "Devices: Restrict CD-ROM access to locally logged-on user only" - href: security-policy-settings/devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md - - name: "Devices: Restrict floppy access to locally logged-on user only" - href: security-policy-settings/devices-restrict-floppy-access-to-locally-logged-on-user-only.md - - name: "Domain controller: Allow server operators to schedule tasks" - href: security-policy-settings/domain-controller-allow-server-operators-to-schedule-tasks.md - - name: "Domain controller: LDAP server signing requirements" - href: security-policy-settings/domain-controller-ldap-server-signing-requirements.md - - name: "Domain controller: Refuse machine account password changes" - href: security-policy-settings/domain-controller-refuse-machine-account-password-changes.md - - name: "Domain member: Digitally encrypt or sign secure channel data (always)" - href: security-policy-settings/domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md - - name: "Domain member: Digitally encrypt secure channel data (when possible)" - href: security-policy-settings/domain-member-digitally-encrypt-secure-channel-data-when-possible.md - - name: "Domain member: Digitally sign secure channel data (when possible)" - href: security-policy-settings/domain-member-digitally-sign-secure-channel-data-when-possible.md - - name: "Domain member: Disable machine account password changes" - href: security-policy-settings/domain-member-disable-machine-account-password-changes.md - - name: "Domain member: Maximum machine account password age" - href: security-policy-settings/domain-member-maximum-machine-account-password-age.md - - name: "Domain member: Require strong (Windows 2000 or later) session key" - href: security-policy-settings/domain-member-require-strong-windows-2000-or-later-session-key.md - - name: "Interactive logon: Display user information when the session is locked" - href: security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md - - name: "Interactive logon: Don't display last signed-in" - href: security-policy-settings/interactive-logon-do-not-display-last-user-name.md - - name: "Interactive logon: Don't display username at sign-in" - href: security-policy-settings/interactive-logon-dont-display-username-at-sign-in.md - - name: "Interactive logon: Do not require CTRL+ALT+DEL" - href: security-policy-settings/interactive-logon-do-not-require-ctrl-alt-del.md - - name: "Interactive logon: Machine account lockout threshold" - href: security-policy-settings/interactive-logon-machine-account-lockout-threshold.md - - name: "Interactive logon: Machine inactivity limit" - href: security-policy-settings/interactive-logon-machine-inactivity-limit.md - - name: "Interactive logon: Message text for users attempting to log on" - href: security-policy-settings/interactive-logon-message-text-for-users-attempting-to-log-on.md - - name: "Interactive logon: Message title for users attempting to log on" - href: security-policy-settings/interactive-logon-message-title-for-users-attempting-to-log-on.md - - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" - href: security-policy-settings/interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md - - name: "Interactive logon: Prompt user to change password before expiration" - href: security-policy-settings/interactive-logon-prompt-user-to-change-password-before-expiration.md - - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" - href: security-policy-settings/interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md - - name: "Interactive logon: Require smart card" - href: security-policy-settings/interactive-logon-require-smart-card.md - - name: "Interactive logon: Smart card removal behavior" - href: security-policy-settings/interactive-logon-smart-card-removal-behavior.md - - name: "Microsoft network client: Digitally sign communications (always)" - href: security-policy-settings/microsoft-network-client-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" - href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)" - href: security-policy-settings/smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md - - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" - href: security-policy-settings/microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md - - name: "Microsoft network server: Amount of idle time required before suspending session" - href: security-policy-settings/microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md - - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" - href: security-policy-settings/microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md - - name: "Microsoft network server: Digitally sign communications (always)" - href: security-policy-settings/microsoft-network-server-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" - href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-always.md - - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" - href: security-policy-settings/smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md - - name: "Microsoft network server: Disconnect clients when logon hours expire" - href: security-policy-settings/microsoft-network-server-disconnect-clients-when-logon-hours-expire.md - - name: "Microsoft network server: Server SPN target name validation level" - href: security-policy-settings/microsoft-network-server-server-spn-target-name-validation-level.md - - name: "Network access: Allow anonymous SID/Name translation" - href: security-policy-settings/network-access-allow-anonymous-sidname-translation.md - - name: "Network access: Do not allow anonymous enumeration of SAM accounts" - href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md - - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" - href: security-policy-settings/network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md - - name: "Network access: Do not allow storage of passwords and credentials for network authentication" - href: security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md - - name: "Network access: Let Everyone permissions apply to anonymous users" - href: security-policy-settings/network-access-let-everyone-permissions-apply-to-anonymous-users.md - - name: "Network access: Named Pipes that can be accessed anonymously" - href: security-policy-settings/network-access-named-pipes-that-can-be-accessed-anonymously.md - - name: "Network access: Remotely accessible registry paths" - href: security-policy-settings/network-access-remotely-accessible-registry-paths.md - - name: "Network access: Remotely accessible registry paths and subpaths" - href: security-policy-settings/network-access-remotely-accessible-registry-paths-and-subpaths.md - - name: "Network access: Restrict anonymous access to Named Pipes and Shares" - href: security-policy-settings/network-access-restrict-anonymous-access-to-named-pipes-and-shares.md - - name: "Network access: Restrict clients allowed to make remote calls to SAM" - href: security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md - - name: "Network access: Shares that can be accessed anonymously" - href: security-policy-settings/network-access-shares-that-can-be-accessed-anonymously.md - - name: "Network access: Sharing and security model for local accounts" - href: security-policy-settings/network-access-sharing-and-security-model-for-local-accounts.md - - name: "Network security: Allow Local System to use computer identity for NTLM" - href: security-policy-settings/network-security-allow-local-system-to-use-computer-identity-for-ntlm.md - - name: "Network security: Allow LocalSystem NULL session fallback" - href: security-policy-settings/network-security-allow-localsystem-null-session-fallback.md - - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" - href: security-policy-settings/network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md - - name: "Network security: Configure encryption types allowed for Kerberos" - href: security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md - - name: "Network security: Do not store LAN Manager hash value on next password change" - href: security-policy-settings/network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md - - name: "Network security: Force logoff when logon hours expire" - href: security-policy-settings/network-security-force-logoff-when-logon-hours-expire.md - - name: "Network security: LAN Manager authentication level" - href: security-policy-settings/network-security-lan-manager-authentication-level.md - - name: "Network security: LDAP client signing requirements" - href: security-policy-settings/network-security-ldap-client-signing-requirements.md - - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" - href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md - - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" - href: security-policy-settings/network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md - - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" - href: security-policy-settings/network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md - - name: "Network security: Restrict NTLM: Add server exceptions in this domain" - href: security-policy-settings/network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md - - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Incoming NTLM traffic" - href: security-policy-settings/network-security-restrict-ntlm-incoming-ntlm-traffic.md - - name: "Network security: Restrict NTLM: NTLM authentication in this domain" - href: security-policy-settings/network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md - - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" - href: security-policy-settings/network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md - - name: "Recovery console: Allow automatic administrative logon" - href: security-policy-settings/recovery-console-allow-automatic-administrative-logon.md - - name: "Recovery console: Allow floppy copy and access to all drives and folders" - href: security-policy-settings/recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md - - name: "Shutdown: Allow system to be shut down without having to log on" - href: security-policy-settings/shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md - - name: "Shutdown: Clear virtual memory pagefile" - href: security-policy-settings/shutdown-clear-virtual-memory-pagefile.md - - name: "System cryptography: Force strong key protection for user keys stored on the computer" - href: security-policy-settings/system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md - - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" - href: security-policy-settings/system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md - - name: "System objects: Require case insensitivity for non-Windows subsystems" - href: security-policy-settings/system-objects-require-case-insensitivity-for-non-windows-subsystems.md - - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" - href: security-policy-settings/system-objects-strengthen-default-permissions-of-internal-system-objects.md - - name: "System settings: Optional subsystems" - href: security-policy-settings/system-settings-optional-subsystems.md - - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" - href: security-policy-settings/system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md - - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" - href: security-policy-settings/user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md - - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" - href: security-policy-settings/user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md - - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md - - name: "User Account Control: Behavior of the elevation prompt for standard users" - href: security-policy-settings/user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md - - name: "User Account Control: Detect application installations and prompt for elevation" - href: security-policy-settings/user-account-control-detect-application-installations-and-prompt-for-elevation.md - - name: "User Account Control: Only elevate executables that are signed and validated" - href: security-policy-settings/user-account-control-only-elevate-executables-that-are-signed-and-validated.md - - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" - href: security-policy-settings/user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md - - name: "User Account Control: Run all administrators in Admin Approval Mode" - href: security-policy-settings/user-account-control-run-all-administrators-in-admin-approval-mode.md - - name: "User Account Control: Switch to the secure desktop when prompting for elevation" - href: security-policy-settings/user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md - - name: "User Account Control: Virtualize file and registry write failures to per-user locations" - href: security-policy-settings/user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md - - name: Advanced security audit policy settings - href: security-policy-settings/secpol-advanced-security-audit-policy-settings.md - - name: User Rights Assignment - href: security-policy-settings/user-rights-assignment.md - items: - - name: Access Credential Manager as a trusted caller - href: security-policy-settings/access-credential-manager-as-a-trusted-caller.md - - name: Access this computer from the network - href: security-policy-settings/access-this-computer-from-the-network.md - - name: Act as part of the operating system - href: security-policy-settings/act-as-part-of-the-operating-system.md - - name: Add workstations to domain - href: security-policy-settings/add-workstations-to-domain.md - - name: Adjust memory quotas for a process - href: security-policy-settings/adjust-memory-quotas-for-a-process.md - - name: Allow log on locally - href: security-policy-settings/allow-log-on-locally.md - - name: Allow log on through Remote Desktop Services - href: security-policy-settings/allow-log-on-through-remote-desktop-services.md - - name: Back up files and directories - href: security-policy-settings/back-up-files-and-directories.md - - name: Bypass traverse checking - href: security-policy-settings/bypass-traverse-checking.md - - name: Change the system time - href: security-policy-settings/change-the-system-time.md - - name: Change the time zone - href: security-policy-settings/change-the-time-zone.md - - name: Create a pagefile - href: security-policy-settings/create-a-pagefile.md - - name: Create a token object - href: security-policy-settings/create-a-token-object.md - - name: Create global objects - href: security-policy-settings/create-global-objects.md - - name: Create permanent shared objects - href: security-policy-settings/create-permanent-shared-objects.md - - name: Create symbolic links - href: security-policy-settings/create-symbolic-links.md - - name: Debug programs - href: security-policy-settings/debug-programs.md - - name: Deny access to this computer from the network - href: security-policy-settings/deny-access-to-this-computer-from-the-network.md - - name: Deny log on as a batch job - href: security-policy-settings/deny-log-on-as-a-batch-job.md - - name: Deny log on as a service - href: security-policy-settings/deny-log-on-as-a-service.md - - name: Deny log on locally - href: security-policy-settings/deny-log-on-locally.md - - name: Deny log on through Remote Desktop Services - href: security-policy-settings/deny-log-on-through-remote-desktop-services.md - - name: Enable computer and user accounts to be trusted for delegation - href: security-policy-settings/enable-computer-and-user-accounts-to-be-trusted-for-delegation.md - - name: Force shutdown from a remote system - href: security-policy-settings/force-shutdown-from-a-remote-system.md - - name: Generate security audits - href: security-policy-settings/generate-security-audits.md - - name: Impersonate a client after authentication - href: security-policy-settings/impersonate-a-client-after-authentication.md - - name: Increase a process working set - href: security-policy-settings/increase-a-process-working-set.md - - name: Increase scheduling priority - href: security-policy-settings/increase-scheduling-priority.md - - name: Load and unload device drivers - href: security-policy-settings/load-and-unload-device-drivers.md - - name: Lock pages in memory - href: security-policy-settings/lock-pages-in-memory.md - - name: Log on as a batch job - href: security-policy-settings/log-on-as-a-batch-job.md - - name: Log on as a service - href: security-policy-settings/log-on-as-a-service.md - - name: Manage auditing and security log - href: security-policy-settings/manage-auditing-and-security-log.md - - name: Modify an object label - href: security-policy-settings/modify-an-object-label.md - - name: Modify firmware environment values - href: security-policy-settings/modify-firmware-environment-values.md - - name: Perform volume maintenance tasks - href: security-policy-settings/perform-volume-maintenance-tasks.md - - name: Profile single process - href: security-policy-settings/profile-single-process.md - - name: Profile system performance - href: security-policy-settings/profile-system-performance.md - - name: Remove computer from docking station - href: security-policy-settings/remove-computer-from-docking-station.md - - name: Replace a process level token - href: security-policy-settings/replace-a-process-level-token.md - - name: Restore files and directories - href: security-policy-settings/restore-files-and-directories.md - - name: Shut down the system - href: security-policy-settings/shut-down-the-system.md - - name: Synchronize directory service data - href: security-policy-settings/synchronize-directory-service-data.md - - name: Take ownership of files or other objects - href: security-policy-settings/take-ownership-of-files-or-other-objects.md - - name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-configuration-framework/windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: windows-security-configuration-framework/security-compliance-toolkit-10.md - - name: Get support - href: windows-security-configuration-framework/get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/auditing/TOC.yml b/windows/security/threat-protection/auditing/TOC.yml new file mode 100644 index 0000000000..4f122c5d8e --- /dev/null +++ b/windows/security/threat-protection/auditing/TOC.yml @@ -0,0 +1,767 @@ + - name: Security auditing + href: security-auditing-overview.md + items: + - name: Basic security audit policies + href: basic-security-audit-policies.md + items: + - name: Create a basic audit policy for an event category + href: create-a-basic-audit-policy-settings-for-an-event-category.md + - name: Apply a basic audit policy on a file or folder + href: apply-a-basic-audit-policy-on-a-file-or-folder.md + - name: View the security event log + href: view-the-security-event-log.md + - name: Basic security audit policy settings + href: basic-security-audit-policy-settings.md + items: + - name: Audit account logon events + href: basic-audit-account-logon-events.md + - name: Audit account management + href: basic-audit-account-management.md + - name: Audit directory service access + href: basic-audit-directory-service-access.md + - name: Audit logon events + href: basic-audit-logon-events.md + - name: Audit object access + href: basic-audit-object-access.md + - name: Audit policy change + href: basic-audit-policy-change.md + - name: Audit privilege use + href: basic-audit-privilege-use.md + - name: Audit process tracking + href: basic-audit-process-tracking.md + - name: Audit system events + href: basic-audit-system-events.md + - name: Advanced security audit policies + href: advanced-security-auditing.md + items: + - name: Planning and deploying advanced security audit policies + href: planning-and-deploying-advanced-security-audit-policies.md + - name: Advanced security auditing FAQ + href: advanced-security-auditing-faq.yml + items: + - name: Which editions of Windows support advanced audit policy configuration + href: which-editions-of-windows-support-advanced-audit-policy-configuration.md + - name: How to list XML elements in \ + href: how-to-list-xml-elements-in-eventdata.md + - name: Using advanced security auditing options to monitor dynamic access control objects + href: using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md + items: + - name: Monitor the central access policies that apply on a file server + href: monitor-the-central-access-policies-that-apply-on-a-file-server.md + - name: Monitor the use of removable storage devices + href: monitor-the-use-of-removable-storage-devices.md + - name: Monitor resource attribute definitions + href: monitor-resource-attribute-definitions.md + - name: Monitor central access policy and rule definitions + href: monitor-central-access-policy-and-rule-definitions.md + - name: Monitor user and device claims during sign-in + href: monitor-user-and-device-claims-during-sign-in.md + - name: Monitor the resource attributes on files and folders + href: monitor-the-resource-attributes-on-files-and-folders.md + - name: Monitor the central access policies associated with files and folders + href: monitor-the-central-access-policies-associated-with-files-and-folders.md + - name: Monitor claim types + href: monitor-claim-types.md + - name: Advanced security audit policy settings + href: advanced-security-audit-policy-settings.md + items: + - name: Audit Credential Validation + href: audit-credential-validation.md + - name: "Event 4774 S, F: An account was mapped for logon." + href: event-4774.md + - name: "Event 4775 F: An account could not be mapped for logon." + href: event-4775.md + - name: "Event 4776 S, F: The computer attempted to validate the credentials for an account." + href: event-4776.md + - name: "Event 4777 F: The domain controller failed to validate the credentials for an account." + href: event-4777.md + - name: Audit Kerberos Authentication Service + href: audit-kerberos-authentication-service.md + items: + - name: "Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested." + href: event-4768.md + - name: "Event 4771 F: Kerberos pre-authentication failed." + href: event-4771.md + - name: "Event 4772 F: A Kerberos authentication ticket request failed." + href: event-4772.md + - name: Audit Kerberos Service Ticket Operations + href: audit-kerberos-service-ticket-operations.md + items: + - name: "Event 4769 S, F: A Kerberos service ticket was requested." + href: event-4769.md + - name: "Event 4770 S: A Kerberos service ticket was renewed." + href: event-4770.md + - name: "Event 4773 F: A Kerberos service ticket request failed." + href: event-4773.md + - name: Audit Other Account Logon Events + href: audit-other-account-logon-events.md + - name: Audit Application Group Management + href: audit-application-group-management.md + - name: Audit Computer Account Management + href: audit-computer-account-management.md + items: + - name: "Event 4741 S: A computer account was created." + href: event-4741.md + - name: "Event 4742 S: A computer account was changed." + href: event-4742.md + - name: "Event 4743 S: A computer account was deleted." + href: event-4743.md + - name: Audit Distribution Group Management + href: audit-distribution-group-management.md + items: + - name: "Event 4749 S: A security-disabled global group was created." + href: event-4749.md + - name: "Event 4750 S: A security-disabled global group was changed." + href: event-4750.md + - name: "Event 4751 S: A member was added to a security-disabled global group." + href: event-4751.md + - name: "Event 4752 S: A member was removed from a security-disabled global group." + href: event-4752.md + - name: "Event 4753 S: A security-disabled global group was deleted." + href: event-4753.md + - name: Audit Other Account Management Events + href: audit-other-account-management-events.md + items: + - name: "Event 4782 S: The password hash of an account was accessed." + href: event-4782.md + - name: "Event 4793 S: The Password Policy Checking API was called." + href: event-4793.md + - name: Audit Security Group Management + href: audit-security-group-management.md + items: + - name: "Event 4731 S: A security-enabled local group was created." + href: event-4731.md + - name: "Event 4732 S: A member was added to a security-enabled local group." + href: event-4732.md + - name: "Event 4733 S: A member was removed from a security-enabled local group." + href: event-4733.md + - name: "Event 4734 S: A security-enabled local group was deleted." + href: event-4734.md + - name: "Event 4735 S: A security-enabled local group was changed." + href: event-4735.md + - name: "Event 4764 S: A group�s type was changed." + href: event-4764.md + - name: "Event 4799 S: A security-enabled local group membership was enumerated." + href: event-4799.md + - name: Audit User Account Management + href: audit-user-account-management.md + items: + - name: "Event 4720 S: A user account was created." + href: event-4720.md + - name: "Event 4722 S: A user account was enabled." + href: event-4722.md + - name: "Event 4723 S, F: An attempt was made to change an account's password." + href: event-4723.md + - name: "Event 4724 S, F: An attempt was made to reset an account's password." + href: event-4724.md + - name: "Event 4725 S: A user account was disabled." + href: event-4725.md + - name: "Event 4726 S: A user account was deleted." + href: event-4726.md + - name: "Event 4738 S: A user account was changed." + href: event-4738.md + - name: "Event 4740 S: A user account was locked out." + href: event-4740.md + - name: "Event 4765 S: SID History was added to an account." + href: event-4765.md + - name: "Event 4766 F: An attempt to add SID History to an account failed." + href: event-4766.md + - name: "Event 4767 S: A user account was unlocked." + href: event-4767.md + - name: "Event 4780 S: The ACL was set on accounts that are members of administrators groups." + href: event-4780.md + - name: "Event 4781 S: The name of an account was changed." + href: event-4781.md + - name: "Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password." + href: event-4794.md + - name: "Event 4798 S: A user's local group membership was enumerated." + href: event-4798.md + - name: "Event 5376 S: Credential Manager credentials were backed up." + href: event-5376.md + - name: "Event 5377 S: Credential Manager credentials were restored from a backup." + href: event-5377.md + - name: Audit DPAPI Activity + href: audit-dpapi-activity.md + items: + - name: "Event 4692 S, F: Backup of data protection master key was attempted." + href: event-4692.md + - name: "Event 4693 S, F: Recovery of data protection master key was attempted." + href: event-4693.md + - name: "Event 4694 S, F: Protection of auditable protected data was attempted." + href: event-4694.md + - name: "Event 4695 S, F: Unprotection of auditable protected data was attempted." + href: event-4695.md + - name: Audit PNP Activity + href: audit-pnp-activity.md + items: + - name: "Event 6416 S: A new external device was recognized by the System." + href: event-6416.md + - name: "Event 6419 S: A request was made to disable a device." + href: event-6419.md + - name: "Event 6420 S: A device was disabled." + href: event-6420.md + - name: "Event 6421 S: A request was made to enable a device." + href: event-6421.md + - name: "Event 6422 S: A device was enabled." + href: event-6422.md + - name: "Event 6423 S: The installation of this device is forbidden by system policy." + href: event-6423.md + - name: "Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy." + href: event-6424.md + - name: Audit Process Creation + href: audit-process-creation.md + items: + - name: "Event 4688 S: A new process has been created." + href: event-4688.md + - name: "Event 4696 S: A primary token was assigned to process." + href: event-4696.md + - name: Audit Process Termination + href: audit-process-termination.md + items: + - name: "Event 4689 S: A process has exited." + href: event-4689.md + - name: Audit RPC Events + href: audit-rpc-events.md + items: + - name: "Event 5712 S: A Remote Procedure Call, RPC, was attempted." + href: event-5712.md + - name: Audit Token Right Adjusted + href: audit-token-right-adjusted.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: event-4703.md + - name: Audit Detailed Directory Service Replication + href: audit-detailed-directory-service-replication.md + items: + - name: "Event 4928 S, F: An Active Directory replica source naming context was established." + href: event-4928.md + - name: "Event 4929 S, F: An Active Directory replica source naming context was removed." + href: event-4929.md + - name: "Event 4930 S, F: An Active Directory replica source naming context was modified." + href: event-4930.md + - name: "Event 4931 S, F: An Active Directory replica destination naming context was modified." + href: event-4931.md + - name: "Event 4934 S: Attributes of an Active Directory object were replicated." + href: event-4934.md + - name: "Event 4935 F: Replication failure begins." + href: event-4935.md + - name: "Event 4936 S: Replication failure ends." + href: event-4936.md + - name: "Event 4937 S: A lingering object was removed from a replica." + href: event-4937.md + - name: Audit Directory Service Access + href: audit-directory-service-access.md + items: + - name: "Event 4662 S, F: An operation was performed on an object." + href: event-4662.md + - name: "Event 4661 S, F: A handle to an object was requested." + href: event-4661.md + - name: Audit Directory Service Changes + href: audit-directory-service-changes.md + items: + - name: "Event 5136 S: A directory service object was modified." + href: event-5136.md + - name: "Event 5137 S: A directory service object was created." + href: event-5137.md + - name: "Event 5138 S: A directory service object was undeleted." + href: event-5138.md + - name: "Event 5139 S: A directory service object was moved." + href: event-5139.md + - name: "Event 5141 S: A directory service object was deleted." + href: event-5141.md + - name: Audit Directory Service Replication + href: audit-directory-service-replication.md + items: + - name: "Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun." + href: event-4932.md + - name: "Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended." + href: event-4933.md + - name: Audit Account Lockout + href: audit-account-lockout.md + items: + - name: "Event 4625 F: An account failed to log on." + href: event-4625.md + - name: Audit User/Device Claims + href: audit-user-device-claims.md + items: + - name: "Event 4626 S: User/Device claims information." + href: event-4626.md + - name: Audit Group Membership + href: audit-group-membership.md + items: + - name: "Event 4627 S: Group membership information." + href: event-4627.md + - name: Audit IPsec Extended Mode + href: audit-ipsec-extended-mode.md + - name: Audit IPsec Main Mode + href: audit-ipsec-main-mode.md + - name: Audit IPsec Quick Mode + href: audit-ipsec-quick-mode.md + - name: Audit Logoff + href: audit-logoff.md + items: + - name: "Event 4634 S: An account was logged off." + href: event-4634.md + - name: "Event 4647 S: User initiated logoff." + href: event-4647.md + - name: Audit Logon + href: audit-logon.md + items: + - name: "Event 4624 S: An account was successfully logged on." + href: event-4624.md + - name: "Event 4625 F: An account failed to log on." + href: event-4625.md + - name: "Event 4648 S: A logon was attempted using explicit credentials." + href: event-4648.md + - name: "Event 4675 S: SIDs were filtered." + href: event-4675.md + - name: Audit Network Policy Server + href: audit-network-policy-server.md + - name: Audit Other Logon/Logoff Events + href: audit-other-logonlogoff-events.md + items: + - name: "Event 4649 S: A replay attack was detected." + href: event-4649.md + - name: "Event 4778 S: A session was reconnected to a Window Station." + href: event-4778.md + - name: "Event 4779 S: A session was disconnected from a Window Station." + href: event-4779.md + - name: "Event 4800 S: The workstation was locked." + href: event-4800.md + - name: "Event 4801 S: The workstation was unlocked." + href: event-4801.md + - name: "Event 4802 S: The screen saver was invoked." + href: event-4802.md + - name: "Event 4803 S: The screen saver was dismissed." + href: event-4803.md + - name: "Event 5378 F: The requested credentials delegation was disallowed by policy." + href: event-5378.md + - name: "Event 5632 S, F: A request was made to authenticate to a wireless network." + href: event-5632.md + - name: "Event 5633 S, F: A request was made to authenticate to a wired network." + href: event-5633.md + - name: Audit Special Logon + href: audit-special-logon.md + items: + - name: "Event 4964 S: Special groups have been assigned to a new logon." + href: event-4964.md + - name: "Event 4672 S: Special privileges assigned to new logon." + href: event-4672.md + - name: Audit Application Generated + href: audit-application-generated.md + - name: Audit Certification Services + href: audit-certification-services.md + - name: Audit Detailed File Share + href: audit-detailed-file-share.md + items: + - name: "Event 5145 S, F: A network share object was checked to see whether client can be granted desired access." + href: event-5145.md + - name: Audit File Share + href: audit-file-share.md + items: + - name: "Event 5140 S, F: A network share object was accessed." + href: event-5140.md + - name: "Event 5142 S: A network share object was added." + href: event-5142.md + - name: "Event 5143 S: A network share object was modified." + href: event-5143.md + - name: "Event 5144 S: A network share object was deleted." + href: event-5144.md + - name: "Event 5168 F: SPN check for SMB/SMB2 failed." + href: event-5168.md + - name: Audit File System + href: audit-file-system.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: "Event 4664 S: An attempt was made to create a hard link." + href: event-4664.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: "Event 5051: A file was virtualized." + href: event-5051.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: Audit Filtering Platform Connection + href: audit-filtering-platform-connection.md + items: + - name: "Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network." + href: event-5031.md + - name: "Event 5150: The Windows Filtering Platform blocked a packet." + href: event-5150.md + - name: "Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: event-5151.md + - name: "Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections." + href: event-5154.md + - name: "Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections." + href: event-5155.md + - name: "Event 5156 S: The Windows Filtering Platform has permitted a connection." + href: event-5156.md + - name: "Event 5157 F: The Windows Filtering Platform has blocked a connection." + href: event-5157.md + - name: "Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port." + href: event-5158.md + - name: "Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port." + href: event-5159.md + - name: Audit Filtering Platform Packet Drop + href: audit-filtering-platform-packet-drop.md + items: + - name: "Event 5152 F: The Windows Filtering Platform blocked a packet." + href: event-5152.md + - name: "Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet." + href: event-5153.md + - name: Audit Handle Manipulation + href: audit-handle-manipulation.md + items: + - name: "Event 4690 S: An attempt was made to duplicate a handle to an object." + href: event-4690.md + - name: Audit Kernel Object + href: audit-kernel-object.md + items: + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: Audit Other Object Access Events + href: audit-other-object-access-events.md + items: + - name: "Event 4671: An application attempted to access a blocked ordinal through the TBS." + href: event-4671.md + - name: "Event 4691 S: Indirect access to an object was requested." + href: event-4691.md + - name: "Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded." + href: event-5148.md + - name: "Event 5149 F: The DoS attack has subsided and normal processing is being resumed." + href: event-5149.md + - name: "Event 4698 S: A scheduled task was created." + href: event-4698.md + - name: "Event 4699 S: A scheduled task was deleted." + href: event-4699.md + - name: "Event 4700 S: A scheduled task was enabled." + href: event-4700.md + - name: "Event 4701 S: A scheduled task was disabled." + href: event-4701.md + - name: "Event 4702 S: A scheduled task was updated." + href: event-4702.md + - name: "Event 5888 S: An object in the COM+ Catalog was modified." + href: event-5888.md + - name: "Event 5889 S: An object was deleted from the COM+ Catalog." + href: event-5889.md + - name: "Event 5890 S: An object was added to the COM+ Catalog." + href: event-5890.md + - name: Audit Registry + href: audit-registry.md + items: + - name: "Event 4663 S: An attempt was made to access an object." + href: event-4663.md + - name: "Event 4656 S, F: A handle to an object was requested." + href: event-4656.md + - name: "Event 4658 S: The handle to an object was closed." + href: event-4658.md + - name: "Event 4660 S: An object was deleted." + href: event-4660.md + - name: "Event 4657 S: A registry value was modified." + href: event-4657.md + - name: "Event 5039: A registry key was virtualized." + href: event-5039.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: Audit Removable Storage + href: audit-removable-storage.md + - name: Audit SAM + href: audit-sam.md + items: + - name: "Event 4661 S, F: A handle to an object was requested." + href: event-4661.md + - name: Audit Central Access Policy Staging + href: audit-central-access-policy-staging.md + items: + - name: "Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy." + href: event-4818.md + - name: Audit Audit Policy Change + href: audit-audit-policy-change.md + items: + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: "Event 4715 S: The audit policy, SACL, on an object was changed." + href: event-4715.md + - name: "Event 4719 S: System audit policy was changed." + href: event-4719.md + - name: "Event 4817 S: Auditing settings on object were changed." + href: event-4817.md + - name: "Event 4902 S: The Per-user audit policy table was created." + href: event-4902.md + - name: "Event 4906 S: The CrashOnAuditFail value has changed." + href: event-4906.md + - name: "Event 4907 S: Auditing settings on object were changed." + href: event-4907.md + - name: "Event 4908 S: Special Groups Logon table modified." + href: event-4908.md + - name: "Event 4912 S: Per User Audit Policy was changed." + href: event-4912.md + - name: "Event 4904 S: An attempt was made to register a security event source." + href: event-4904.md + - name: "Event 4905 S: An attempt was made to unregister a security event source." + href: event-4905.md + - name: Audit Authentication Policy Change + href: audit-authentication-policy-change.md + items: + - name: "Event 4706 S: A new trust was created to a domain." + href: event-4706.md + - name: "Event 4707 S: A trust to a domain was removed." + href: event-4707.md + - name: "Event 4716 S: Trusted domain information was modified." + href: event-4716.md + - name: "Event 4713 S: Kerberos policy was changed." + href: event-4713.md + - name: "Event 4717 S: System security access was granted to an account." + href: event-4717.md + - name: "Event 4718 S: System security access was removed from an account." + href: event-4718.md + - name: "Event 4739 S: Domain Policy was changed." + href: event-4739.md + - name: "Event 4864 S: A namespace collision was detected." + href: event-4864.md + - name: "Event 4865 S: A trusted forest information entry was added." + href: event-4865.md + - name: "Event 4866 S: A trusted forest information entry was removed." + href: event-4866.md + - name: "Event 4867 S: A trusted forest information entry was modified." + href: event-4867.md + - name: Audit Authorization Policy Change + href: audit-authorization-policy-change.md + items: + - name: "Event 4703 S: A user right was adjusted." + href: event-4703.md + - name: "Event 4704 S: A user right was assigned." + href: event-4704.md + - name: "Event 4705 S: A user right was removed." + href: event-4705.md + - name: "Event 4670 S: Permissions on an object were changed." + href: event-4670.md + - name: "Event 4911 S: Resource attributes of the object were changed." + href: event-4911.md + - name: "Event 4913 S: Central Access Policy on the object was changed." + href: event-4913.md + - name: Audit Filtering Platform Policy Change + href: audit-filtering-platform-policy-change.md + - name: Audit MPSSVC Rule-Level Policy Change + href: audit-mpssvc-rule-level-policy-change.md + items: + - name: "Event 4944 S: The following policy was active when the Windows Firewall started." + href: event-4944.md + - name: "Event 4945 S: A rule was listed when the Windows Firewall started." + href: event-4945.md + - name: "Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added." + href: event-4946.md + - name: "Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified." + href: event-4947.md + - name: "Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted." + href: event-4948.md + - name: "Event 4949 S: Windows Firewall settings were restored to the default values." + href: event-4949.md + - name: "Event 4950 S: A Windows Firewall setting has changed." + href: event-4950.md + - name: "Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall." + href: event-4951.md + - name: "Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced." + href: event-4952.md + - name: "Event 4953 F: Windows Firewall ignored a rule because it could not be parsed." + href: event-4953.md + - name: "Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied." + href: event-4954.md + - name: "Event 4956 S: Windows Firewall has changed the active profile." + href: event-4956.md + - name: "Event 4957 F: Windows Firewall did not apply the following rule." + href: event-4957.md + - name: "Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer." + href: event-4958.md + - name: Audit Other Policy Change Events + href: audit-other-policy-change-events.md + items: + - name: "Event 4714 S: Encrypted data recovery policy was changed." + href: event-4714.md + - name: "Event 4819 S: Central Access Policies on the machine have been changed." + href: event-4819.md + - name: "Event 4826 S: Boot Configuration Data loaded." + href: event-4826.md + - name: "Event 4909: The local policy settings for the TBS were changed." + href: event-4909.md + - name: "Event 4910: The group policy settings for the TBS were changed." + href: event-4910.md + - name: "Event 5063 S, F: A cryptographic provider operation was attempted." + href: event-5063.md + - name: "Event 5064 S, F: A cryptographic context operation was attempted." + href: event-5064.md + - name: "Event 5065 S, F: A cryptographic context modification was attempted." + href: event-5065.md + - name: "Event 5066 S, F: A cryptographic function operation was attempted." + href: event-5066.md + - name: "Event 5067 S, F: A cryptographic function modification was attempted." + href: event-5067.md + - name: "Event 5068 S, F: A cryptographic function provider operation was attempted." + href: event-5068.md + - name: "Event 5069 S, F: A cryptographic function property operation was attempted." + href: event-5069.md + - name: "Event 5070 S, F: A cryptographic function property modification was attempted." + href: event-5070.md + - name: "Event 5447 S: A Windows Filtering Platform filter has been changed." + href: event-5447.md + - name: "Event 6144 S: Security policy in the group policy objects has been applied successfully." + href: event-6144.md + - name: "Event 6145 F: One or more errors occurred while processing security policy in the group policy objects." + href: event-6145.md + - name: Audit Sensitive Privilege Use + href: audit-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit Non Sensitive Privilege Use + href: audit-non-sensitive-privilege-use.md + items: + - name: "Event 4673 S, F: A privileged service was called." + href: event-4673.md + - name: "Event 4674 S, F: An operation was attempted on a privileged object." + href: event-4674.md + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit Other Privilege Use Events + href: audit-other-privilege-use-events.md + items: + - name: "Event 4985 S: The state of a transaction has changed." + href: event-4985.md + - name: Audit IPsec Driver + href: audit-ipsec-driver.md + - name: Audit Other System Events + href: audit-other-system-events.md + items: + - name: "Event 5024 S: The Windows Firewall Service has started successfully." + href: event-5024.md + - name: "Event 5025 S: The Windows Firewall Service has been stopped." + href: event-5025.md + - name: "Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy." + href: event-5027.md + - name: "Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy." + href: event-5028.md + - name: "Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy." + href: event-5029.md + - name: "Event 5030 F: The Windows Firewall Service failed to start." + href: event-5030.md + - name: "Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network." + href: event-5032.md + - name: "Event 5033 S: The Windows Firewall Driver has started successfully." + href: event-5033.md + - name: "Event 5034 S: The Windows Firewall Driver was stopped." + href: event-5034.md + - name: "Event 5035 F: The Windows Firewall Driver failed to start." + href: event-5035.md + - name: "Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating." + href: event-5037.md + - name: "Event 5058 S, F: Key file operation." + href: event-5058.md + - name: "Event 5059 S, F: Key migration operation." + href: event-5059.md + - name: "Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content." + href: event-6400.md + - name: "Event 6401: BranchCache: Received invalid data from a peer. Data discarded." + href: event-6401.md + - name: "Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted." + href: event-6402.md + - name: "Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client." + href: event-6403.md + - name: "Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate." + href: event-6404.md + - name: "Event 6405: BranchCache: %2 instances of event id %1 occurred." + href: event-6405.md + - name: "Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2." + href: event-6406.md + - name: "Event 6407: 1%." + href: event-6407.md + - name: "Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2." + href: event-6408.md + - name: "Event 6409: BranchCache: A service connection point object could not be parsed." + href: event-6409.md + - name: Audit Security State Change + href: audit-security-state-change.md + items: + - name: "Event 4608 S: Windows is starting up." + href: event-4608.md + - name: "Event 4616 S: The system time was changed." + href: event-4616.md + - name: "Event 4621 S: Administrator recovered system from CrashOnAuditFail." + href: event-4621.md + - name: Audit Security System Extension + href: audit-security-system-extension.md + items: + - name: "Event 4610 S: An authentication package has been loaded by the Local Security Authority." + href: event-4610.md + - name: "Event 4611 S: A trusted logon process has been registered with the Local Security Authority." + href: event-4611.md + - name: "Event 4614 S: A notification package has been loaded by the Security Account Manager." + href: event-4614.md + - name: "Event 4622 S: A security package has been loaded by the Local Security Authority." + href: event-4622.md + - name: "Event 4697 S: A service was installed in the system." + href: event-4697.md + - name: Audit System Integrity + href: audit-system-integrity.md + items: + - name: "Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits." + href: event-4612.md + - name: "Event 4615 S: Invalid use of LPC port." + href: event-4615.md + - name: "Event 4618 S: A monitored security event pattern has occurred." + href: event-4618.md + - name: "Event 4816 S: RPC detected an integrity violation while decrypting an incoming message." + href: event-4816.md + - name: "Event 5038 F: Code integrity determined that the image hash of a file is not valid." + href: event-5038.md + - name: "Event 5056 S: A cryptographic self-test was performed." + href: event-5056.md + - name: "Event 5062 S: A kernel-mode cryptographic self-test was performed." + href: event-5062.md + - name: "Event 5057 F: A cryptographic primitive operation failed." + href: event-5057.md + - name: "Event 5060 F: Verification operation failed." + href: event-5060.md + - name: "Event 5061 S, F: Cryptographic operation." + href: event-5061.md + - name: "Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid." + href: event-6281.md + - name: "Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process." + href: event-6410.md + - name: Other Events + href: other-events.md + items: + - name: "Event 1100 S: The event logging service has shut down." + href: event-1100.md + - name: "Event 1102 S: The audit log was cleared." + href: event-1102.md + - name: "Event 1104 S: The security log is now full." + href: event-1104.md + - name: "Event 1105 S: Event log automatic backup." + href: event-1105.md + - name: "Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1." + href: event-1108.md + - name: "Appendix A: Security monitoring recommendations for many audit events" + href: appendix-a-security-monitoring-recommendations-for-many-audit-events.md + - name: Registry (Global Object Access Auditing) + href: registry-global-object-access-auditing.md + - name: File System (Global Object Access Auditing) + href: file-system-global-object-access-auditing.md + - name: Windows security + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md index c1ffec9b59..3fff0198ed 100644 --- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md +++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md @@ -13,7 +13,7 @@ author: dansimp ms.author: dansimp ms.date: 08/14/2017 ms.localizationpriority: medium -ms.technology: mde +ms.technology: other --- # Block untrusted fonts in an enterprise diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md index 9b2b985db5..fc40dc48df 100644 --- a/windows/security/threat-protection/fips-140-validation.md +++ b/windows/security/threat-protection/fips-140-validation.md @@ -10,7 +10,7 @@ ms.collection: M365-identity-device-management ms.topic: article ms.localizationpriority: medium ms.reviewer: -ms.technology: mde +ms.technology: other --- # FIPS 140-2 Validation @@ -6780,7 +6780,7 @@ Version 6.3.9600 #### SP 800-132 Password-Based Key Derivation Function (PBKDF) - +
Modes / States / Key Sizes diff --git a/windows/security/threat-protection/images/simplified-sdl.png b/windows/security/threat-protection/images/simplified-sdl.png new file mode 100644 index 0000000000..97c7448b8c Binary files /dev/null and b/windows/security/threat-protection/images/simplified-sdl.png differ diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index f299d99657..7baa36b1a0 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -1,149 +1,51 @@ --- -title: Threat Protection (Windows 10) -description: Microsoft Defender for Endpoint is a unified platform for preventative protection, post-breach detection, automated investigation, and response. -keywords: threat protection, Microsoft Defender Advanced Threat Protection, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection +title: Windows threat protection +description: Describes the security capabilities in Windows client focused on threat protection +keywords: threat protection, Microsoft Defender Antivirus, attack surface reduction, next-generation protection, endpoint detection and response, automated investigation and response, microsoft threat experts, Microsoft Secure Score for Devices, advanced hunting, cyber threat hunting, web threat protection search.product: eADQiWindows 10XVcnh ms.prod: m365-security ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security -ms.author: macapara -author: mjcaparas +ms.author: dansimp +author: dansimp ms.localizationpriority: medium manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.technology: mde +ms.technology: windows-sec --- -# Threat Protection +# Windows threat protection **Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) -- [Microsoft 365 Defender](/microsoft-365/security/defender/microsoft-365-defender) +- Windows 10 +- Windows 11 -[Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture. +In Windows client, hardware and software work together to help protect you from new and emerging threats. Expanded security protections in Windows 11 help boost security from the chip, to the cloud. -**Applies to:** -- [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/) +## Windows threat protection -> [!TIP] -> Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](/enterprise-mobility-security/remote-work/). +See the following articles to learn more about the different areas of Windows threat protection: -

Microsoft Defender for Endpoint

- - - - - - - - - - - - - - - -
threat and vulnerability icon
Threat & vulnerability management
attack surface reduction icon
Attack surface reduction
next generation protection icon
Next-generation protection
endpoint detection and response icon
Endpoint detection and response
automated investigation and remediation icon
Automated investigation and remediation
microsoft threat experts icon
Microsoft Threat Experts
-
Centralized configuration and administration, APIs
Microsoft 365 Defender
-
- - - - ->[!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4obJq] - -**[Threat & vulnerability management](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt)**
-This built-in capability uses a game-changing risk-based approach to the discovery, prioritization, and remediation of endpoint vulnerabilities and misconfigurations. - -- [Threat & vulnerability management overview](/microsoft-365/security/defender-endpoint/next-gen-threat-and-vuln-mgt) -- [Get started](/microsoft-365/security/defender-endpoint/tvm-prerequisites) -- [Access your security posture](/microsoft-365/security/defender-endpoint/tvm-dashboard-insights) -- [Improve your security posture and reduce risk](/microsoft-365/security/defender-endpoint/tvm-security-recommendation) -- [Understand vulnerabilities on your devices](/microsoft-365/security/defender-endpoint/tvm-software-inventory) - - - -**[Attack surface reduction](/microsoft-365/security/defender-endpoint/overview-attack-surface-reduction)**
-The attack surface reduction set of capabilities provide the first line of defense in the stack. By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitation. - -- [Hardware based isolation](/microsoft-365/security/defender-endpoint/overview-hardware-based-isolation) -- [Application control](windows-defender-application-control/windows-defender-application-control.md) -- [Device control](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) +- [Microsoft Defender Application Guard](\windows\security\threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md) +- [Virtualization-based protection of code integrity](\windows\security\threat-protection\device-guard\enable-virtualization-based-protection-of-code-integrity.md) +- [Application control](/windows-defender-application-control/windows-defender-application-control.md) +- [Microsoft Defender Device Guard](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md) - [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection) - [Network protection](/microsoft-365/security/defender-endpoint/network-protection), [web protection](/microsoft-365/security/defender-endpoint/web-protection-overview) +- [Microsoft Defender SmartScreen](\windows\security\threat-protection\microsoft-defender-smartscreen\microsoft-defender-smartscreen-overview.md) - [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders) - [Network firewall](windows-firewall/windows-firewall-with-advanced-security.md) - [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) +- [Windows Sandbox](\windows\security\threat-protection\windows-sandbox\windows-sandbox-overview.md) - - -**[Next-generation protection](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10)**
-To further reinforce the security perimeter of your network, Microsoft Defender for Endpoint uses next-generation protection designed to catch all types of emerging threats. +### Next-generation protection +Next-generation protection is designed to identify and block new and emerging threats. Powered by the cloud and machine learning, Microsoft Defender Antivirus can help stop attacks in real-time. - [Behavior monitoring](/microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus) - [Cloud-based protection](/microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus) - [Machine learning](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus) - [URL Protection](/microsoft-365/security/defender-endpoint/configure-network-connections-microsoft-defender-antivirus) -- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) - - - -**[Endpoint detection and response](/microsoft-365/security/defender-endpoint/overview-endpoint-detection-response)**
-Endpoint detection and response capabilities are put in place to detect, investigate, and respond to intrusion attempts and active breaches. With Advanced hunting, you have a query-based threat-hunting tool that lets your proactively find breaches and create custom detections. - -- [Alerts](/microsoft-365/security/defender-endpoint/alerts-queue) -- [Historical endpoint data](/microsoft-365/security/defender-endpoint/investigate-machines#timeline) -- [Response orchestration](/microsoft-365/security/defender-endpoint/respond-machine-alerts) -- [Forensic collection](/microsoft-365/security/defender-endpoint/respond-machine-alerts#collect-investigation-package-from-devices) -- [Threat intelligence](/microsoft-365/security/defender-endpoint/threat-indicator-concepts) -- [Advanced detonation and analysis service](/microsoft-365/security/defender-endpoint/respond-file-alerts#deep-analysis) -- [Advanced hunting](/microsoft-365/security/defender-endpoint/advanced-hunting-overview) - - [Custom detections](/microsoft-365/security/defender-endpoint/overview-custom-detections) - - - -**[Automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations)**
-In addition to quickly responding to advanced attacks, Microsoft Defender for Endpoint offers automated investigation and remediation capabilities that help reduce the volume of alerts in minutes at scale. - -- [Get an overview of automated investigation and remediation](/microsoft-365/security/defender-endpoint/automated-investigations) -- [Learn about automation levels](/microsoft-365/security/defender-endpoint/automation-levels) -- [Configure automated investigation and remediation in Defender for Endpoint](/microsoft-365/security/defender-endpoint/configure-automated-investigations-remediation) -- [Visit the Action center to see remediation actions](/microsoft-365/security/defender-endpoint/auto-investigation-action-center) -- [Review remediation actions following an automated investigation](/microsoft-365/security/defender-endpoint/manage-auto-investigation) - - - -**[Microsoft Threat Experts](/microsoft-365/security/defender-endpoint/microsoft-threat-experts)**
-Microsoft Defender for Endpoint's new managed threat hunting service provides proactive hunting, prioritization, and additional context and insights. Microsoft Threat Experts further empowers Security Operation Centers (SOCs) to identify and respond to threats quickly and accurately. - -- [Targeted attack notification](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Experts-on-demand](/microsoft-365/security/defender-endpoint/microsoft-threat-experts) -- [Configure your Microsoft 365 Defender managed hunting service](/microsoft-365/security/defender-endpoint/configure-microsoft-threat-experts) - - - -**[Centralized configuration and administration, APIs](/microsoft-365/security/defender-endpoint/management-apis)**
-Integrate Microsoft Defender for Endpoint into your existing workflows. -- [Onboarding](/microsoft-365/security/defender-endpoint/onboard-configure) -- [API and SIEM integration](/microsoft-365/security/defender-endpoint/configure-siem) -- [Exposed APIs](/microsoft-365/security/defender-endpoint/apis-intro) -- [Role-based access control (RBAC)](/microsoft-365/security/defender-endpoint/rbac) -- [Reporting and trends](/microsoft-365/security/defender-endpoint/threat-protection-reports) - - -**[Integration with Microsoft solutions](/microsoft-365/security/defender-endpoint/threat-protection-integration)**
- Microsoft Defender for Endpoint directly integrates with various Microsoft solutions, including: -- Intune -- Microsoft Defender for Office 365 -- Microsoft Defender for Identity -- Azure Defender -- Skype for Business -- Microsoft Cloud App Security - - -**[Microsoft 365 Defender](/microsoft-365/security/mtp/microsoft-threat-protection)**
- With Microsoft 365 Defender, Microsoft Defender for Endpoint and various Microsoft security solutions form a unified pre- and post-breach enterprise defense suite that natively integrates across endpoint, identity, email, and applications to detect, prevent, investigate, and automatically respond to sophisticated attacks. \ No newline at end of file +- [Automated sandbox service](/microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus) \ No newline at end of file diff --git a/windows/security/threat-protection/intelligence/TOC.yml b/windows/security/threat-protection/intelligence/TOC.yml deleted file mode 100644 index 78fea4eba3..0000000000 --- a/windows/security/threat-protection/intelligence/TOC.yml +++ /dev/null @@ -1,60 +0,0 @@ -- name: Security intelligence - href: index.md - items: - - name: Understand malware & other threats - href: understanding-malware.md - items: - - name: Coin miners - href: coinminer-malware.md - - name: Exploits and exploit kits - href: exploits-malware.md - - name: Fileless threats - href: fileless-threats.md - - name: Macro malware - href: macro-malware.md - - name: Phishing attacks - href: phishing.md - items: - - name: Phishing trends and techniques - href: phishing-trends.md - - name: Ransomware - href: /security/compass/human-operated-ransomware - - name: Rootkits - href: rootkits-malware.md - - name: Supply chain attacks - href: supply-chain-malware.md - - name: Tech support scams - href: support-scams.md - - name: Trojans - href: trojans-malware.md - - name: Unwanted software - href: unwanted-software.md - - name: Worms - href: worms-malware.md - - name: Prevent malware infection - href: prevent-malware-infection.md - - name: Malware naming convention - href: malware-naming.md - - name: How Microsoft identifies malware and PUA - href: criteria.md - - name: Submit files for analysis - href: submission-guide.md - - name: Troubleshoot malware submission - href: portal-submission-troubleshooting.md - - name: Safety Scanner download - href: safety-scanner-download.md - - name: Industry collaboration programs - href: cybersecurity-industry-partners.md - items: - - name: Virus information alliance - href: virus-information-alliance-criteria.md - - name: Microsoft virus initiative - href: virus-initiative-criteria.md - - name: Coordinated malware eradication - href: coordinated-malware-eradication.md - - name: Information for developers - items: - - name: Software developer FAQ - href: developer-faq.yml - - name: Software developer resources - href: developer-resources.md diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md index 83a6f5e00b..a12edb4f83 100644 --- a/windows/security/threat-protection/mbsa-removal-and-guidance.md +++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md @@ -9,7 +9,7 @@ ms.author: dansimp author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: other --- # What is Microsoft Baseline Security Analyzer and its uses? diff --git a/windows/security/threat-protection/microsoft-bug-bounty-program.md b/windows/security/threat-protection/microsoft-bug-bounty-program.md new file mode 100644 index 0000000000..7dcc6cdd7f --- /dev/null +++ b/windows/security/threat-protection/microsoft-bug-bounty-program.md @@ -0,0 +1,22 @@ +--- +title: About the Microsoft Bug Bounty Program +description: If you are a security researcher, you can get a reward for reporting a vulnerability in a Microsoft product, service, or device. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: other +--- + +# About the Microsoft Bug Bounty Program + +Are you a security researcher? Did you find a vulnerability in a Microsoft product, service, or device? If so, we want to hear from you! + +If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions. + +Visit the [Microsoft Bug Bounty Program site](https://www.microsoft.com/en-us/msrc/bounty?rtc=1) for all the details! \ No newline at end of file diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml index ee887e168a..e235cf65ec 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/TOC.yml @@ -3,13 +3,16 @@ items: - name: System requirements href: reqs-md-app-guard.md - - name: Install WDAG + - name: Install Application Guard href: install-md-app-guard.md - - name: Configure WDAG policies + - name: Configure Application Guard policies href: configure-md-app-guard.md - name: Test scenarios href: test-scenarios-md-app-guard.md - name: Microsoft Defender Application Guard Extension href: md-app-guard-browser-extension.md - - name: FAQ + - name: Application Guard FAQ href: faq-md-app-guard.yml +- name: Windows security + href: /windows/security/ + diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml index 9ad53a26f5..c0d45b5bad 100644 --- a/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml +++ b/windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.yml @@ -9,7 +9,7 @@ metadata: ms.localizationpriority: medium author: denisebmsft ms.author: deniseb - ms.date: 07/23/2021 + ms.date: 09/29/2021 ms.reviewer: manager: dansimp ms.custom: asr @@ -217,6 +217,16 @@ sections: Policy: Allow installation of devices using drivers that match these device setup classes - `{71a27cdd-812a-11d0-bec7-08002be2092f}` + - question: | + I'm encountering TCP fragmentation issues, and cannot enable my VPN connection. How do I fix this? + answer: | + WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps: + + 1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`. + + 2. Reboot the device. + + additionalContent: | ## See also diff --git a/windows/security/threat-protection/msft-security-dev-lifecycle.md b/windows/security/threat-protection/msft-security-dev-lifecycle.md new file mode 100644 index 0000000000..c16994d574 --- /dev/null +++ b/windows/security/threat-protection/msft-security-dev-lifecycle.md @@ -0,0 +1,31 @@ +--- +title: Microsoft Security Development Lifecycle +description: Download the Microsoft Security Development Lifecycle white paper which covers a security assurance process focused on software development. +ms.prod: m365-security +audience: ITPro +author: dansimp +ms.author: dansimp +manager: dansimp +ms.collection: M365-identity-device-management +ms.topic: article +ms.localizationpriority: medium +ms.reviewer: +ms.technology: other +--- + +# Microsoft Security Development Lifecycle + +The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. As a Microsoft-wide initiative and a mandatory policy since 2004, the SDL has played a critical role in embedding security and privacy in software and culture at Microsoft. + +[:::image type="content" source="images/simplified-sdl.png" alt-text="Simplified secure development lifecycle":::](https://www.microsoft.com/en-us/securityengineering/sdl) + +Combining a holistic and practical approach, the SDL aims to reduce the number and severity of vulnerabilities in software. The SDL introduces security and privacy throughout all phases of the development process. + +The Microsoft SDL is based on three core concepts: +- Education +- Continuous process improvement +- Accountability + +To learn more about the SDL, visit the [Security Engineering site](https://www.microsoft.com/en-us/securityengineering/sdl). + +And, download the [Simplified Implementation of the Microsoft SDL whitepaper](https://go.microsoft.com/?linkid=9708425). \ No newline at end of file diff --git a/windows/security/threat-protection/security-policy-settings/TOC.yml b/windows/security/threat-protection/security-policy-settings/TOC.yml new file mode 100644 index 0000000000..1ddc477ef1 --- /dev/null +++ b/windows/security/threat-protection/security-policy-settings/TOC.yml @@ -0,0 +1,351 @@ + - name: Security policy settings + href: security-policy-settings.md + items: + - name: Administer security policy settings + href: administer-security-policy-settings.md + items: + - name: Network List Manager policies + href: network-list-manager-policies.md + - name: Configure security policy settings + href: how-to-configure-security-policy-settings.md + - name: Security policy settings reference + href: security-policy-settings-reference.md + items: + - name: Account Policies + href: account-policies.md + items: + - name: Password Policy + href: password-policy.md + items: + - name: Enforce password history + href: enforce-password-history.md + - name: Maximum password age + href: maximum-password-age.md + - name: Minimum password age + href: minimum-password-age.md + - name: Minimum password length + href: minimum-password-length.md + - name: Password must meet complexity requirements + href: password-must-meet-complexity-requirements.md + - name: Store passwords using reversible encryption + href: store-passwords-using-reversible-encryption.md + - name: Account Lockout Policy + href: account-lockout-policy.md + items: + - name: Account lockout duration + href: account-lockout-duration.md + - name: Account lockout threshold + href: account-lockout-threshold.md + - name: Reset account lockout counter after + href: reset-account-lockout-counter-after.md + - name: Kerberos Policy + href: kerberos-policy.md + items: + - name: Enforce user logon restrictions + href: enforce-user-logon-restrictions.md + - name: Maximum lifetime for service ticket + href: maximum-lifetime-for-service-ticket.md + - name: Maximum lifetime for user ticket + href: maximum-lifetime-for-user-ticket.md + - name: Maximum lifetime for user ticket renewal + href: maximum-lifetime-for-user-ticket-renewal.md + - name: Maximum tolerance for computer clock synchronization + href: maximum-tolerance-for-computer-clock-synchronization.md + - name: Audit Policy + href: audit-policy.md + - name: Security Options + href: security-options.md + items: + - name: "Accounts: Administrator account status" + href: accounts-administrator-account-status.md + - name: "Accounts: Block Microsoft accounts" + href: accounts-block-microsoft-accounts.md + - name: "Accounts: Guest account status" + href: accounts-guest-account-status.md + - name: "Accounts: Limit local account use of blank passwords to console logon only" + href: accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only.md + - name: "Accounts: Rename administrator account" + href: accounts-rename-administrator-account.md + - name: "Accounts: Rename guest account" + href: accounts-rename-guest-account.md + - name: "Audit: Audit the access of global system objects" + href: audit-audit-the-access-of-global-system-objects.md + - name: "Audit: Audit the use of Backup and Restore privilege" + href: audit-audit-the-use-of-backup-and-restore-privilege.md + - name: "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" + href: audit-force-audit-policy-subcategory-settings-to-override.md + - name: "Audit: Shut down system immediately if unable to log security audits" + href: audit-shut-down-system-immediately-if-unable-to-log-security-audits.md + - name: "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: dcom-machine-access-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax" + href: dcom-machine-launch-restrictions-in-security-descriptor-definition-language-sddl-syntax.md + - name: "Devices: Allow undock without having to log on" + href: devices-allow-undock-without-having-to-log-on.md + - name: "Devices: Allowed to format and eject removable media" + href: devices-allowed-to-format-and-eject-removable-media.md + - name: "Devices: Prevent users from installing printer drivers" + href: devices-prevent-users-from-installing-printer-drivers.md + - name: "Devices: Restrict CD-ROM access to locally logged-on user only" + href: devices-restrict-cd-rom-access-to-locally-logged-on-user-only.md + - name: "Devices: Restrict floppy access to locally logged-on user only" + href: devices-restrict-floppy-access-to-locally-logged-on-user-only.md + - name: "Domain controller: Allow server operators to schedule tasks" + href: domain-controller-allow-server-operators-to-schedule-tasks.md + - name: "Domain controller: LDAP server signing requirements" + href: domain-controller-ldap-server-signing-requirements.md + - name: "Domain controller: Refuse machine account password changes" + href: domain-controller-refuse-machine-account-password-changes.md + - name: "Domain member: Digitally encrypt or sign secure channel data (always)" + href: domain-member-digitally-encrypt-or-sign-secure-channel-data-always.md + - name: "Domain member: Digitally encrypt secure channel data (when possible)" + href: domain-member-digitally-encrypt-secure-channel-data-when-possible.md + - name: "Domain member: Digitally sign secure channel data (when possible)" + href: domain-member-digitally-sign-secure-channel-data-when-possible.md + - name: "Domain member: Disable machine account password changes" + href: domain-member-disable-machine-account-password-changes.md + - name: "Domain member: Maximum machine account password age" + href: domain-member-maximum-machine-account-password-age.md + - name: "Domain member: Require strong (Windows 2000 or later) session key" + href: domain-member-require-strong-windows-2000-or-later-session-key.md + - name: "Interactive logon: Display user information when the session is locked" + href: interactive-logon-display-user-information-when-the-session-is-locked.md + - name: "Interactive logon: Don't display last signed-in" + href: interactive-logon-do-not-display-last-user-name.md + - name: "Interactive logon: Don't display username at sign-in" + href: interactive-logon-dont-display-username-at-sign-in.md + - name: "Interactive logon: Do not require CTRL+ALT+DEL" + href: interactive-logon-do-not-require-ctrl-alt-del.md + - name: "Interactive logon: Machine account lockout threshold" + href: interactive-logon-machine-account-lockout-threshold.md + - name: "Interactive logon: Machine inactivity limit" + href: interactive-logon-machine-inactivity-limit.md + - name: "Interactive logon: Message text for users attempting to log on" + href: interactive-logon-message-text-for-users-attempting-to-log-on.md + - name: "Interactive logon: Message title for users attempting to log on" + href: interactive-logon-message-title-for-users-attempting-to-log-on.md + - name: "Interactive logon: Number of previous logons to cache (in case domain controller is not available)" + href: interactive-logon-number-of-previous-logons-to-cache-in-case-domain-controller-is-not-available.md + - name: "Interactive logon: Prompt user to change password before expiration" + href: interactive-logon-prompt-user-to-change-password-before-expiration.md + - name: "Interactive logon: Require Domain Controller authentication to unlock workstation" + href: interactive-logon-require-domain-controller-authentication-to-unlock-workstation.md + - name: "Interactive logon: Require smart card" + href: interactive-logon-require-smart-card.md + - name: "Interactive logon: Smart card removal behavior" + href: interactive-logon-smart-card-removal-behavior.md + - name: "Microsoft network client: Digitally sign communications (always)" + href: microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (always)" + href: smbv1-microsoft-network-client-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network client: Digitally sign communications (if server agrees)" + href: smbv1-microsoft-network-client-digitally-sign-communications-if-server-agrees.md + - name: "Microsoft network client: Send unencrypted password to third-party SMB servers" + href: microsoft-network-client-send-unencrypted-password-to-third-party-smb-servers.md + - name: "Microsoft network server: Amount of idle time required before suspending session" + href: microsoft-network-server-amount-of-idle-time-required-before-suspending-session.md + - name: "Microsoft network server: Attempt S4U2Self to obtain claim information" + href: microsoft-network-server-attempt-s4u2self-to-obtain-claim-information.md + - name: "Microsoft network server: Digitally sign communications (always)" + href: microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (always)" + href: smbv1-microsoft-network-server-digitally-sign-communications-always.md + - name: "SMBv1 Microsoft network server: Digitally sign communications (if client agrees)" + href: smbv1-microsoft-network-server-digitally-sign-communications-if-client-agrees.md + - name: "Microsoft network server: Disconnect clients when logon hours expire" + href: microsoft-network-server-disconnect-clients-when-logon-hours-expire.md + - name: "Microsoft network server: Server SPN target name validation level" + href: microsoft-network-server-server-spn-target-name-validation-level.md + - name: "Network access: Allow anonymous SID/Name translation" + href: network-access-allow-anonymous-sidname-translation.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts.md + - name: "Network access: Do not allow anonymous enumeration of SAM accounts and shares" + href: network-access-do-not-allow-anonymous-enumeration-of-sam-accounts-and-shares.md + - name: "Network access: Do not allow storage of passwords and credentials for network authentication" + href: network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication.md + - name: "Network access: Let Everyone permissions apply to anonymous users" + href: network-access-let-everyone-permissions-apply-to-anonymous-users.md + - name: "Network access: Named Pipes that can be accessed anonymously" + href: network-access-named-pipes-that-can-be-accessed-anonymously.md + - name: "Network access: Remotely accessible registry paths" + href: network-access-remotely-accessible-registry-paths.md + - name: "Network access: Remotely accessible registry paths and subpaths" + href: network-access-remotely-accessible-registry-paths-and-subpaths.md + - name: "Network access: Restrict anonymous access to Named Pipes and Shares" + href: network-access-restrict-anonymous-access-to-named-pipes-and-shares.md + - name: "Network access: Restrict clients allowed to make remote calls to SAM" + href: network-access-restrict-clients-allowed-to-make-remote-sam-calls.md + - name: "Network access: Shares that can be accessed anonymously" + href: network-access-shares-that-can-be-accessed-anonymously.md + - name: "Network access: Sharing and security model for local accounts" + href: network-access-sharing-and-security-model-for-local-accounts.md + - name: "Network security: Allow Local System to use computer identity for NTLM" + href: network-security-allow-local-system-to-use-computer-identity-for-ntlm.md + - name: "Network security: Allow LocalSystem NULL session fallback" + href: network-security-allow-localsystem-null-session-fallback.md + - name: "Network security: Allow PKU2U authentication requests to this computer to use online identities" + href: network-security-allow-pku2u-authentication-requests-to-this-computer-to-use-online-identities.md + - name: "Network security: Configure encryption types allowed for Kerberos" + href: network-security-configure-encryption-types-allowed-for-kerberos.md + - name: "Network security: Do not store LAN Manager hash value on next password change" + href: network-security-do-not-store-lan-manager-hash-value-on-next-password-change.md + - name: "Network security: Force logoff when logon hours expire" + href: network-security-force-logoff-when-logon-hours-expire.md + - name: "Network security: LAN Manager authentication level" + href: network-security-lan-manager-authentication-level.md + - name: "Network security: LDAP client signing requirements" + href: network-security-ldap-client-signing-requirements.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-clients.md + - name: "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" + href: network-security-minimum-session-security-for-ntlm-ssp-based-including-secure-rpc-servers.md + - name: "Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication" + href: network-security-restrict-ntlm-add-remote-server-exceptions-for-ntlm-authentication.md + - name: "Network security: Restrict NTLM: Add server exceptions in this domain" + href: network-security-restrict-ntlm-add-server-exceptions-in-this-domain.md + - name: "Network security: Restrict NTLM: Audit incoming NTLM traffic" + href: network-security-restrict-ntlm-audit-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: Audit NTLM authentication in this domain" + href: network-security-restrict-ntlm-audit-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Incoming NTLM traffic" + href: network-security-restrict-ntlm-incoming-ntlm-traffic.md + - name: "Network security: Restrict NTLM: NTLM authentication in this domain" + href: network-security-restrict-ntlm-ntlm-authentication-in-this-domain.md + - name: "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" + href: network-security-restrict-ntlm-outgoing-ntlm-traffic-to-remote-servers.md + - name: "Recovery console: Allow automatic administrative logon" + href: recovery-console-allow-automatic-administrative-logon.md + - name: "Recovery console: Allow floppy copy and access to all drives and folders" + href: recovery-console-allow-floppy-copy-and-access-to-all-drives-and-folders.md + - name: "Shutdown: Allow system to be shut down without having to log on" + href: shutdown-allow-system-to-be-shut-down-without-having-to-log-on.md + - name: "Shutdown: Clear virtual memory pagefile" + href: shutdown-clear-virtual-memory-pagefile.md + - name: "System cryptography: Force strong key protection for user keys stored on the computer" + href: system-cryptography-force-strong-key-protection-for-user-keys-stored-on-the-computer.md + - name: "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" + href: system-cryptography-use-fips-compliant-algorithms-for-encryption-hashing-and-signing.md + - name: "System objects: Require case insensitivity for non-Windows subsystems" + href: system-objects-require-case-insensitivity-for-non-windows-subsystems.md + - name: "System objects: Strengthen default permissions of internal system objects (Symbolic Links)" + href: system-objects-strengthen-default-permissions-of-internal-system-objects.md + - name: "System settings: Optional subsystems" + href: system-settings-optional-subsystems.md + - name: "System settings: Use certificate rules on Windows executables for Software Restriction Policies" + href: system-settings-use-certificate-rules-on-windows-executables-for-software-restriction-policies.md + - name: "User Account Control: Admin Approval Mode for the Built-in Administrator account" + href: user-account-control-admin-approval-mode-for-the-built-in-administrator-account.md + - name: "User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop" + href: user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop.md + - name: "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" + href: user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode.md + - name: "User Account Control: Behavior of the elevation prompt for standard users" + href: user-account-control-behavior-of-the-elevation-prompt-for-standard-users.md + - name: "User Account Control: Detect application installations and prompt for elevation" + href: user-account-control-detect-application-installations-and-prompt-for-elevation.md + - name: "User Account Control: Only elevate executables that are signed and validated" + href: user-account-control-only-elevate-executables-that-are-signed-and-validated.md + - name: "User Account Control: Only elevate UIAccess applications that are installed in secure locations" + href: user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations.md + - name: "User Account Control: Run all administrators in Admin Approval Mode" + href: user-account-control-run-all-administrators-in-admin-approval-mode.md + - name: "User Account Control: Switch to the secure desktop when prompting for elevation" + href: user-account-control-switch-to-the-secure-desktop-when-prompting-for-elevation.md + - name: "User Account Control: Virtualize file and registry write failures to per-user locations" + href: user-account-control-virtualize-file-and-registry-write-failures-to-per-user-locations.md + - name: Advanced security audit policy settings + href: secpol-advanced-security-audit-policy-settings.md + - name: User Rights Assignment + href: user-rights-assignment.md + items: + - name: Access Credential Manager as a trusted caller + href: access-credential-manager-as-a-trusted-caller.md + - name: Access this computer from the network + href: access-this-computer-from-the-network.md + - name: Act as part of the operating system + href: act-as-part-of-the-operating-system.md + - name: Add workstations to domain + href: add-workstations-to-domain.md + - name: Adjust memory quotas for a process + href: adjust-memory-quotas-for-a-process.md + - name: Allow log on locally + href: allow-log-on-locally.md + - name: Allow log on through Remote Desktop Services + href: allow-log-on-through-remote-desktop-services.md + - name: Back up files and directories + href: back-up-files-and-directories.md + - name: Bypass traverse checking + href: bypass-traverse-checking.md + - name: Change the system time + href: change-the-system-time.md + - name: Change the time zone + href: change-the-time-zone.md + - name: Create a pagefile + href: create-a-pagefile.md + - name: Create a token object + href: create-a-token-object.md + - name: Create global objects + href: create-global-objects.md + - name: Create permanent shared objects + href: create-permanent-shared-objects.md + - name: Create symbolic links + href: create-symbolic-links.md + - name: Debug programs + href: debug-programs.md + - name: Deny access to this computer from the network + href: deny-access-to-this-computer-from-the-network.md + - name: Deny log on as a batch job + href: deny-log-on-as-a-batch-job.md + - name: Deny log on as a service + href: deny-log-on-as-a-service.md + - name: Deny log on locally + href: deny-log-on-locally.md + - name: Deny log on through Remote Desktop Services + href: deny-log-on-through-remote-desktop-services.md + - name: Enable computer and user accounts to be trusted for delegation + href: enable-computer-and-user-accounts-to-be-trusted-for-delegation.md + - name: Force shutdown from a remote system + href: force-shutdown-from-a-remote-system.md + - name: Generate security audits + href: generate-security-audits.md + - name: Impersonate a client after authentication + href: impersonate-a-client-after-authentication.md + - name: Increase a process working set + href: increase-a-process-working-set.md + - name: Increase scheduling priority + href: increase-scheduling-priority.md + - name: Load and unload device drivers + href: load-and-unload-device-drivers.md + - name: Lock pages in memory + href: lock-pages-in-memory.md + - name: Log on as a batch job + href: log-on-as-a-batch-job.md + - name: Log on as a service + href: log-on-as-a-service.md + - name: Manage auditing and security log + href: manage-auditing-and-security-log.md + - name: Modify an object label + href: modify-an-object-label.md + - name: Modify firmware environment values + href: modify-firmware-environment-values.md + - name: Perform volume maintenance tasks + href: perform-volume-maintenance-tasks.md + - name: Profile single process + href: profile-single-process.md + - name: Profile system performance + href: profile-system-performance.md + - name: Remove computer from docking station + href: remove-computer-from-docking-station.md + - name: Replace a process level token + href: replace-a-process-level-token.md + - name: Restore files and directories + href: restore-files-and-directories.md + - name: Shut down the system + href: shut-down-the-system.md + - name: Synchronize directory service data + href: synchronize-directory-service-data.md + - name: Take ownership of files or other objects + href: take-ownership-of-files-or-other-objects.md + - name: Windows security + href: /windows/security/ \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md index 9c23deaecd..1fd7837df9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md +++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows 11 >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows in S mode devices. diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/TOC.yml index 2a9d13497a..6e2bbdd64b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/TOC.yml +++ b/windows/security/threat-protection/windows-defender-application-control/TOC.yml @@ -1,5 +1,8 @@ - name: Application Control for Windows + href: index.yml +- name: About application control for Windows href: windows-defender-application-control.md + expanded: true items: - name: WDAC and AppLocker Overview href: wdac-and-applocker-overview.md @@ -292,3 +295,6 @@ href: applocker\using-event-viewer-with-applocker.md - name: AppLocker Settings href: applocker\applocker-settings.md +- name: Windows security + href: /windows/security/ + diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index 5d98c29cbb..f200b445bc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows Server 2016 and later > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml deleted file mode 100644 index b796c0e95e..0000000000 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.yml +++ /dev/null @@ -1,186 +0,0 @@ -- name: AppLocker - href: applocker-overview.md - items: - - name: Administer AppLocker - href: administer-applocker.md - items: - - name: Maintain AppLocker policies - href: maintain-applocker-policies.md - - name: Edit an AppLocker policy - href: edit-an-applocker-policy.md - - name: Test and update an AppLocker policy - href: test-and-update-an-applocker-policy.md - - name: Deploy AppLocker policies by using the enforce rules setting - href: deploy-applocker-policies-by-using-the-enforce-rules-setting.md - - name: Use the AppLocker Windows PowerShell cmdlets - href: use-the-applocker-windows-powershell-cmdlets.md - - name: Use AppLocker and Software Restriction Policies in the same domain - href: use-applocker-and-software-restriction-policies-in-the-same-domain.md - - name: Optimize AppLocker performance - href: optimize-applocker-performance.md - - name: Monitor app usage with AppLocker - href: monitor-application-usage-with-applocker.md - - name: Manage packaged apps with AppLocker - href: manage-packaged-apps-with-applocker.md - - name: Working with AppLocker rules - href: working-with-applocker-rules.md - items: - - name: Create a rule that uses a file hash condition - href: create-a-rule-that-uses-a-file-hash-condition.md - - name: Create a rule that uses a path condition - href: create-a-rule-that-uses-a-path-condition.md - - name: Create a rule that uses a publisher condition - href: create-a-rule-that-uses-a-publisher-condition.md - - name: Create AppLocker default rules - href: create-applocker-default-rules.md - - name: Add exceptions for an AppLocker rule - href: configure-exceptions-for-an-applocker-rule.md - - name: Create a rule for packaged apps - href: create-a-rule-for-packaged-apps.md - - name: Delete an AppLocker rule - href: delete-an-applocker-rule.md - - name: Edit AppLocker rules - href: edit-applocker-rules.md - - name: Enable the DLL rule collection - href: enable-the-dll-rule-collection.md - - name: Enforce AppLocker rules - href: enforce-applocker-rules.md - - name: Run the Automatically Generate Rules wizard - href: run-the-automatically-generate-rules-wizard.md - - name: Working with AppLocker policies - href: working-with-applocker-policies.md - items: - - name: Configure the Application Identity service - href: configure-the-application-identity-service.md - - name: Configure an AppLocker policy for audit only - href: configure-an-applocker-policy-for-audit-only.md - - name: Configure an AppLocker policy for enforce rules - href: configure-an-applocker-policy-for-enforce-rules.md - - name: Display a custom URL message when users try to run a blocked app - href: display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md - - name: Export an AppLocker policy from a GPO - href: export-an-applocker-policy-from-a-gpo.md - - name: Export an AppLocker policy to an XML file - href: export-an-applocker-policy-to-an-xml-file.md - - name: Import an AppLocker policy from another computer - href: import-an-applocker-policy-from-another-computer.md - - name: Import an AppLocker policy into a GPO - href: import-an-applocker-policy-into-a-gpo.md - - name: Add rules for packaged apps to existing AppLocker rule-set - href: add-rules-for-packaged-apps-to-existing-applocker-rule-set.md - - name: Merge AppLocker policies by using Set-ApplockerPolicy - href: merge-applocker-policies-by-using-set-applockerpolicy.md - - name: Merge AppLocker policies manually - href: merge-applocker-policies-manually.md - - name: Refresh an AppLocker policy - href: refresh-an-applocker-policy.md - - name: Test an AppLocker policy by using Test-AppLockerPolicy - href: test-an-applocker-policy-by-using-test-applockerpolicy.md - - name: AppLocker design guide - href: applocker-policies-design-guide.md - items: - - name: Understand AppLocker policy design decisions - href: understand-applocker-policy-design-decisions.md - - name: Determine your application control objectives - href: determine-your-application-control-objectives.md - - name: Create a list of apps deployed to each business group - href: create-list-of-applications-deployed-to-each-business-group.md - items: - - name: Document your app list - href: document-your-application-list.md - - name: Select the types of rules to create - href: select-types-of-rules-to-create.md - items: - - name: Document your AppLocker rules - href: document-your-applocker-rules.md - - name: Determine the Group Policy structure and rule enforcement - href: determine-group-policy-structure-and-rule-enforcement.md - items: - - name: Understand AppLocker enforcement settings - href: understand-applocker-enforcement-settings.md - - name: Understand AppLocker rules and enforcement setting inheritance in Group Policy - href: understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md - - name: Document the Group Policy structure and AppLocker rule enforcement - href: document-group-policy-structure-and-applocker-rule-enforcement.md - - name: Plan for AppLocker policy management - href: plan-for-applocker-policy-management.md - - name: AppLocker deployment guide - href: applocker-policies-deployment-guide.md - items: - - name: Understand the AppLocker policy deployment process - href: understand-the-applocker-policy-deployment-process.md - - name: Requirements for Deploying AppLocker Policies - href: requirements-for-deploying-applocker-policies.md - - name: Use Software Restriction Policies and AppLocker policies - href: using-software-restriction-policies-and-applocker-policies.md - - name: Create Your AppLocker policies - href: create-your-applocker-policies.md - items: - - name: Create Your AppLocker rules - href: create-your-applocker-rules.md - - name: Deploy the AppLocker policy into production - href: deploy-the-applocker-policy-into-production.md - items: - - name: Use a reference device to create and maintain AppLocker policies - href: use-a-reference-computer-to-create-and-maintain-applocker-policies.md - - name: Determine which apps are digitally signed on a reference device - href: determine-which-applications-are-digitally-signed-on-a-reference-computer.md - - name: Configure the AppLocker reference device - href: configure-the-appLocker-reference-device.md - - name: AppLocker technical reference - href: applocker-technical-reference.md - items: - - name: What Is AppLocker? - href: what-is-applocker.md - - name: Requirements to use AppLocker - href: requirements-to-use-applocker.md - - name: AppLocker policy use scenarios - href: applocker-policy-use-scenarios.md - - name: How AppLocker works - href: how-applocker-works-techref.md - items: - - name: Understanding AppLocker rule behavior - href: understanding-applocker-rule-behavior.md - - name: Understanding AppLocker rule exceptions - href: understanding-applocker-rule-exceptions.md - - name: Understanding AppLocker rule collections - href: understanding-applocker-rule-collections.md - - name: Understanding AppLocker allow and deny actions on rules - href: understanding-applocker-allow-and-deny-actions-on-rules.md - - name: Understanding AppLocker rule condition types - href: understanding-applocker-rule-condition-types.md - items: - - name: Understanding the publisher rule condition in AppLocker - href: understanding-the-publisher-rule-condition-in-applocker.md - - name: Understanding the path rule condition in AppLocker - href: understanding-the-path-rule-condition-in-applocker.md - - name: Understanding the file hash rule condition in AppLocker - href: understanding-the-file-hash-rule-condition-in-applocker.md - - name: Understanding AppLocker default rules - href: understanding-applocker-default-rules.md - items: - - name: Executable rules in AppLocker - href: executable-rules-in-applocker.md - - name: Windows Installer rules in AppLocker - href: windows-installer-rules-in-applocker.md - - name: Script rules in AppLocker - href: script-rules-in-applocker.md - - name: DLL rules in AppLocker - href: dll-rules-in-applocker.md - - name: Packaged apps and packaged app installer rules in AppLocker - href: packaged-apps-and-packaged-app-installer-rules-in-applocker.md - - name: AppLocker architecture and components - href: applocker-architecture-and-components.md - - name: AppLocker processes and interactions - href: applocker-processes-and-interactions.md - - name: AppLocker functions - href: applocker-functions.md - - name: Security considerations for AppLocker - href: security-considerations-for-applocker.md - - name: Tools to Use with AppLocker - href: tools-to-use-with-applocker.md - items: - - name: Using Event Viewer with AppLocker - href: using-event-viewer-with-applocker.md - - name: AppLocker Settings - href: applocker-settings.md diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md index 9036f3e4c1..727135ff89 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to update your existing AppLocker policies for packaged apps using the Remote Server Administration Toolkit (RSAT). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md index 7f2698f4c6..9838e069b1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to specific procedures to use when administering AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md index 44cb55c39e..f11b29225e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes AppLocker’s basic architecture and its major components. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md index c6b0e3ecf4..a095a49531 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for the IT professional lists the functions and security levels for the Software Restriction Policies (SRP) and AppLocker features. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md index 93a162dc9a..45cbf5c074 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic provides a description of AppLocker and can help you decide if your organization can benefit from deploying AppLocker application control policies. AppLocker helps you control which apps and files users can run. These include executable files, scripts, Windows Installer files, dynamic-link libraries (DLLs), packaged apps, and packaged app installers. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md index 86a8829b86..d5c03fc57e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals introduces the concepts and describes the steps required to deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md index a7d286ac77..d0df809923 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional introduces the design and planning steps required to deploy application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md index 9afaf76dd4..1314f32db2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the various application control scenarios in which AppLocker policies can be effectively implemented. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md index 72c593b20b..ccb2db435b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the process dependencies and interactions when AppLocker evaluates and enforces rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md index e6ffbc2ba9..504b6ddc8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the settings used by AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md index 49e952d360..72e525eb33 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for IT professionals provides links to the topics in the technical reference. AppLocker advances the application control features and functionality of Software Restriction Policies. AppLocker contains new capabilities and extensions that allow you to create rules to allow or deny apps from running based on unique identities of files and to specify which users or groups can run those apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md index 44e68d79c2..0c75f461a6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to set AppLocker policies to **Audit only** within your IT environment by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md index e59657993f..411f862d54 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to enable the AppLocker policy enforcement setting. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md index a018cafadb..f349cab5c6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to specify which apps can or cannot run as exceptions to an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md index e836660931..1f654436af 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create an AppLocker policy platform structure on a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md index 0501a133b2..37736b98e8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to configure the Application Identity service to start automatically or manually. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md index eecd667d2b..6a921a1a9f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for IT professionals shows how to create an AppLocker rule for packaged apps with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md index 141694e9b1..ae414198e7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a file hash condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md index 3efd61d7e9..305a8f1f28 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a path condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md index 8554f3c9f2..e54c7be041 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals shows how to create an AppLocker rule with a publisher condition. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md index 1b41d7d17d..7d5cb87442 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to create a standard set of AppLocker rules that will allow Windows system files to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md index 61d80caa45..ca15623e30 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md index a4dd6d3cbb..3a1109a239 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic for the IT professional describes the steps to create an AppLocker policy and prepare it for deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md index 49afa8e599..bbf2bbc5f2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what you need to know about AppLocker rules and the methods that you can to create rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md index d99290ca20..a76438913f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article for IT professionals describes the steps to delete an AppLocker rule. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md index 4eacf25176..bd37f7dbd6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to deploy AppLocker policies by using the enforcement setting method. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md index 1cef053c49..801357a512 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the tasks that should be completed before you deploy AppLocker application control settings. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md index 4e97c71abe..56fabec7f0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This overview topic describes the process to follow when you are planning to deploy AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md index cd61c3ae04..0f79249eb4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use AppLocker logs and tools to determine which applications are digitally signed. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md index 90e037220c..f1a3d2fdb0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md index 0337e87f46..33e52bdb43 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps for displaying a customized message to users when an AppLocker policy denies access to an app. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md index f547e9a47c..90d0e55f8b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the DLL rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md index 94b76c08b1..28c6e63bf2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning topic describes what you need to investigate, determine, and record in your application control policies plan when you use AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md index abace52005..19976bf113 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning topic describes the app information that you should document when you create a list of apps for AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md index 61e0ea6cd7..d456dd6197 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes what AppLocker rule conditions to associate with each file, how to associate these rule conditions, the source of the rule, and whether the file should be included or excluded. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md index d9503e8a00..d3e0de4082 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps required to modify an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md index ae57316f95..4a6c308d6c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to edit a publisher rule, path rule, and file hash rule in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md index a7127c01e3..a4fda0421a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to enable the DLL rule collection feature for AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md index d5af5704b4..d5979bfac8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to enforce application control rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md index 4a08f289bb..6737670f69 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the executable rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md index 6a31ee8659..8069b0c488 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy from a Group Policy Object (GPO) so that it can be modified. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md index b31a06093c..13a340752a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to export an AppLocker policy to an XML file for review or testing. Membership in the local **Administrators** group, or equivalent, is the minimum required to complete this procedure. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md index a69c492e7b..f2f21ec59a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional provides links to topics about AppLocker architecture and components, processes and interactions, rules and policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md index ee2571025c..2ca831ad61 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to import an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md index a1f2c8e829..ea0d11ab6b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to import an AppLocker policy into a Group Policy Object (GPO). AppLocker policies can be created as local security policies and modified like any other local security policy, or they can be created as part of a GPO and managed by using Group Policy. You can create AppLocker policies on any supported computer. For info about which Windows editions are supported, see [Requirements to Use AppLocker](requirements-to-use-applocker.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md index 495e5578cb..fbd1e8bf5b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md @@ -26,7 +26,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to maintain rules within AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md index 963ec6547b..fb2455652e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md index 1034d8e194..a054a02bd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to merge AppLocker policies by using Windows PowerShell. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md index c6beb49771..8e26890ee4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to manually merge AppLocker policies to update the Group Policy Object (GPO). diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md index 15bd4e6197..80d37a8614 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to monitor app usage when AppLocker policies are applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md index 15357f0a4c..bda74906e4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how to optimize AppLocker policy enforcement. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md index 7cd27ec5a6..ca8932c6f8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker rule collection for packaged app installers and packaged apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md index 5a2aab5ef9..58c2a7e1aa 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md index c306fa8809..82a4c1e458 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to force an update for an AppLocker policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md index 3d09d68ef3..229cfda610 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This deployment topic for the IT professional lists the requirements that you need to consider before you deploy AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md index 63b249672d..3c707b81d5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists software requirements to use AppLocker on the supported Windows operating systems. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md index 4c9ff4b21a..f17c70b80d 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes steps to run the wizard to create AppLocker rules on a reference device. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md index 4b4ca99f66..9076c55024 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the script rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md index 006efd19a1..975f550c4a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the security considerations you need to address when implementing AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md index 9dedd807d1..d550e452bd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists resources you can use when selecting your application control policy rules by using AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md index ca0dc2f8e4..d75ba70771 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes the steps to test an AppLocker policy prior to importing it into a Group Policy Object (GPO) or another computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md index 3a42a9d7aa..389120fbf6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic discusses the steps required to test an AppLocker policy prior to deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md index 19eb7cd1d3..a2e61460e0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the tools available to create and administer AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md index 7058ee0c64..e675fb2869 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the AppLocker enforcement settings for rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md index ccdfd461a6..423a4d1362 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using AppLocker within a Windows operating system environment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md index 5803246cf1..92387a5fd9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how application control policies configured in AppLocker are applied through Group Policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md index 23383522f6..799df0904c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This planning and deployment topic for the IT professional describes the process for using AppLocker when deploying application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md index 319498a599..73277f9b7e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the differences between allow and deny actions on AppLocker rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md index 7a33f4dde5..5bf6447ed9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professional describes the set of rules that can be used to ensure that required Windows system files are allowed to run when the policy is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md index 92f40c3d8c..cace268255 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how AppLocker rules are enforced by using the allow and deny options in AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md index e8cf87080b..70106f07bf 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the five different types of AppLocker rules used to enforce AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md index 80ce31b642..5e0876bc46 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the three types of AppLocker rule conditions. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md index c4cf8ac3ea..a83a41aef9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the result of applying AppLocker rule exceptions to rule collections. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md index 1bb2c999af..62751a55dd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker file hash rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md index e8856ed8ee..365ad545e5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker path rule condition, the advantages and disadvantages, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md index 8dade37801..6c68cb3be5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic explains the AppLocker publisher rule condition, what controls are available, and how it is applied. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md index a283a7ab4f..9a97cd9a36 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes the steps to create and maintain AppLocker policies by using a reference computer. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md index 6dcd91c001..41241819f1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes concepts and procedures to help you manage your application control strategy using Software Restriction Policies and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md index ce28a56e21..a27af3c553 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes how each AppLocker Windows PowerShell cmdlet can help you administer your AppLocker application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md index 3015885de1..d0a93e2296 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic lists AppLocker events and describes how to use Event Viewer with AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md index 79b2485918..142eeb4cf9 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes how to use Software Restriction Policies (SRP) and AppLocker policies in the same Windows deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md index b65a70c0fe..2bb5d4a07b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for the IT professional describes what AppLocker is and how its features differ from Software Restriction Policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md index 0975dd70c7..c5a2d513e3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes the file formats and available default rules for the Windows Installer rule collection. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md index e4c6caae70..6e13cbce6e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals provides links to procedural topics about creating, maintaining, and testing AppLocker policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md index 74ce2ea9d8..f05e000e74 100644 --- a/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md @@ -25,7 +25,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic for IT professionals describes AppLocker rule types and how to work with them for your application control policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md index 671bd29bf1..62270b6e8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md index 706f2e6d6a..0ca71721d8 100644 --- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included. diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md index de7ad4786a..60c185ab34 100644 --- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md +++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2019 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). ## Using fsutil to query SmartLocker EA diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md index 761ea31822..7f12604edc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md index 40ab4ad3bd..4d96dd5039 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md index 0037968837..ae19d1e80f 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access. diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md index 76199f55b5..98d4991e37 100644 --- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This section outlines the process to create a WDAC policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md index bdb0bb25f6..fbe13edbe5 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 9ea7cc663a..96abd74691 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Prior to Windows 10 1903, WDAC only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios: diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md index dea3b62b33..8482f5f1c0 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). > [!NOTE] > Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment. diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md index 29fbbe9431..7b44dba695 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md index 3dcca008bc..b8900a28dc 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-memcm.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). You can use Microsoft Endpoint Configuration Manager (MEMCM) to configure Windows Defender Application Control (WDAC) on client machines. diff --git a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md index 2212ae92fb..67dadf4ccd 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md +++ b/windows/security/threat-protection/windows-defender-application-control/deployment/deploy-wdac-policies-with-script.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic describes how to deploy Windows Defender Application Control (WDAC) policies using script. The instructions below use PowerShell but can work with any scripting host. diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md index ad706276ac..bff322daff 100644 --- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic covers how to disable unsigned or signed WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md index 5dd1fd73f9..685ffd83a1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You should now have one or more WDAC policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode. diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md index 4e249a4f50..b12655562e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service. diff --git a/windows/security/threat-protection/windows-defender-application-control/index.yml b/windows/security/threat-protection/windows-defender-application-control/index.yml new file mode 100644 index 0000000000..ef5892459f --- /dev/null +++ b/windows/security/threat-protection/windows-defender-application-control/index.yml @@ -0,0 +1,117 @@ +### YamlMime:Landing + +title: Application Control for Windows +metadata: + title: Application Control for Windows + description: Landing page for Windows Defender Application Control +# services: service +# ms.service: microsoft-WDAC-AppLocker +# ms.subservice: Application-Control +# ms.topic: landing-page +# author: Kim Klein +# ms.author: Jordan Geurten +# manager: Jeffrey Sutherland +# ms.update: 04/30/2021 +# linkListType: overview | how-to-guide | tutorial | video +landingContent: +# Cards and links should be based on top customer tasks or top subjects +# Start card title with a verb + # Card + - title: Learn about Application Control + linkLists: + - linkListType: overview + links: + - text: What is Windows Defender Application Control (WDAC)? + url: wdac-and-applocker-overview.md + - text: What is AppLocker? + url: applocker\applocker-overview.md + - text: WDAC and AppLocker feature availability + url: feature-availability.md + # Card + - title: Learn about Policy Design + linkLists: + - linkListType: overview + links: + - text: Using code signing to simplify application control + url: use-code-signing-to-simplify-application-control-for-classic-windows-applications.md + - text: Microsoft's Recommended Blocklist + url: microsoft-recommended-block-rules.md + - text: Microsoft's Recommended Driver Blocklist + url: microsoft-recommended-driver-block-rules.md + - text: Example WDAC policies + url: example-wdac-base-policies.md + - text: LOB Win32 apps on S Mode + url: LOB-win32-apps-on-s.md + - text: Managing multiple policies + url: deploy-multiple-windows-defender-application-control-policies.md + - linkListType: how-to-guide + links: + - text: Create a WDAC policy for a lightly managed device + url: create-wdac-policy-for-lightly-managed-devices.md + - text: Create a WDAC policy for a fully managed device + url: create-wdac-policy-for-fully-managed-devices.md + - text: Create a WDAC policy for a fixed-workload + url: create-initial-default-policy.md + - text: Deploying catalog files for WDAC management + url: deploy-catalog-files-to-support-windows-defender-application-control.md + - text: Using the WDAC Wizard + url: wdac-wizard.md + #- linkListType: Tutorial (videos) + # links: + # - text: Using the WDAC Wizard + # url: video md + # - text: Specifying custom values + # url: video md + # Card + - title: Learn about Policy Configuration + linkLists: + - linkListType: overview + links: + - text: Understanding policy and file rules + url: select-types-of-rules-to-create.md + - linkListType: how-to-guide + links: + - text: Allow managed installer and configure managed installer rules + url: configure-authorized-apps-deployed-with-a-managed-installer.md + - text: Allow reputable apps with ISG + url: use-windows-defender-application-control-with-intelligent-security-graph.md + - text: Managed MSIX and Appx Packaged Apps + url: manage-packaged-apps-with-windows-defender-application-control.md + - text: Allow com object registration + url: allow-com-object-registration-in-windows-defender-application-control-policy.md + - text: Manage plug-ins, add-ins and modules + url: use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md + # Card + - title: Learn how to deploy WDAC Policies + linkLists: + - linkListType: overview + links: + - text: Using signed policies to protect against tampering + url: use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md + - text: Audit and enforce policies + url: audit-and-enforce-windows-defender-application-control-policies.md + - text: Disabling WDAC policies + url: disable-windows-defender-application-control-policies.md + - linkListType: tutorial + links: + - text: Deployment with MDM + url: deploy-windows-defender-application-control-policies-using-intune.md + - text: Deployment with MEMCM + url: deployment/deploy-wdac-policies-with-memcm.md + - text: Deployment with script and refresh policy + url: deployment/deploy-wdac-policies-with-script.md + - text: Deployment with Group Policy + url: deploy-windows-defender-application-control-policies-using-group-policy.md + # Card + - title: Learn how to monitor WDAC events + linkLists: + - linkListType: overview + links: + - text: Understanding event IDs + url: event-id-explanations.md + - text: Understanding event Tags + url: event-tag-explanations.md + - linkListType: how-to-guide + links: + - text: Querying events using advanced hunting + url: querying-application-control-events-centrally-using-advanced-hunting.md \ No newline at end of file diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md index 2d0ccf9451..5939c67fde 100644 --- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy. diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md index f2561cb90c..1c0bf07bd4 100644 --- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md @@ -25,7 +25,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md index d9e8974465..53d81d3ab1 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md @@ -27,7 +27,7 @@ ms.date: 08/23/2021 - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Members of the security community* continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md index 56ff102873..21119863f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md +++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md @@ -26,7 +26,7 @@ ms.date: - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices: diff --git a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md index 3cd76bde2b..015e6b6e50 100644 --- a/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md +++ b/windows/security/threat-protection/windows-defender-application-control/operations/known-issues.md @@ -26,7 +26,7 @@ ms.localizationpriority: medium - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](/windows/security/threat-protection/windows-defender-application-control/feature-availability). This topic covers tips and tricks for admins as well as known issues with WDAC. Test this configuration in your lab before enabling it in production. diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md index 0c319af7e6..bff9aace8e 100644 --- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md +++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md index 403aab58d8..69855b69b3 100644 --- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md +++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above >[!NOTE] ->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted. diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md index a4f3db57bd..024f7881f7 100644 --- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md +++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described. diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md index ce15020a22..e0abed5fef 100644 --- a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md +++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic is for the IT professional and lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md index dae8561c9b..392ab9a072 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This topic covers guidelines for using code signing control classic Windows apps. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md index 73f07b3405..79b9e0a33c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You can sign code integrity policies with the Device Guard signing portal to prevent them from being tampered with after they're deployed. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md index 11d3f0df1e..e2da88bed6 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Signed WDAC policies give organizations the highest level of malware protection available in Windows. In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. These policies are designed to prevent administrative tampering and kernel mode exploit access. With this in mind, it is much more difficult to remove signed WDAC policies. Note that SecureBoot must be enabled in order to restrict users from updating or removing signed WDAC policies. diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md index 22a1c3c03a..5ce6dec509 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser): diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md index 22c3b5e232..d1f5ea9591 100644 --- a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md +++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-intelligent-security-graph.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Application control can be difficult to implement in organizations that don't deploy and manage applications through an IT-managed system. In such environments, users can acquire the applications they want to use for work, making it hard to build an effective application control policy. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md index e8557445d0..37d3a19f84 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-and-applocker-overview.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Windows 10 and Windows 11 include two technologies that can be used for application control, depending on your organization's specific scenarios and requirements: Windows Defender Application Control (WDAC) and AppLocker. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md index b0f068d8b7..eb2d098d4b 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). When creating policies for use with Windows Defender Application Control (WDAC), it is recommended to start with a template policy and then add or remove rules to suit your application control scenario. For this reason, the WDAC Wizard offers three template policies to start from and customize during the base policy creation workflow. Prerequisite information about application control can be accessed through the [WDAC design guide](windows-defender-application-control-design-guide.md). This page outlines the steps to create a new application control policy from a template, configure the policy options, and the signer and file rules. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md index f11d86f9a7..71046d7308 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). Beginning in Windows 10 version 1903, WDAC supports the creation of multiple active policies on a device. One or more supplemental policies allow customers to expand a [WDAC base policy](wdac-wizard-create-base-policy.md) to increase the circle of trust of the policy. A supplemental policy can expand only one base policy, but multiple supplementals can expand the same base policy. When using supplemental policies, applications allowed by the base or its supplemental policy/policies will be allowed to execute. diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md index d696659c2a..754f399a47 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShell cmdlets or manually. The Wizard currently supports the following editing capabilities:
    diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md index 4cdeb72f21..3143fd1d5c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md +++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). The Windows Defender Application Control (WDAC) policy Wizard is an open-source Windows desktop application written in C# and bundled as an MSIX package. The Wizard was built to provide security architects with security, and system administrators with a more user-friendly means to create, edit, and merge WDAC policies. The Wizard desktop application uses the [ConfigCI PowerShell Cmdlets](/powershell/module/configci) in the backend so the output policy of the Wizard and PowerShell cmdlets is identical. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md index 40512b4dda..b3d650b5e2 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). You should now have one or more WDAC policies ready to deploy. If you haven't yet completed the steps described in the [WDAC Design Guide](windows-defender-application-control-design-guide.md), do so now before proceeding. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md index 57db67bee8..6617b5581c 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md index 31c5d1fe8e..8d5d8dda4a 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-operational-guide.md @@ -27,7 +27,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). After designing and deploying your Windows Defender Application Control (WDAC) policies, this guide covers understanding the effects your policies are having and troubleshooting when they are not behaving as expected. It contains information on where to find events and what they mean, and also querying these events with Microsoft Defender for Endpoint Advanced Hunting feature. diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md index abe51d1188..9d17eb7f30 100644 --- a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md +++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md @@ -28,7 +28,7 @@ ms.technology: mde - Windows Server 2016 and above > [!NOTE] -> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md). +> Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Windows Defender Application Control feature availability](feature-availability.md). With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md index ed1a7fe460..203ac733d5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,36 +21,36 @@ ms.technology: mde **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 - -The **Account protection** section contains information and settings for account protection and sign in. IT administrators and IT pros can get more information and documentation about configuration from the following: +The **Account protection** section contains information and settings for account protection and sign-in. You can get more information about these capabilities from the following list: - [Microsoft Account](https://account.microsoft.com/account/faq) - [Windows Hello for Business](../../identity-protection/hello-for-business/hello-identity-verification.md) - [Lock your Windows 10 PC automatically when you step away from it](https://support.microsoft.com/help/4028111/windows-lock-your-windows-10-pc-automatically-when-you-step-away-from) -You can also choose to hide the section from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section. +You can also choose to hide the section from users of the device. This is useful if you don't want your employees to access or view user-configured options for these features. ## Hide the Account protection section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section won't appear on the home page of the Windows Security app, and its icon won't be shown on the navigation bar on the side of the app. -This can only be done in Group Policy. +You can only configure these settings by using Group Policy. >[!IMPORTANT] >### Requirements > >You must have Windows 10, version 1803 or later. The ADMX/ADML template files for earlier versions of Windows do not include these Group Policy settings. -1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and click **Edit**. +1. On your Group Policy management machine, open the [Group Policy Management Console](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc731212(v=ws.11)), right-click the Group Policy Object you want to configure and select **Edit**. -3. In the **Group Policy Management Editor** go to **Computer configuration** and click **Administrative templates**. +3. In the **Group Policy Management Editor** go to **Computer configuration** and select **Administrative templates**. 5. Expand the tree to **Windows components > Windows Security > Account protection**. -6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Click **OK**. +6. Open the **Hide the Account protection area** setting and set it to **Enabled**. Select **OK**. 7. [Deploy the updated GPO as you normally do](/windows/win32/srvnodes/group-policy). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md index 544e90142e..acfa2cee01 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md @@ -11,17 +11,18 @@ ms.localizationpriority: medium audience: ITPro author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # App and browser control **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **App and browser control** section contains information and settings for Windows Defender SmartScreen. IT administrators and IT pros can get configuration guidance from the [Windows Defender SmartScreen documentation library](/windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md index 33a2c7d531..9f9932bc80 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 09/13/2021 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Customize the Windows Security app for your organization **Applies to** -- Windows 10, version 1709 and later - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md index 13fce0f2d5..3672d5c25a 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,7 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 The **Device performance & health** section contains information about hardware, devices, and drivers related to the machine. IT administrators and IT pros should reference the appropriate documentation library for the issues they are seeing, such as the [configure the Load and unload device drivers security policy setting](/windows/device-security/security-policy-settings/load-and-unload-device-drivers) and how to [deploy drivers during Windows 10 deployment using Microsoft Endpoint Configuration Manager](/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md index f4d3053cd9..8526440bc9 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md @@ -10,17 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 10/02/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Device security **Applies to** -- Windows 10, version 1803 and later +- Windows 10 +- Windows 11 The **Device security** section contains information and settings for built-in device security. @@ -28,7 +29,7 @@ You can choose to hide the section from users of the machine. This can be useful ## Hide the Device security section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md index 274c66bd66..a9e4a148c5 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md @@ -10,10 +10,10 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -21,8 +21,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Family options** section contains links to settings and further information for parents of a Windows 10 PC. It is not generally intended for enterprise or business environments. @@ -33,7 +33,7 @@ In Windows 10, version 1709, the section can be hidden from users of the machine ## Hide the Family options section -You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigiation bar on the side of the app. +You can choose to hide the entire section by using Group Policy. The section will not appear on the home page of the Windows Security app, and its icon will not be shown on the navigation bar on the side of the app. This can only be done in Group Policy. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md index 3a14dc7c26..924bcd1150 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md @@ -9,10 +9,10 @@ ms.sitesec: library ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 04/30/2018 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- @@ -20,8 +20,8 @@ ms.technology: mde **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md). diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md index 0a1389c07b..a58b61c3b1 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-hide-notifications.md @@ -10,25 +10,18 @@ ms.pagetype: security ms.localizationpriority: medium author: dansimp ms.author: dansimp -ms.date: 07/23/2020 +ms.date: ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # Hide Windows Security app notifications **Applies to** -- Windows 10, version 1809 and above - -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Group Policy +- Windows 10 +- Windows 11 The Windows Security app is used by a number of Windows security features to provide notifications about the health and security of the machine. These include notifications about firewalls, antivirus products, Windows Defender SmartScreen, and others. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md index 87960171d1..2d43e965ba 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md @@ -12,16 +12,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- - # Virus and threat protection **Applies to** -- Windows 10, version 1703 and later - +- Windows 10 +- Windows 11 The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products. diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md index 30cc06c3d0..7f3ef48df0 100644 --- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md +++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md @@ -22,19 +22,11 @@ ms.technology: mde - Windows 10 in S mode, version 1803 -**Audience** - -- Enterprise security administrators - -**Manageability available with** - -- Microsoft Intune - Windows 10 in S mode is streamlined for tighter security and superior performance. With Windows 10 in S mode, users can only use apps from the Microsoft Store, ensuring Microsoft-verified security so you can minimize malware attacks. In addition, using Microsoft Edge provides a more secure browser experience, with extra protections against phishing and malicious software. The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically. -![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png) +:::image type="content" alt-text="Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode." source="images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png"::: For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode). diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md index cb27db7bfd..7d0a3187b2 100644 --- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md +++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md @@ -11,14 +11,15 @@ author: dansimp ms.author: dansimp ms.reviewer: manager: dansimp -ms.technology: mde +ms.technology: windows-sec --- # The Windows Security app **Applies to** -- Windows 10, version 1703 and later +- Windows 10 +- Windows 11 This library describes the Windows Security app, and provides information on configuring certain features, including: diff --git a/windows/security/threat-protection/windows-firewall/TOC.yml b/windows/security/threat-protection/windows-firewall/TOC.yml index efaa07fa4e..ca84e461a5 100644 --- a/windows/security/threat-protection/windows-firewall/TOC.yml +++ b/windows/security/threat-protection/windows-firewall/TOC.yml @@ -250,3 +250,5 @@ href: quarantine.md - name: Firewall settings lost on upgrade href: firewall-settings-lost-on-upgrade.md +- name: Windows security + href: /windows/security/ diff --git a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml b/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml deleted file mode 100644 index f7e0955409..0000000000 --- a/windows/security/threat-protection/windows-security-configuration-framework/TOC.yml +++ /dev/null @@ -1,9 +0,0 @@ -- name: Windows security guidance for enterprises - items: - - name: Windows security baselines - href: windows-security-baselines.md - items: - - name: Security Compliance Toolkit - href: security-compliance-toolkit-10.md - - name: Get support - href: get-support-for-security-baselines.md diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md index 170918a4fa..435be7648b 100644 --- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md +++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md @@ -11,22 +11,17 @@ manager: dansimp audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual -ms.date: 06/25/2018 +ms.date: ms.reviewer: ms.technology: mde --- # Windows security baselines -**Applies to** - -- Windows 10 -- Windows Server 2016 -- Office 2016 ## Using security baselines in your organization -Microsoft is dedicated to providing its customers with secure operating systems, such as Windows 10 and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. +Microsoft is dedicated to providing its customers with secure operating systems, such as Windows and Windows Server, and secure apps, such as Microsoft Edge. In addition to the security assurance of its products, Microsoft also enables you to have fine control over your environments by providing various configuration capabilities. Even though Windows and Windows Server are designed to be secure out-of-the-box, many organizations still want more granular control over their security configurations. To navigate the large number of controls, organizations need guidance on configuring various security features. Microsoft provides this guidance in the form of security baselines. @@ -56,12 +51,13 @@ You can use security baselines to: ## Where can I get the security baselines? -You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. +There are several ways to get and use security baselines: -The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. +1. You can download the security baselines from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=55319). This download page is for the Security Compliance Toolkit (SCT), which comprises tools that can assist admins in managing baselines in addition to the security baselines. The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. You can also [Get Support for the security baselines](get-support-for-security-baselines.md) -[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) -[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) +2. [MDM (Mobile Device Management) security baselines](/windows/client-management/mdm/#mdm-security-baseline.md) function like the Microsoft group policy-based security baselines and can easily integrate this into an existing MDM management tool. + +3. MDM Security baselines can easily be configures in Microsoft Endpoint Manager on devices that run Windows 10 and 11. The following article provides the detail steps: [Windows MDM (Mobile Device Management) baselines](/mem/intune/protect/security-baseline-settings-mdm-all.md). ## Community diff --git a/windows/security/trusted-boot.md b/windows/security/trusted-boot.md new file mode 100644 index 0000000000..6792a8df14 --- /dev/null +++ b/windows/security/trusted-boot.md @@ -0,0 +1,40 @@ +--- +title: Secure Boot and Trusted Boot +description: Trusted Boot prevents corrupted components from loading during the boot-up process in Windows 11 +search.appverid: MET150 +author: denisebmsft +ms.author: deniseb +manager: dansimp +audience: ITPro +ms.topic: conceptual +ms.date: 09/21/2021 +ms.prod: m365-security +ms.technology: windows-sec +ms.localizationpriority: medium +ms.collection: +ms.custom: +ms.reviewer: jsuther +f1.keywords: NOCSH +--- + +# Secure Boot and Trusted Boot + +*This article describes Secure Boot and Trusted Boot, security measures built into Windows 11.* + +Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows 11 device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows 11 system boots up safely and securely. + +## Secure Boot + +The first step in protecting the operating system is to ensure that it boots securely after the initial hardware and firmware boot sequences have safely finished their early boot sequences. Secure Boot makes a safe and trusted path from the Unified Extensible Firmware Interface (UEFI) through the Windows kernel's Trusted Boot sequence. Malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes throughout the boot sequence between the UEFI, bootloader, kernel, and application environments. + +As the PC begins the boot process, it will first verify that the firmware is digitally signed, reducing the risk of firmware rootkits. Secure Boot then checks all code that runs before the operating system and checks the OS bootloader’s digital signature to ensure that it is trusted by the Secure Boot policy and hasn’t been tampered with. + +## Trusted Boot + +Trusted Boot picks up the process that started with Secure Boot. The Windows bootloader verifies the digital signature of the Windows kernel before loading it. The Windows kernel, in turn, verifies every other component of the Windows startup process, including boot drivers, startup files, and your antimalware product’s early-launch antimalware (ELAM) driver. If any of these files were tampered, the bootloader detects the problem and refuses to load the corrupted component. Tampering or malware attacks on the Windows boot sequence are blocked by the signature-enforcement handshakes between the UEFI, bootloader, kernel, and application environments. + +Often, Windows can automatically repair the corrupted component, restoring the integrity of Windows and allowing the Windows 11 device to start normally. + +## See also + +[Secure the Windows boot process](information-protection/secure-the-windows-10-boot-process.md) \ No newline at end of file diff --git a/windows/security/zero-trust-windows-device-health.md b/windows/security/zero-trust-windows-device-health.md new file mode 100644 index 0000000000..1462084e1e --- /dev/null +++ b/windows/security/zero-trust-windows-device-health.md @@ -0,0 +1,71 @@ +--- +title: Zero Trust and Windows device health +description: Describes the process of Windows device health attestation +ms.reviewer: +ms.topic: article +manager: dansimp +ms.author: dansimp +ms.mktglfcycl: deploy +ms.sitesec: library +ms.pagetype: security +author: dansimp +ms.collection: M365-security-compliance +ms.prod: m365-security +ms.technology: windows-sec +--- + +# Zero Trust and Windows device health +Organizations need a security model that more effectively adapts to the complexity of the modern work environment. IT admins need to embrace the hybrid workplace, while protecting people, devices, apps, and data wherever they’re located. Implementing a Zero Trust model for security helps addresses today's complex environments. + +The [Zero Trust](https://www.microsoft.com/security/business/zero-trust) principles are: + +- **Verify explicitly**. Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and monitor anomalies. + +- **Use least-privileged access**. Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help secure data and maintain productivity. + +- **Assume breach**. Prevent attackers from obtaining access to minimize potential damage to data and systems. Protect privileged roles, verify end-to-end encryption, use analytics to get visibility, and drive threat detection to improve defenses. + +The Zero Trust concept of **verify explicitly** applies to the risks introduced by both devices and users. Windows enables **device health attestation** and **conditional access** capabilities, which are used to grant access to corporate resources. + +[Conditional access](/azure/active-directory/conditional-access/overview) evaluates identity signals to confirm that users are who they say they are before they are granted access to corporate resources. + +Windows 11 supports device health attestation, helping to confirm that devices are in a good state and have not been tampered with. This capability helps users access corporate resources whether they’re in the office, at home, or when they’re traveling. + +Attestation helps verify the identity and status of essential components and that the device, firmware, and boot process have not been altered. Information about the firmware, boot process, and software, is used to validate the security state of the device. This information is cryptographically stored in the security co-processor Trusted Platform Module (TPM). Once the device is attested, it can be granted access to resources. + +## Device health attestation on Windows + Many security risks can emerge during the boot process as this process can be the most privileged component of the whole system. The verification process uses remote attestation as the secure channel to determine and present the device’s health. Remote attestation determines: + +- If the device can be trusted +- If the operating system booted correctly +- If the OS has the right set of security features enabled + +These determinations are made with the help of a secure root of trust using the Trusted Platform Module (TPM). Devices can attest that the TPM is enabled, and that the device has not been tampered with. + +Windows includes many security features to help protect users from malware and attacks. However, trusting the Windows security components can only be achieved if the platform boots as expected and was not tampered with. Windows relies on Unified Extensible Firmware Interface (UEFI) Secure Boot, Early-launch antimalware (ELAM), Dynamic Root of Trust for Measurement (DRTM), Trusted Boot, and other low-level hardware and firmware security features. When you power on your PC until your anti-malware starts, Windows is backed with the appropriate hardware configuration to help keep you safe. [Measured and Trusted boot](information-protection/secure-the-windows-10-boot-process.md), implemented by bootloaders and BIOS, verifies and cryptographically records each step of the boot in a chained manner. These events are bound to a security coprocessor (TPM) that acts as the Root of Trust. Remote Attestation is the mechanism by which these events are read and verified by a service to provide a verifiable, unbiased, and tamper resilient report. Remote attestation is the trusted auditor of your system's boot, allowing specific entities to trust the device. + +A summary of the steps involved in attestation and Zero Trust on the device side are as follows: + +1. During each step of the boot process, such as a file load, update of special variables, and more, information such as file hashes and signature are measured in the TPM PCRs. The measurements are bound by a [Trusted Computing Group specification](https://trustedcomputinggroup.org/resource/pc-client-platform-tpm-profile-ptp-specification/) (TCG) that dictates what events can be recorded and the format of each event. + +2. Once Windows has booted, the attestor/verifier requests the TPM to fetch the measurements stored in its Platform Configuration Register (PCR) alongside a TCG log. Both of these together form the attestation evidence that is then sent to the attestation service. + +3. The TPM is verified by using the keys/cryptographic material available on the chipset with an [Azure Certificate Service](/windows-server/identity/ad-ds/manage/component-updates/tpm-key-attestation). + +4. This information is then sent to the attestation service in the cloud to verify that the device is safe. Microsoft Endpoint Manger (MEM) integrates with Microsoft Azure Attestation to review device health comprehensively and connect this information with AAD conditional access. This integration is key for Zero Trust solutions that help bind trust to an untrusted device. + +5. The attestation service does the following: + + - Verify the integrity of the evidence. This is done by validating the PCRs that match the values recomputed by replaying the TCG log. + - Verify that the TPM has a valid Attestation Identity Key issued by the authenticated TPM. + - Verify that the security features are in the expected states. + +6. The attestation service returns an attestation report that contains information about the security features based on the policy configured in the attestation service. + +7. The device then sends the report to the MEM cloud to assess the trustworthiness of the platform according to the admin-configured device compliance rules. + +8. Conditional access, along with device-compliance state then decides to allow or deny access. + +## Other Resources + +Learn more about Microsoft Zero Trust solutions in the [Zero Trust Guidance Center](/security/zero-trust/).