Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information. | Using PPKGs in combination with Windows Autopilot is not recommended.
## Related topics
From e7a151d15576a7614d0a9b429c4792361d278357 Mon Sep 17 00:00:00 2001
From: Thomas Sjögren
Date: Wed, 4 Mar 2020 11:24:22 +0100
Subject: [PATCH 17/31] update linux-install-manually.md
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
.../linux-install-manually.md | 37 ++++++++++---------
1 file changed, 19 insertions(+), 18 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 79bae6b394..789eeca122 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -1,6 +1,6 @@
---
title: Deploy Microsoft Defender ATP for Linux manually
-ms.reviewer:
+ms.reviewer:
description: Describes how to deploy Microsoft Defender ATP for Linux manually from the command line.
keywords: microsoft, defender, atp, linux, installation, deploy, uninstallation, puppet, ansible, linux, redhat, ubuntu, debian, sles, suse, centos
search.product: eADQiWindows 10XVcnh
@@ -14,7 +14,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -53,13 +53,13 @@ In order to preview new features and provide early feedback, it is recommended t
> In case of Oracle EL and CentOS 8, replace *[distro]* with “rhel”.
```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+ For example, if you are running CentOS 7 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
- sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
+ sudo yum-config-manager --add-repo=https://packages.microsoft.com/config/centos/7/insiders-fast.repo
```
- Install the Microsoft GPG public key:
@@ -67,12 +67,18 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
-
+
```bash
sudo rpm --import microsoft.asc
```
-- Download and make usable all the metadata for the currently enabled yum repositories:
+- Install `yum-utils` if it is not already installed:
+
+ ```bash
+ sudo yum install yum-utils
+ ```
+
+- Download and make usable all the metadata for the currently enabled yum repositories:
```bash
yum makecache
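Review bot: the new `yum-utils` step lands after the `yum-config-manager --add-repo` commands in the earlier hunk, but `yum-config-manager` is provided by `yum-utils`, so a reader following the steps in order on a minimal install hits a command-not-found error before ever reaching this bullet. Move the `sudo yum install yum-utils` bullet ahead of the repository-configuration step (before the first `yum-config-manager` block), or reword the step to say it must be installed first.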
@@ -85,10 +91,10 @@ In order to preview new features and provide early feedback, it is recommended t
In the following commands, replace *[distro]* and *[version]* with the information you've identified:
```bash
- sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
+ sudo zypper addrepo -c -f -n microsoft-[channel] https://packages.microsoft.com/config/[distro]/[version]/[channel].repo
```
- For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
+ For example, if you are running SLES 12 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
sudo zypper addrepo -c -f -n microsoft-insiders-fast https://packages.microsoft.com/config/sles/12/insiders-fast.repo
@@ -99,7 +105,7 @@ In order to preview new features and provide early feedback, it is recommended t
```bash
curl https://packages.microsoft.com/keys/microsoft.asc > microsoft.asc
```
-
+
```bash
rpm --import microsoft.asc
```
@@ -123,7 +129,7 @@ In order to preview new features and provide early feedback, it is recommended t
For example, if you are running Ubuntu 18.04 and wish to deploy MDATP for Linux from the *insider-fast* channel:
```bash
- curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
+ curl -o microsoft.list https://packages.microsoft.com/config/ubuntu/18.04/insiders-fast.list
```
- Install the repository configuration:
@@ -141,12 +147,7 @@ In order to preview new features and provide early feedback, it is recommended t
- Install the Microsoft GPG public key:
```bash
- curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg
- ```
-
- ```bash
- sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/
-
+ curl https://packages.microsoft.com/keys/microsoft.asc | apt-key add -
```
- Install the https driver if it's not already present:
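Review bot: the replacement command drops root privileges and moves to a less desirable key store. `curl ... | apt-key add -` runs `apt-key` as the unprivileged user, which cannot write the APT trusted keyring, whereas the removed version used `sudo` for the privileged write (`sudo mv microsoft.gpg /etc/apt/trusted.gpg.d/`). The removed form also kept the Microsoft key in its own file under `/etc/apt/trusted.gpg.d/` rather than merging it into the global keyring, which is what Debian recommends for third-party repositories. The actual defect in the old block looks like the missing closing fence after the `sudo mv` line, so I would keep the two-step dearmor/move approach and just close the fence; at minimum the new line needs to be `curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -`.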
@@ -193,7 +194,7 @@ Download the onboarding package from Microsoft Defender Security Center:
4. From a command prompt, verify that you have the file.
Extract the contents of the archive:
-
+
```bash
ls -l
total 8
From 6bcd27a58c3b65a6428cdf9bdd6e85a38c1010f7 Mon Sep 17 00:00:00 2001
From: Thomas Sjögren
Date: Wed, 4 Mar 2020 13:43:43 +0100
Subject: [PATCH 18/31] add libplist-utils
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
.../microsoft-defender-atp/linux-install-manually.md | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
index 789eeca122..931ca5edf7 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually.md
@@ -118,6 +118,12 @@ In order to preview new features and provide early feedback, it is recommended t
sudo apt-get install curl
```
+- Install `libplist-utils` if it is not already installed:
+
+ ```bash
+ sudo apt-get install libplist-utils
+ ```
+
- Note your distribution and version, and identify the closest entry for it under `https://packages.microsoft.com/config`.
In the below command, replace *[distro]* and *[version]* with the information you've identified:
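Review bot: the new bullet gives no reason for installing `libplist-utils`, unlike the neighbouring steps whose packages are visibly used later in the procedure (`curl` fetches the key and repo list). Add a short clause saying which later step or command depends on it. The step is also added only to the Debian/Ubuntu section; if the dependency is real, the yum and zypper sections need the equivalent package step (or a sentence saying they do not), otherwise readers of those sections will be missing a prerequisite.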
From 1210b9189ffea55667fd9e82e166c86e4f94f649 Mon Sep 17 00:00:00 2001
From: Thomas Sjögren
Date: Wed, 4 Mar 2020 14:36:25 +0100
Subject: [PATCH 19/31] add Mac quarantine location, ref ##6078
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
.../microsoft-defender-atp/mac-resources.md | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
index e35c4b95e5..d658cb4cb4 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/mac-resources.md
@@ -13,7 +13,7 @@ author: dansimp
ms.localizationpriority: medium
manager: dansimp
audience: ITPro
-ms.collection: M365-security-compliance
+ms.collection: M365-security-compliance
ms.topic: conceptual
---
@@ -59,7 +59,7 @@ If you can reproduce a problem, please increase the logging level, run the syste
If an error occurs during installation, the installer will only report a general failure.
-The detailed log will be saved to /Library/Logs/Microsoft/mdatp/install.log. If you experience issues during installation, send us this file so we can help diagnose the cause.
+The detailed log will be saved to `/Library/Logs/Microsoft/mdatp/install.log`. If you experience issues during installation, send us this file so we can help diagnose the cause.
## Uninstalling
@@ -72,6 +72,7 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
### From the command line
- ```sudo rm -rf '/Applications/Microsoft Defender ATP.app'```
+- ```sudo rm -rf '/Library/Application Support/Microsoft/Defender/'```
## Configuring from the command line
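Review bot: the added uninstall step removes `/Library/Application Support/Microsoft/Defender/` wholesale, and the section this same patch adds further down documents that the `quarantine/` directory lives under that path. Quarantined files, and any evidence an analyst may still want from them, are therefore destroyed by this one-liner with no warning. Add a sentence before the command stating that it deletes quarantined files and local configuration, and that anything still needed should be reviewed or restored first.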
@@ -98,6 +99,10 @@ Important tasks, such as controlling product settings and triggering on-demand s
|EDR |Add group tag to machine. EDR tags are used for managing machine groups. For more information, please visit https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/machine-groups |`mdatp --edr --set-tag GROUP [name]` |
|EDR |Remove group tag from machine |`mdatp --edr --remove-tag [name]` |
+## Client Microsoft Defender ATP quarantine directory
+
+`/Library/Application Support/Microsoft/Defender/quarantine/` contains the files quarantined by `mdatp`. The files are named after the threat trackingId. The current trackingIds is shown with `mdatp --threat --list --pretty`.
+
## Microsoft Defender ATP portal information
In the Microsoft Defender ATP portal, you'll see two categories of information.
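Review bot: grammar in the last sentence of the new section: `The current trackingIds is shown` should read `The current trackingIds are shown` (or `The current list of trackingIds is shown`). The heading `Client Microsoft Defender ATP quarantine directory` also reads awkwardly next to the file's other headings; `Quarantine directory` would be consistent. Since the uninstall hunk in this same patch deletes the parent of this directory, a cross-reference between the two would help readers understand that uninstalling removes quarantined files.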
@@ -121,6 +126,6 @@ Device information, including:
- Computer model
- Processor architecture
- Whether the device is a virtual machine
-
+
> [!NOTE]
> Certain device information might be subject to upcoming releases. To send us feedback, use the Microsoft Defender ATP for Mac app and select **Help** > **Send feedback** on your device. Optionally, use the **Feedback** button in the Microsoft Defender Security Center.
From 65a340b0ac2bb1fa40f5e9a6e77ac5e220196b60 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 4 Mar 2020 07:54:32 -0800
Subject: [PATCH 20/31] Update select-types-of-rules-to-create.md
---
.../select-types-of-rules-to-create.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 109843079b..44fd750878 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -14,7 +14,7 @@ author: jsuther1974
ms.reviewer: isbrahm
ms.author: dansimp
manager: dansimp
-ms.date: 02/24/2020
+ms.date: 03/04/2020
---
# Understand WDAC policy rules and file rules
From f11f9665a8c391070cfc272decb6e5af053fea1a Mon Sep 17 00:00:00 2001
From: Daniel Simpson
Date: Wed, 4 Mar 2020 08:44:49 -0800
Subject: [PATCH 21/31] Update known-issues.md
---
windows/deployment/windows-autopilot/known-issues.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/deployment/windows-autopilot/known-issues.md b/windows/deployment/windows-autopilot/known-issues.md
index 418dc0201b..fe874d593f 100644
--- a/windows/deployment/windows-autopilot/known-issues.md
+++ b/windows/deployment/windows-autopilot/known-issues.md
@@ -71,7 +71,7 @@ This happens because Windows 10, version 1903 deletes the AutopilotConfiguration
Error importing Windows Autopilot devices from a .csv file | Ensure that you have not edited the .csv file in Microsoft Excel or an editor other than Notepad. Some of these editors can introduce extra characters causing the file format to be invalid.
| Windows Autopilot for existing devices does not follow the Autopilot OOBE experience. | Ensure that the JSON profile file is saved in ANSI/ASCII format, not Unicode or UTF-8.
| Something went wrong is displayed page during OOBE. | The client is likely unable to access all the required AAD/MSA-related URLs. For more information, see Networking requirements.
- | Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information. | Using PPKGs in combination with Windows Autopilot is not recommended.
+ | Using a provisioning package in combination with Windows Autopilot can cause issues, especially if the PPKG contains join, enrollment, or device name information. | Using PPKGs in combination with Windows Autopilot is not recommended.
## Related topics
From 47f446904f44d3c3c5f0c9fad0fc38b1a970d225 Mon Sep 17 00:00:00 2001
From: ShrCaJesmo <54860945+ShrCaJesmo@users.noreply.github.com>
Date: Wed, 4 Mar 2020 12:08:51 -0500
Subject: [PATCH 22/31] Update troubleshooting.md
Adds a note not to delete the associated azure object, with remediation steps if it's been deleted.
---
windows/deployment/windows-autopilot/troubleshooting.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md
index b2e13bb564..a03e5fbb55 100644
--- a/windows/deployment/windows-autopilot/troubleshooting.md
+++ b/windows/deployment/windows-autopilot/troubleshooting.md
@@ -128,6 +128,8 @@ On devices running a [supported version](https://docs.microsoft.com/windows/rele
The most common issue joining a device to Azure AD is related to Azure AD permissions. Ensure [the correct configuration is in place](windows-autopilot-requirements.md) to allow users to join devices to Azure AD. Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
+An Azure AD device is created upon import - it's important that this object not be deleted. It acts as Autopilot's anchor in AAD for group membership and targeting (including the profile) and can lead to join errors if it's deleted. Once this object has been deleted, to fix the issue, deleting and reimporting this autopilot hash will be necessary so it can recreate the associated object.
+
Error code 801C0003 will typically be reported on an error page titled "Something went wrong". This error means that the Azure AD join failed.
## Troubleshooting Intune enrollment issues
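Review bot: the new paragraph's second sentence is ambiguous: `It acts as Autopilot's anchor in AAD ... and can lead to join errors if it's deleted` attaches `can lead to join errors` to the object itself rather than to its deletion. Suggest splitting it: `This object is Autopilot's anchor in Azure AD for group membership and profile targeting; deleting it causes join errors.` The final sentence buries the remediation; rewrite it as an instruction, for example `If the object has already been deleted, delete the Autopilot device registration and re-import the hardware hash so that the object is recreated.` Because this is a warning the reader must not miss, the `> [!NOTE]` callout style used elsewhere in this series fits better than body text, and `autopilot` should be capitalized to match the rest of the page.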
From a38e6c898743d94d7d18d1c1b2d61cf1195a2650 Mon Sep 17 00:00:00 2001
From: Kurt Sarens <56369685+kurtsarens@users.noreply.github.com>
Date: Wed, 4 Mar 2020 09:41:30 -0800
Subject: [PATCH 23/31] Update manage-updates-baselines-windows-defender-antivirus.md
---
...es-baselines-windows-defender-antivirus.md | 26 ++++++++++++++++++-
1 file changed, 25 insertions(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 7ebc368cbc..85e32bc104 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -36,12 +36,36 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
+Engine updates are included with the Security intelligence updates and are released on a monthly cadense.
+
## Product updates
-Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "engine updates" and "platform updates"), and will receive major feature updates alongside Windows 10 releases.
+Windows Defender Antivirus requires [monthly updates](https://support.microsoft.com/help/4052623/update-for-windows-defender-antimalware-platform) (known as "platform updates"), and will receive major feature updates alongside Windows 10 releases.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
+## Released platform -and engine versions
+Only the main version is listed in the below table as reference
+
+Month | Platform/Client | Engine
+---|---|---
+Feb-2020 | - | 1.1.16800.x
+Jan-2020 | 4.18.2001.x | 1.1.16700.x
+Dec-2019 | - | - |
+Nov-2019 | 4.18.1911.x | 1.1.16600.x
+Oct-2019 | 4.18.1910.x | 1.1.16500.x
+Sep-2019 | 4.18.1909.x | 1.1.16400.x
+Aug-2019 | 4.18.1908.x | 1.1.16300.x
+Jul-2019 | 4.18.1907.x | 1.1.16200.x
+Jun-2019 | 4.18.1906.x | 1.1.16100.x
+May-2019 | 4.18.1905.x | 1.1.16000.x
+Apr-2019 | 4.18.1904.x | 1.1.15900.x
+Mar-2019 | 4.18.1903.x | 1.1.15800.x
+Feb-2019 | 4.18.1902.x | 1.1.15700.x
+Jan-2019 | 4.18.1901.x | 1.1.15600.x
+Dec-18 | 4.18.1812.X | 1.1.15500.x
+
+
## In this section
Topic | Description
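Review bot: several consistency problems in the added text and table. `cadense` should be `cadence`; the heading `Released platform -and engine versions` has a stray hyphen and should be `Released platform and engine versions`; and `Only the main version is listed in the below table as reference` needs a colon or full stop. In the table, the `Dec-2019` row carries a trailing `|` that no other row has, the last row uses `Dec-18` while every other row spells out the year, and `4.18.1812.X` uses an uppercase `X` where every other cell uses lowercase `x`. Also, the sentence `Engine updates are included with the Security intelligence updates` is placed above the `## Product updates` heading while the engine versions are tabulated under the product section, so state in the table intro where engine versions ship (with security intelligence updates) so the two parts agree.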
From 62b66b0300651bb5932bf61531b55bec5ccb12de Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 4 Mar 2020 10:07:49 -0800
Subject: [PATCH 24/31] Update manage-updates-baselines-windows-defender-antivirus.md
---
.../manage-updates-baselines-windows-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 85e32bc104..f7c32de337 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -12,7 +12,7 @@ ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.custom: nextgen
-ms.date: 09/03/2018
+ms.date: 03/04/2020
ms.reviewer:
manager: dansimp
---
From e9ea86935e984641932b72a8dfc2839e4f2c7304 Mon Sep 17 00:00:00 2001
From: Denise Vangel-MSFT
Date: Wed, 4 Mar 2020 10:09:01 -0800
Subject: [PATCH 25/31] Update manage-updates-baselines-windows-defender-antivirus.md
---
...anage-updates-baselines-windows-defender-antivirus.md | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index f7c32de337..42608c4979 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -24,8 +24,8 @@ manager: dansimp
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
There are two types of updates related to keeping Windows Defender Antivirus up to date:
-1. Protection updates
+1. Protection updates
2. Product updates
You can also apply [Windows security baselines](https://technet.microsoft.com/itpro/windows/keep-secure/windows-security-baselines) to quickly bring your endpoints up to a uniform level of protection.
@@ -44,8 +44,9 @@ Windows Defender Antivirus requires [monthly updates](https://support.microsoft.
You can manage the distribution of updates through Windows Server Update Service (WSUS), with [Microsoft Endpoint Configuration Manager](https://docs.microsoft.com/configmgr/sum/understand/software-updates-introduction), or in the normal manner that you deploy Microsoft and Windows updates to endpoints in your network.
-## Released platform -and engine versions
-Only the main version is listed in the below table as reference
+## Released platform and engine versions
+
+Only the main version is listed in the following table as reference information:
Month | Platform/Client | Engine
---|---|---
@@ -68,7 +69,7 @@ Dec-18 | 4.18.1812.X | 1.1.15500.x
## In this section
-Topic | Description
+Article | Description
---|---
[Manage how protection updates are downloaded and applied](manage-protection-updates-windows-defender-antivirus.md) | Protection updates can be delivered through a number of sources.
[Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md) | You can schedule when protection updates should be downloaded.
From c2e4a1ebd8e8daf9e434df2e42abe45d122bb8c2 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Wed, 4 Mar 2020 13:53:42 -0800
Subject: [PATCH 26/31] Acrolinx spelling: corrected "cadense"
---
.../manage-updates-baselines-windows-defender-antivirus.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
index 42608c4979..5184c72aca 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/manage-updates-baselines-windows-defender-antivirus.md
@@ -36,7 +36,7 @@ Windows Defender Antivirus uses both [cloud-delivered protection](utilize-micros
The cloud-delivered protection is always on and requires an active connection to the Internet to function, while the protection updates generally occur once a day (although this can be configured). See the [Utilize Microsoft cloud-provided protection in Windows Defender Antivirus](utilize-microsoft-cloud-protection-windows-defender-antivirus.md) topic for more details about enabling and configuring cloud-provided protection.
-Engine updates are included with the Security intelligence updates and are released on a monthly cadense.
+Engine updates are included with the Security intelligence updates and are released on a monthly cadence.
## Product updates
From ffb182a4a241d64c3b79d8cd27727b9ce93a55f6 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Wed, 4 Mar 2020 14:04:52 -0800
Subject: [PATCH 27/31] Corrected note markup, added white space
---
.../hello-key-trust-validate-pki.md | 71 +++++++++++++++++--
1 file changed, 64 insertions(+), 7 deletions(-)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 924d595335..7a49cdb675 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -64,14 +64,24 @@ Domain controllers automatically request a domain controller certificate (if pub
By default, the Active Directory Certificate Authority provides and publishes the Kerberos Authentication certificate template. However, the cryptography configuration included in the provided template is based on older and less performant cryptography APIs. To ensure domain controllers request the proper certificate with the best available cryptography, use the Kerberos Authentication certificate template as a baseline to create an updated domain controller certificate template.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
- **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
+ > [!NOTE]
+ > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected. Select **None** from the **Subject name format** list. Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+
7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
8. Close the console.
### Superseding the existing Domain Controller certificate
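Review bot: while this hunk reflows the list, step 4's context line still reads `Windows 7.Server 2008 R2`; the recipient option in the Certificate Templates console is `Windows 7 / Server 2008 R2`, so the full stop looks like a typo worth fixing in the same pass since the line is being touched anyway.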
@@ -81,14 +91,23 @@ Many domain controllers may have an existing domain controller certificate. The
The Kerberos Authentication certificate template is the most current certificate template designated for domain controllers and should be the one you deploy to all your domain controllers (2008 or later). The autoenrollment feature in Windows enables you to effortlessly replace these domain controller certificates. You can use the following configuration to replace older domain controller certificates with a new certificate using the Kerberos Authentication certificate template.
Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
+
4. Click the **Superseded Templates** tab. Click **Add**.
+
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
+
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
+
7. From the **Add Superseded Template dialog**, select the **Kerberos Authentication** certificate template and click **OK**.
+
8. Add any other enterprise certificate templates that were previously configured for domain controllers to the **Superseded Templates** tab.
+
9. Click **OK** and close the **Certificate Templates** console.
The certificate template is configured to supersede all the certificate templates provided in the certificate templates superseded templates list. However, the certificate template and the superseding of certificate templates is not active until you publish the certificate template to one or more certificate authorities.
@@ -98,16 +117,28 @@ The certificate template is configured to supersede all the certificate template
Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
-5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
- **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
+5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
+
+ > [!NOTE]
+ > If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
+
6. On the **Request Handling** tab, select **Allow private key to be exported**.
+
7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+
8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box. Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
-9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
+9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list. Click **OK**.
+
10. Close the console.
### Unpublish Superseded Certificate Templates
@@ -117,10 +148,15 @@ The certificate authority only issues certificates based on published certificat
The newly created domain controller authentication certificate template supersedes previous domain controller certificate templates. Therefore, you need to unpublish these certificate templates from all issuing certificate authorities.
Sign-in to the certificate authority or management workstation with _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Domain Controller** certificate template in the content pane and select **Delete**. Click **Yes** on the **Disable certificate templates** window.
+
5. Repeat step 4 for the **Domain Controller Authentication** and **Kerberos Authentication** certificate templates.
### Publish Certificate Templates to the Certificate Authority
@@ -128,13 +164,20 @@ Sign-in to the certificate authority or management workstation with _Enterprise
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
+
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+
5. In the **Enable Certificates Templates** window, select the **Domain Controller Authentication (Kerberos)**, and **Internal Web Server** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+
6. If you published the Domain Controller Authentication (Kerberos) certificate template, then you should unpublish the certificate templates you included in the superseded templates list.
- * To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
+
+ \* To unpublish a certificate template, right-click the certificate template you want to unpublish in the details pane of the Certificate Authority console and select **Delete**. Click **Yes** to confirm the operation.
7. Close the console.
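Review bot: escaping the bullet as `\*` on the step-6 sub-item turns the nested bullet into a literal asterisk in the rendered output rather than a list item. If the intent is to keep it nested under step 6, indent it with four spaces and keep the bullet, e.g. `    * To unpublish a certificate template, right-click ...`, preceded by the blank line this hunk already adds. Separately, the context line "with an _Enterprise Admin_ equivalent credentials" pairs "an" with the plural "credentials"; "with _Enterprise Admin_ equivalent credentials" matches the wording used in the section above.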
@@ -143,23 +186,37 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
Domain controllers automatically request a certificate from the domain controller certificate template. However, the domain controller is unaware of newer certificate templates or superseded configurations on certificate templates. To continue automatic enrollment and renewal of domain controller certificates that understand newer certificate template and superseded certificate template configurations, create and configure a Group Policy object for automatic certificate enrollment and link the Group Policy object to the Domain Controllers OU.
1. Start the **Group Policy Management Console** (gpmc.msc)
+
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
3. Right-click **Group Policy object** and select **New**
+
4. Type *Domain Controller Auto Certificate Enrollment* in the name box and click **OK**.
+
5. Right-click the **Domain Controller Auto Certificate Enrollment** Group Policy object and click **Edit**.
+
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+
7. Expand **Windows Settings**, **Security Settings**, and click **Public Key Policies**.
+
8. In the details pane, right-click **Certificate Services Client – Auto-Enrollment** and select **Properties**.
+
9. Select **Enabled** from the **Configuration Model** list.
+
10. Select the **Renew expired certificates, update pending certificates, and remove revoked certificates** check box.
+
11. Select the **Update certificates that use certificate templates** check box.
+
12. Click **OK**. Close the **Group Policy Management Editor**.
### Deploy the Domain Controller Auto Certificate Enrollment Group Policy Object
Sign-in to a domain controller or management workstations with _Domain Admin_ equivalent credentials.
-1. Start the **Group Policy Management Console** (gpmc.msc)
-2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**
+
+1. Start the **Group Policy Management Console** (gpmc.msc).
+
+2. In the navigation pane, expand the domain and expand the node that has your Active Directory domain name. Right-click the **Domain Controllers** organizational unit and click **Link an existing GPO…**.
+
3. In the **Select GPO** dialog box, select **Domain Controller Auto Certificate Enrollment** or the name of the domain controller certificate enrollment Group Policy object you previously created and click **OK**.
### Validating your work
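Review bot: punctuation is now inconsistent within this hunk: step 1 of the "Deploy" list gains a terminal period ("(gpmc.msc).") while step 1 ("(gpmc.msc)") and step 3 ("select **New**") of the "Configure" list above still lack one; add the period to those two so the two lists match. The "Sign-in to a domain controller" context line has the same noun-for-verb issue as the earlier sections ("Sign in to").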
From 51b801b921c1e978edf2bb3eaafc1f178c946ddf Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Wed, 4 Mar 2020 14:08:26 -0800
Subject: [PATCH 28/31] Indented content in lists, added white space
---
...tem-guard-secure-launch-and-smm-protection.md | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 961ea92625..d1b5d5b5b0 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -34,25 +34,31 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
### Group Policy
1. Click **Start** > type and then click **Edit group policy**.
+
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
-
+ 
### Windows Security Center
-Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
-
-
+Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security**
+> **Core isolation** > **Firmware protection**.
+ 
+
### Registry
1. Open Registry editor.
+
2. Click **HKEY_LOCAL_MACHINE** > **SYSTEM** > **CurrentControlSet** > **Control** > **DeviceGuard** > **Scenarios**.
+
3. Right-click **Scenarios** > **New** > **Key** and name the new key **SystemGuard**.
+
4. Right-click **SystemGuard** > **New** > **DWORD (32-bit) Value** and name the new DWORD **Enabled**.
+
5. Double-click **Enabled**, change the value to **1**, and click **OK**.
-
+ 
> [!IMPORTANT]
> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
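Review bot: the wrap of the Windows Security Center path leaves `> **Core isolation** > **Firmware protection**.` at the start of a line, and a line-initial `>` is the Markdown blockquote marker, so the second half of the path will render as a quoted block instead of continuing the sentence; keep the whole path on one line, or if it must wrap, break after an angle bracket rather than before it. Separately, the three added lines that contain only a single space (after step 2, after the path, and after step 5) are whitespace-only lines; plain empty lines separate the blocks just as well and will not be flagged by trailing-whitespace checks.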
From 7fe4f4f9d1b57f9b1bb2f39146555c7106ee6c58 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Wed, 4 Mar 2020 14:52:17 -0800
Subject: [PATCH 29/31] Indenting, second attempt
---
.../system-guard-secure-launch-and-smm-protection.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index d1b5d5b5b0..0cec6c7dba 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -37,7 +37,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
- 
+ 
### Windows Security Center
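Review bot: this hunk swaps one whitespace-only line for another, so the change is invisible both in the diff and in the rendered page; an empty line separates step 2 from the heading equally well and leaves nothing for trailing-whitespace linting to complain about.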
@@ -58,7 +58,7 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
5. Double-click **Enabled**, change the value to **1**, and click **OK**.
- 
+ 
> [!IMPORTANT]
> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
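Review bot: same point as the hunk at line 37 above: replacing a whitespace-only line with another whitespace-only line changes nothing visible; make it an empty line between step 5 and the `[!IMPORTANT]` alert.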
From 2f55083001e330f28a129460560128bec1070f98 Mon Sep 17 00:00:00 2001
From: Gary Moore
Date: Wed, 4 Mar 2020 15:13:43 -0800
Subject: [PATCH 30/31] Eliminated line break before angle bracket
When using angle brackets in a UI path, you can't have a line break right before an angle bracket.
---
.../system-guard-secure-launch-and-smm-protection.md | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 0cec6c7dba..f46696402c 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -41,8 +41,7 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
### Windows Security Center
-Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security**
-> **Core isolation** > **Firmware protection**.
+Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.

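Review bot: joining the path back onto one line is the right fix, since the previous wrap left `> **Core isolation**` at the start of a line, which Markdown renders as a blockquote; the two whitespace-only lines introduced in the earlier System Guard commits (after step 2 and after step 5) are still in the file, though, and could be replaced with empty lines in this same pass.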
From 45657d074e9e374699dfc0b62d10fa1c54a722b1 Mon Sep 17 00:00:00 2001
From: Greg Lindsay
Date: Wed, 4 Mar 2020 15:48:59 -0800
Subject: [PATCH 31/31] fix line feed
---
.../deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 67a08c0ff5..f9bbb31cba 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -158,6 +158,7 @@ In order to deploy Windows 10 with MDT successfully, you need drivers for the b
- Dell Latitude 7390
- HP EliteBook 8560w
- Microsoft Surface Pro
+
For boot images, you need to have storage and network drivers; for the operating system, you need to have the full suite of drivers.
>[!NOTE]
| |
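Review bot: the added blank line is needed here: without it, the sentence "For boot images, you need to have storage and network drivers ..." is a lazy continuation of the last bullet ("Microsoft Surface Pro") and renders inside the list rather than as its own paragraph. While touching this spot, `>[!NOTE]` in the trailing context is missing the space after `>` (`> [!NOTE]`) used for alerts elsewhere in these docs, for example the `> [!IMPORTANT]` block in the System Guard page above.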